BlenderKit add-on violates Blender's privacy policy #76779
Reference: blender/blender-addons#76779
Text from: https://www.blender.org/about/license
BlenderKit add-on currently polls the user's clipboard, detects changes, makes requests based on the contents.
See: release/scripts/addons/blenderkit/search.py, check_clipboard function, timer_update.
Suggest moving this to a button, explicit user action.
Added subscriber: @ideasman42
Changed title from 'BlendKit add-on violates Blender's privacy policy' to: 'BlenderKit add-on violates Blender's privacy policy'
Moving this function to a button makes it obsolete (it's definitely an option). Maybe we should make a clear statement that the addon connects to the internet while the addon is enabled, to adhere to the policy? Since the clipboard function is one of many that connect to the internet (while most of them do it through user actions) - BlenderKit is an internet browser by its nature. Also to make it clear, in this particular case, connection is made only after the clipboard data is detected as a valid search request, there is literally zero possibility to connect when the clipboard content isn't a BlenderKit website generated string.
Added subscriber: @petr.dlouhy
An additional button click would be against the purpose of this function - directly linking the asset from the website to BlenderKit search. The seamless user experience is important here.
I think that copying a very specific string to string should be considered an explicit user action.
Although the string is not specific enough in the current implementation - I think we should add validation of the UUID and asset_type variables and send only these validated data and nothing else from the string.
If that is not enough, we could also add something very specific to the copied string, like a checksum of the variables, that would ensure that it could not be in the clipboard by mistake.
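An added example, not BlenderKit's own code, of the validation proposed in the comment above: the clipboard text is accepted only if it matches one exact format, the asset type is on an allow-list, and a checksum over the two fields agrees. The clipboard format, the `crc` field, the allowed asset types and all function names are assumptions made for illustration.

```python
import re
import uuid
import zlib

# Assumed allow-list of asset types; the real set is defined by the add-on.
ALLOWED_TYPES = {"model", "material", "brush", "scene"}

# Assumed clipboard format (hypothetical, for illustration):
#   asset_base_id:<uuid> asset_type:<type> crc:<8 hex digits>
_PATTERN = re.compile(
    r"asset_base_id:([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) "
    r"asset_type:([a-z]+) "
    r"crc:([0-9a-f]{8})"
)
MAX_LEN = 128  # anything longer cannot be a link in this format


def _crc(asset_id, asset_type):
    """CRC32 over the two fields; guards against accidental matches only."""
    return format(zlib.crc32(f"{asset_id}|{asset_type}".encode("ascii")), "08x")


def make_link(asset_id, asset_type):
    """What the website side would put on the clipboard (constructed)."""
    crc = _crc(asset_id, asset_type)
    return f"asset_base_id:{asset_id} asset_type:{asset_type} crc:{crc}"


def parse_clipboard(text):
    """Return (uuid_str, asset_type) for a valid link, else None.

    Only the two validated fields are returned, so nothing else from the
    clipboard can end up in a search request.
    """
    if not isinstance(text, str) or len(text) > MAX_LEN:
        return None
    m = _PATTERN.fullmatch(text.strip())  # fullmatch: no surrounding text allowed
    if m is None:
        return None
    asset_id, asset_type, crc = m.groups()
    if asset_type not in ALLOWED_TYPES:
        return None
    if crc != _crc(asset_id, asset_type):
        return None
    # Re-serialise through uuid.UUID so only the canonical form is sent.
    return str(uuid.UUID(asset_id)), asset_type
```

A CRC only makes an accidental match unlikely; it does not authenticate the string, so the result should still be treated as untrusted input by whatever consumes it.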
Added subscribers: @dfelinto, @brecht
@VilemDuha discussed this with @dfelinto and @brecht, we agreed that this option can be kept but made optional, disabled by default.
Then if users want to poll the clipboard they can enable it.
@ideasman42: If the problematic part is connecting to the internet, would it be an acceptable solution if polling the clipboard were enabled by default, but before connecting to the server we prompt the user whether he/she wants to make the search (with a "don't show again" checkbox)?
Changed status from 'Needs Triage' to: 'Resolved'
For the 2.83 release, we 'resolved' this issue by disabling the feature.
However, I need to mention again that there really isn't a risk of a user connecting to the internet without a very specific action, even if it happens outside of Blender in the browser - by copying the predefined string into the clipboard.
By now, we decided that we will solve the issue for next release with a popup asking if the user wants to run the search that is contained in the string.