William F. Adams
Tue, Feb 11, 2025 3:21 AM
On Monday, February 10, 2025 at 10:00:37 PM EST, Jordan Brown via Discuss <discuss@lists.openscad.org> wrote:
>The question is whether the 5th percentile OpenSCAD user, who is running it to get to the Customizer, understands that an OpenSCAD program could scribble on their disk.
>(Or even what it would mean for it to scribble on their disk.) These are precisely the people who should never download programs except from app stores,
>because they have no idea how to vet the trustworthiness of the supplier.
Given that OpenSCAD is not in an App Store, that doesn't seem that persuasive.
>There are any number of stories of social engineering people to click through warnings.
The problem is, if one tries to make software idiot-proof, two things happen:
- the universe provides an even more idiotic idiot
- one inconveniences legitimate users
>The only thing that would save us from a CNN minute would be that there are very few OpenSCAD users, and so it's a small target (so villains won't bother)
>and the sample size for gullibility is small (and so even if the villains bother, they won't get very many one-in-a-thousand victims).
Which, I would argue makes the risk small enough that the benefit outweighs it.
That said, as I've noted in the past, I've been very glad of the confidence which OpenSCAD has engendered due to this rigorous policy.
Obviously, I'm using PythonSCAD, and am working on a project which requires writing files out though, and feel that the risk, and feature-benefit balance out in favour of doing so.
I would like to see some sort of _rapprochement_ which would allow Python to be a standard part of OpenSCAD --- perhaps multiple binaries?
- allow standard OpenSCAD to include Python, but only for internal use by code which has been reviewed and approved --- I would assume that making it possible for Python programmers to add features/assist in development would be welcome? The internal Python features could still be gated behind a checkbox, and as noted, it would _not_ be possible to load arbitrary Python files
- have a second binary distributed which would have a checkbox which would enable loading Python files and writing out files and so forth
Presumably, it would be simple to build both variations of the binary? Perhaps we could turn this around and include both application files --- but the Pythonscad.exe is named something like "rename me to openscad.exe in order to have Python scripting. Do not execute otherwise"
William
William F. Adams
Tue, Feb 11, 2025 3:32 AM
Probably the simplest option if not using PythonSCAD would be:
https://rapcad.org/
(but it hasn't been updated for a while)
William
Revar Desmera
Tue, Feb 11, 2025 3:33 AM
> On Feb 10, 2025, at 7:00 PM, Jordan Brown via Discuss <discuss@lists.openscad.org> wrote:
>
> The question is whether the 5th percentile OpenSCAD user, who is running it to get to the Customizer, understands that an OpenSCAD program could scribble on their disk. (Or even what it would mean for it to scribble on their disk.) These are precisely the people who should never download programs except from app stores, because they have no idea how to vet the trustworthiness of the supplier.
>
Actually, the bigger problem would be that Thingiverse and other places that implement Customizer running of OpenSCAD scripts would become susceptible to hacks, and would thereafter refuse to run OpenSCAD scripts.
- Revar
John David
Tue, Feb 11, 2025 4:52 AM
If the customizer was run as a privileged user/process, then yea, that
could be a reasonable threat vector.
BTW, if I have to use PythonSCAD or RapCAD to do what I need, then I will
not be using OpenSCAD for things. The tools work for me or they do not. I
have not committed to become a long-term OpenSCAD internal developer. If I
can make some contributions to help myself and others, then I will do that,
but if it does not work for what I need, then I will move on. I'll try
using echo, and then parsing some tags to create the timing and regression
tests. They will depend on the builtin_timer though.
EBo --
On Mon, Feb 10, 2025 at 10:34 PM Revar Desmera via Discuss <
discuss@lists.openscad.org> wrote:
>
>
> > On Feb 10, 2025, at 7:00 PM, Jordan Brown via Discuss <
> discuss@lists.openscad.org> wrote:
> >
> > The question is whether the 5th percentile OpenSCAD user, who is
> running it to get to the Customizer, understands that an OpenSCAD program
> could scribble on their disk. (Or even what it would mean for it to
> scribble on their disk.) These are precisely the people who should never
> download programs except from app stores, because they have no idea how to
> vet the trustworthiness of the supplier.
> >
>
> Actually, the bigger problem would be that Thingiverse and other places
> that implement Customizer running of OpenSCAD scripts would become
> susceptible to hacks, and would thereafter refuse to run OpenSCAD scripts.
>
> - Revar
> _______________________________________________
> OpenSCAD mailing list
> To unsubscribe send an email to discuss-leave@lists.openscad.org
>
Jordan Brown
Tue, Feb 11, 2025 4:59 AM
On 2/10/2025 8:52 PM, John David via Discuss wrote:
> If the customizer was run as a privileged user/process, then yea, that
> could be a reasonable threat vector.
If you're a server operator, *any* mechanism that lets a user scribble
on your disk (or run an external program), no matter how apparently
innocuous, is a security vulnerability. Users aren't supposed to be
able to do such things. Put differently, in such an environment
OpenSCAD *does* run as a more privileged user than the users
themselves. (And, given the typical structure of a web server, all
users' OpenSCADs probably run as the *same* user (because web users do
not correspond to UNIX users), which opens a whole 'nother can of worms.)
Guenther Sohler
Tue, Feb 11, 2025 6:52 AM
I have been pushing and updating the python PR for almost one year, but
with almost no bandwidth on the devs' side
progressing there is almost impossible.
Even for the latest scrameta PR with the great skin function: these do not
even compile in the CI, even though it's in way better shape than my Python PR.
Devs always argue that someone could push the topic forward by having
discussions about that in IRC, but apparently this has no/little effect.
I feel we should pause that topic here until there is more bandwidth (more
time or more persons) on the devs' side.
After all, my PR is terribly outdated and it is probably easier to start it
from scratch, as pythonscad also got many updates (AND BUGFIXES) in the
meantime.
my little 2 cents
PS: In the meantime: everybody who wants openscad to write files and is
aware of the security risk already knows how to proceed
On Tue, Feb 11, 2025 at 12:05 AM Torsten Paul via Discuss <
discuss@lists.openscad.org> wrote:
> On 10.02.25 23:56, John David via Discuss wrote:
> > If not, are there any objections to me implementing something like this
> > and requesting a PR?
>
> For OpenSCAD scripts, the situation has not changed. Those can't
> have a write() function.
>
> I still hope we can get the Python support integrated eventually,
> that would allow such things without extra work. With no help
> moving that topic forward, there's no timeline though.
>
> ciao,
> Torsten.
Torsten Paul
Tue, Feb 11, 2025 8:48 AM
On 11.02.25 02:44, Jordan Brown via Discuss wrote:
> On 2/10/2025 3:05 PM, Torsten Paul via Discuss wrote:
>> On 10.02.25 23:56, John David via Discuss wrote:
>>> If not, are there any objections to me implementing something like this
>>> and requesting a PR?
>>
>> For OpenSCAD scripts, the situation has not changed. Those can't
>> have a write() function.
>
> To amplify on that a bit... this is a deliberate design decision. It
> should be safe for you to download an OpenSCAD program and run it,
> without fear that it will scribble on your files.
Yes, that's a concern. It's NOT the main concern though.
Can CSS write files?
Result of the script evaluation is a tree of geometry
instances.
The tree will be processed in a 2nd step into a final
mesh. The script is long gone at this time.
OpenSCAD scripts are not sequential programs *calculating*
the resulting mesh.
ciao,
Torsten.
Raymond West
Thu, Feb 13, 2025 2:41 PM
You can write text to the screen/viewport, and save as PDF, or other
2D/3D formats, if you need to read the values. If you want to input that
as text to another program, then that will need other manipulation. Text
is not exported as text, but as an image of the text. One method would
be to display output as a QR code; plenty of software for handling that.
On 10/02/2025 22:56, John David via Discuss wrote:
> I want to write some generic text (similar to echo statements) to a
> user defined output file. My interest in this is to use it in
> conjunction with the timing tests to output the results from dozens of
> tests. In the past, I have used stuff like this to output the
> configuration of a simulation, so I know what all the parameters were.
>
> I see in the GitHub issues "Allow OpenSCAD to open and write out text
> files #3400" <https://github.com/openscad/openscad/issues/3400> that
> some folks were looking to use the same functionality to be able to
> output their CAM G-Code.
>
> Was this functionality ever implemented? If so, where/how?
>
> If not, are there any objections to me implementing something like
> this and requesting a PR?
>
> EBo --
>
Jordan Brown
Thu, Feb 13, 2025 4:33 PM
On 2/13/2025 6:41 AM, Raymond West via Discuss wrote:
>
> You can write text to the screen/viewport, and save as pdf., or other
> 2d/3d formats, if you need to read the values. If you want to input
> that as text to another program, then that will need other
> manipulation. Text is not exported as text, but as an image of the
> text. One method would be to display output as a qr code, plenty of
> software for handling that.
>
It's only exported as an image of the text if you take a screen shot.
Ordinary select/copy/paste works fine and transfers the text as text.
module outline(t) {
    difference() {
        offset(t/2) children();
        offset(-t/2) children();
    }
}
color("black") outline(0.3) text("Hello world!");
yields console output:
Parsing design (AST generation)...
Saved backup file:
C:/Users/Jordan/OneDrive/Documents/OpenSCAD/backups/unsaved-backup-cSChDmHh.scad
Compiling design (CSG Tree generation)...
Compiling design (CSG Products generation)...
Geometries in cache: 7
Geometry cache size in bytes: 59168
CGAL Polyhedrons in cache: 0
CGAL cache size in bytes: 0
Compiling design (CSG Products normalization)...
Normalized tree has 2 elements!
Compile and preview finished.
Total rendering time: 0:00:00.051
John David
Thu, Feb 13, 2025 10:59 PM
BTW, does anyone have an example of how to run OpenSCAD from the command
line and parsing the output from stderr/stdout? When trying to build
various versions from source I broke some things and have not gotten it all
sorted out yet. So, in the interim...
EBo --
On Thu, Feb 13, 2025 at 11:34 AM Jordan Brown via Discuss <
discuss@lists.openscad.org> wrote:
> On 2/13/2025 6:41 AM, Raymond West via Discuss wrote:
>
> You can write text to the screen/viewport, and save as pdf., or other
> 2d/3d formats, if you need to read the values. If you want to input that as
> text to another program, then that will need other manipulation. Text is
> not exported as text, but as an image of the text. One method would be to
> display output as a qr code, plenty of software for handling that.
>
>
> It's only exported as an image of the text if you take a screen shot.
> Ordinary select/copy/paste works fine and transfers the text as text.
>
> module outline(t) {
> difference() {
> offset(t/2) children();
> offset(-t/2) children();
> }
> }
>
> color("black") outline(0.3) text("Hello world!");
>
> yields console output:
>
> Parsing design (AST generation)...
> Saved backup file:
> C:/Users/Jordan/OneDrive/Documents/OpenSCAD/backups/unsaved-backup-cSChDmHh.scad
> Compiling design (CSG Tree generation)...
> Compiling design (CSG Products generation)...
> Geometries in cache: 7
> Geometry cache size in bytes: 59168
> CGAL Polyhedrons in cache: 0
> CGAL cache size in bytes: 0
> Compiling design (CSG Products normalization)...
> Normalized tree has 2 elements!
> Compile and preview finished.
> Total rendering time: 0:00:00.051
>
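One way to do what EBo asks above (run OpenSCAD headless and pick the echo() lines out of its output), written as an added example for this thread; it is not code from the OpenSCAD project or from any poster. It assumes an `openscad` binary on PATH, that a headless `openscad -o out.stl in.scad` run prints echo() output to stderr as `ECHO: ...` lines (the form the console shows above), and that the `TIMING:`/`PARAM:` tag scheme inside the echoed strings is this example's own convention, not an OpenSCAD feature. The point worth noticing for the thread's security discussion is where the disk write happens: the harness, running as the user who invoked it, writes `results.json`; the .scad file itself still has no way to touch the filesystem.

```python
"""Run OpenSCAD headless and harvest tagged echo() output.

Added example for this thread (not OpenSCAD or any poster's code).
Assumes: `openscad` on PATH; in CLI mode echo() output appears on stderr
as lines prefixed "ECHO: "; the TAG: key=value convention is ours.
"""
import json
import re
import subprocess
import sys
import tempfile
import time
from pathlib import Path

# A string echo such as echo(str("TIMING: total=", t)) reaches stderr as
#   ECHO: "TIMING: total=0.512"
# so strip the ECHO: prefix and the quotes OpenSCAD puts around strings.
ECHO_RE = re.compile(r'^ECHO:\s*"?(.*?)"?\s*$')
# Tag convention used by this example (not an OpenSCAD feature): TAG: key=value
TAG_RE = re.compile(r'^(?P<tag>[A-Z]+):\s*(?P<key>[\w.-]+)\s*=\s*(?P<value>.*)$')


def _coerce(text):
    """Turn numeric echo payloads into floats; leave anything else as text."""
    try:
        return float(text)
    except ValueError:
        return text.strip('"')


def parse_output(stderr_text):
    """Split headless OpenSCAD stderr into tagged echo records and diagnostics.

    Returns ({tag: {key: value}}, [WARNING:/ERROR: lines]). Untagged echoes
    and OpenSCAD's progress chatter are ignored.
    """
    records = {}
    diagnostics = []
    for raw in stderr_text.splitlines():
        line = raw.strip()
        if line.startswith(("WARNING:", "ERROR:")):
            diagnostics.append(line)
            continue
        m = ECHO_RE.match(line)
        if not m:
            continue
        tagged = TAG_RE.match(m.group(1))
        if tagged:
            records.setdefault(tagged["tag"], {})[tagged["key"]] = _coerce(tagged["value"])
    return records, diagnostics


def run_openscad(scad_path, defines=None, openscad="openscad", timeout=600):
    """Render scad_path headless into a throwaway STL and harvest its echoes.

    defines maps variable names to OpenSCAD expressions passed via -D
    (strings need their own quotes, e.g. {"label": '"run-1"'}).
    Returns (records, diagnostics, wall_seconds, returncode).
    """
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "out.stl"
        cmd = [openscad, "-o", str(out)]
        for name, expr in (defines or {}).items():
            cmd += ["-D", f"{name}={expr}"]
        cmd.append(str(scad_path))
        start = time.perf_counter()
        # No shell=True: the script path and defines travel as argv entries.
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        elapsed = time.perf_counter() - start
    records, diagnostics = parse_output(proc.stderr)
    return records, diagnostics, elapsed, proc.returncode


def write_results(records, diagnostics, elapsed, dest):
    """The harness, not the .scad script, is the thing that writes to disk."""
    payload = {"wall_seconds": elapsed, "records": records, "diagnostics": diagnostics}
    Path(dest).write_text(json.dumps(payload, indent=2))
    return payload


# Constructed sample of the stderr a tagged script would produce (not captured
# from a real run); lets parse_output() be exercised without OpenSCAD installed.
SAMPLE_STDERR = """\
Compiling design (CSG Tree generation)...
ECHO: "PARAM: segments=64"
ECHO: "PARAM: radius=12.5"
ECHO: "TIMING: hull_step=0.037"
ECHO: "just a note for the console"
WARNING: variable foo not specified as parameter, in file x.scad, line 3
ECHO: "TIMING: total=0.512"
"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        records, diags = parse_output(SAMPLE_STDERR)
        print(json.dumps({"records": records, "diagnostics": diags}, indent=2))
    else:
        records, diags, secs, rc = run_openscad(sys.argv[1])
        write_results(records, diags, secs, "results.json")
        print(f"exit {rc}, {secs:.3f}s, {len(diags)} diagnostics -> results.json")
```

Run it with no arguments to see the parser work on the constructed sample, or `python harvest.py model.scad` to render a real file; in the .scad file, emit timings with something like `echo(str("TIMING: total=", t));` so the `TAG: key=value` text survives OpenSCAD's string quoting. A timeout is set on the subprocess so a pathological model cannot hang a regression run.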