It’s a sad sign of the times when unscrupulous people look for opportunities such as this to harm others and when the corporate world therefore feels the need to isolate itself from legal fallout. By granting signing only to registered developers they provide a way (in theory at least) to track the mischief back to its source, and by providing a means to restrict what extensions can load they make it your decision to load unsigned ones from questionable sources. SketchUp embeds a full Ruby interpreter, which means that an extension has the ability to do anything a user-installed Ruby script can do, and that includes a lot of malicious mischief.

I haven’t seen it stated officially anywhere, but I think that the signing and loading policy thing was driven by Trimble’s lawyers and insurance company in an attempt to limit Trimble’s liability, not by an actual incident or a request from SketchUp users (though if there was an actual incident it likely wouldn’t be reported publicly).

All I’ll add is that the whole signing idea was quite controversial right from the start.

Edit: After some reflection I’ll also add this: However, if you get your RBZs from a trusted source or use in-house code you can rely on, then what’s the risk?

The hash process is not even 100% secure - it only works in >=v2016 - and IMHO a serious hacker with malicious intent could circumvent it… Of course that also has implications for the developers themselves, who will inevitably write many iterations of their code before it ever goes public! The big issue they have in ever removing the ‘unrestricted’ policy option is that it would preclude you from writing in-house plugins [unless you register as a developer and go through the rigmarole of submitting an RBZ for signing etc - even for minor code changes] and perhaps even prevent you from using Ruby-snippets in the Ruby Console - a seriously retrograde step.

To back out of the change, click the Discard Changes button. Click the Apply Changes button, and your extension is enabled or disabled. Click the Enabled or Disabled button next to the extension whose status you want to change.

Signing gives that impression, however they sign developers’ RBZs with no checks as to the code’s intentions - malicious or not - so it’s somewhat illusory. A signed extension cannot be altered without it breaking the signed-hash, but if you get your RBZs from a reputable source like EWH, SketchUcation, Smustard or established developers’ sites, then the issue of it being signed is somewhat academic.

In SketchUp, select Extensions > Extension Manager.

Trimble had this idea that users wanted the comfort of having ‘certified’ extensions. If you trust the source, then running SketchUp in ‘unrestricted’ loading-policy is unlikely to be dangerous and unsigned and in-house code will run without difficulty. Also with a new version many developers are playing catch-up - to make their code compatible and/or submit their RBZs to be re-signed.