Blender’s Security Problems Tarnish the Image of the Open Source Ecosystem
Blender, the video editor that helped prove open source’s mettle a decade ago, turns out to be rife with security vulnerabilities. Sadly, open source developers refuse to fix them. What does this mean for the state of open source security? Here’s what you need to know.
In September 2002, a crowdfunding campaign succeeded in raising sufficient funds for the Blender developers to open source the platform.
This was a big deal. At the time, the future of open source software remained uncertain. Firefox, the first major open source Web browser, was only a few years old. So was GNOME, the open source desktop interface. OpenOffice, the first real open source office productivity suite, was released just months before Blender was open-sourced.
In short, when Blender joined the open source ecosystem, it remained very unclear whether the open source model would succeed. Many key open source platforms were still in the early stages of development, and had not been widely adopted.
For that reason, it was significant not just that Blender was open-sourced in 2002, but that people started using it for serious purposes. Video editing software is a sophisticated and complex niche to fill. Blender’s ability to provide video editing functionality for the open source ecosystem helped to instill confidence in the open source vision.
Blender’s Security Vulnerabilities
For most of its history, Blender made few headlines. It was widely used in the video editing world and known to open source enthusiasts, but it never generated much noise.
Most of the vulnerabilities make it possible for an attacker to execute arbitrary code (which, in layman’s terms, basically means take over someone’s computer) if a malicious file is loaded into Blender.
You might not expect these Blender security issues to be noteworthy. Security problems are disclosed in software platforms all the time, including open source ones. Usually, the problems are fixed, developers promise not to make the same mistakes again, and eventually everyone forgets the episode.
Yet what makes the Blender vulnerabilities notable is the Blender team’s refusal to fix them.
Arguing that it is the user’s responsibility to avoid loading into Blender the malicious files that could trigger a security breach, Blender developer Brecht Van Lommel said it would be “a waste of time” to fix the vulnerabilities.
Van Lommel has a point—sort of. Developers can’t control what users load into an application. If you open a file attachment from a source you don’t trust and it installs malware on your computer, you can’t blame your email provider, to take one example.
On the other hand, developers have a reasonable responsibility to mitigate security holes that attackers could exploit. If they’re aware of a security flaw, they should fix it. They can’t control everything users do, but if they know that an action that is routinely performed by users could trigger a security attack, they should take steps to reduce the risk that it will happen.
Blender Security and Open Source
Blender developers’ reluctance to address the security issues that Talos disclosed does not reflect well on the open source ecosystem. After all, if one believes the open source mantra that “given enough eyeballs, all bugs are shallow”—which was one of the talking points that helped open source software go mainstream fifteen years ago—then one should undertake efforts to fix bugs (including security bugs) that are discovered by others.
Otherwise, one of the core arguments in favor of the open source model starts to break down. If developers don’t want to respond to feedback that third parties provide about their applications, they probably should not open-source the applications.
Conclusion: While I can appreciate the Blender developers’ argument, I think they’re doing a dangerous disservice to open source by ignoring the security problems. Fortunately, given how pervasive open source has now become, I doubt this affair will have a serious impact on the image of open source software.