Add a preference item to allow updating Presets from non-Prusa sites #4129

Closed

Contributor

@aegean-odyssey aegean-odyssey commented Apr 26, 2020

When updating system presets (vendor bundles), the application currently blocks access to any URL that does not match Prusa Research's "official" update URL. This patch adds a preference item that lets the user override this behavior, that is, it allows the application to update system presets from URLs other than the official PrusaResearch URL. Since the user directly controls this new behavior, I think the patch mitigates much of any "security risk" and preserves the intent of the code's original behavior. This change extends the program's "standard" updating process to support experimental, limited-appeal, or one-off vendor profiles that are not directly supported by PrusaSlicer and PrusaSlicer-settings.

Along with pull request #4122, may resolve issues #2306, #2560, and #3398.

If enabled, the application will also allow updates of Vendor Bundles
from URLs other than the official PrusaResearch URL. The user controls
whether or not to allow access to the "non-official" URLs.
// Please keep in sync with ../Utils/PresetUpdater.cpp
def.label = L("Allow updating Presets from non-Prusa sites");
def.type = coBool;
def.tooltip = L("If enabled, Slic3r will also allow updates of built-in system presets from URLs other than the official Prusa URL.");
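Review bot: the tooltip on the last line says what the option enables but not what the user gives up by enabling it. Since it lifts the official-URL restriction for system presets, the text should say that presets fetched from other URLs are trusted on the user's own responsibility. The visible lines also set no default value, so please confirm the option defaults to off. The "Please keep in sync with ../Utils/PresetUpdater.cpp" comment indicates the same definition lives in two places; a shared constant would keep the two from drifting apart.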


Shouldn't it read "Prusa Slicer" instead of "Slic3r"?

Contributor Author


Quite possibly. I chose "Slic3r" to follow the convention used in Preferences.cpp. Pretty much every preference codes its tooltip with "Slic3r" as well. I'm not sure how they show up as "PrusaSlicer" in the app.

@bubnikv
Collaborator

bubnikv commented Nov 21, 2020

Sorry, but we are not going to merge this, especially after #5196 and the discussion following https://forum.prusaprinters.org/forum/prusaslicer/prusaslicer-2-3-0-alpha3-is-released/

@bubnikv bubnikv closed this Nov 21, 2020
@aegean-odyssey
Contributor Author

Hmm, I wish I could defend this change as vigorously as #4122, but I see your point. While I don't believe it makes PrusaSlicer any more vulnerable to abuse, this change does nothing to help (and may complicate) the overarching issues related to security.

Perhaps there is another approach -- a way to provide a secure update that can use the official Prusa site (or an officially vetted site) to create and maintain complete vendor configuration bundles more or less independently of the PrusaSlicer program? And along the way, add the ability to update all resource files (not just the .ini and .idx files).

I have no good solutions to propose. The current update mechanism has a few tiny rough spots -- ultimately worth fixing I think in such a capable and polished program as PrusaSlicer. But for now, I believe more thought and research is in order.

@belese

belese commented Dec 14, 2020

Hello,
If we can't update from a custom URL, could you add a note to or update that doc, "Vendor bundles and updating process"?

It took a while to find out why it was not working before I found this PR.

Thanks

Johan

@bubnikv
Collaborator

bubnikv commented Dec 15, 2020

That is fair. I have added the following note:

Please note, that PrusaSlicer does NOT allow downloading of profiles from other sites than prusa3d.com for security reasons.
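
An added example, not code from this pull request or from PrusaSlicer: one way to enforce the origin restriction discussed in this thread by comparing the parsed host instead of the raw URL string. The domain is taken from the note quoted above; the function name and the parsing rules are assumptions.

```cpp
#include <cctype>
#include <string>

// Assumption: trusted domain taken from the note quoted in this thread.
// Function name and parsing rules are hypothetical, not PrusaSlicer's code.
static const std::string kTrustedDomain = "prusa3d.com";

// True only for https URLs whose host is the trusted domain or a subdomain.
// The host is extracted and compared as a whole, so strings that merely
// start with, end with or contain the trusted name are rejected.
bool is_trusted_update_url(const std::string &url)
{
    static const std::string scheme = "https://";
    if (url.size() <= scheme.size()) return false;
    for (size_t i = 0; i < scheme.size(); ++i)  // scheme is case-insensitive
        if (std::tolower(static_cast<unsigned char>(url[i])) != scheme[i])
            return false;

    // The authority component ends at the first '/', '?' or '#'.
    size_t end = url.find_first_of("/?#", scheme.size());
    if (end == std::string::npos) end = url.size();
    std::string host = url.substr(scheme.size(), end - scheme.size());

    // Optional port: digits only, split off before the host is checked.
    const size_t colon = host.find(':');
    if (colon != std::string::npos) {
        const std::string port = host.substr(colon + 1);
        if (port.empty() || port.find_first_not_of("0123456789") != std::string::npos)
            return false;
        host.erase(colon);
    }
    if (!host.empty() && host.back() == '.') host.pop_back();  // FQDN form
    if (host.empty()) return false;

    // Letters, digits, '-' and '.' only. This also rejects userinfo ('@'),
    // backslashes, whitespace and IPv6 literals instead of guessing at them.
    for (char &c : host) {
        const unsigned char u = static_cast<unsigned char>(c);
        if (!std::isalnum(u) && u != '-' && u != '.') return false;
        c = static_cast<char>(std::tolower(u));
    }

    if (host == kTrustedDomain) return true;
    const std::string suffix = "." + kTrustedDomain;
    return host.size() > suffix.size() &&
           host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
}
```

The check fails closed: anything it cannot parse unambiguously is treated as untrusted.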
