Outdated Python engine

First it helps to know why the switch was made. IronPython relies on Python 2.7 to this day. That Python engine hasn’t been supported for over a year, and as a result is a security risk. If an exploit was found in the code or in a dependency in the code, your system would be at risk. If a dependency stops working after a Windows update, you’ll be unable to work with the tool at all (or you’d have to roll back the update). Think of it like running Windows 7, but you get fewer people thinking you’re crazy.

You should also know that Autodesk takes security stuff very seriously. A lot of effort goes into keeping what we ship for you to run as safe as we can. You can check out the publicly disclosed stuff here, but know there is even more stuff that isn’t disclosed, as it was found and patched internally. I typically advise people that if it ever says “security updates” in the release notes, assume you want it, and if it is on that site then you should assume you need it pronto.

Lastly, this should not come as a surprise. Three more things of note:

  • The Dynamo team has been shouting about this from the rooftops for over a year now;
  • The forum has had significant noise on the subject before I started at Autodesk (though I think the loudest voice deleted most, if not all, of their posts);
  • There is a work-around in place if you’re willing to use it.

Now that we have some background on why the change is happening and the history on the topic, it’s important to note that there are options.

  1. Change all the Python everywhere that uses the IronPython engine over to the CPython engine. Sometimes this will be easy (one or two clicks), sometimes not so much. I believe the ‘switch’ can be flipped between engines in bulk by editing the .dyn and .dyf via an automation routine; however, the resulting custom nodes and Dynamo graphs would need to be tested very carefully afterwards. I was going to release some code showing how this was done as part of my AU session… I’ll try and find another path for it now though as I didn’t make the cut with that one.
  2. Download the IronPython engine from the Dynamo Package Manager. Users will see this message when they open a graph, but they can be taught to “hit ok” and continue on their way. This does come with the previously mentioned security risk of keeping a Python 2.7 environment available in your network, so review with your info sec teams.
  3. Ignore the problem and hope it goes away. This is a bad choice, but I hate only giving two options so here we are.

Now I am going to preface this last bit with a disclaimer. I am not an infosec expert, and this is not infosec advice but rather a personal opinion. Seek professional guidance if you are not sure what to do in the area of information security.

I would trend towards 1 quickly, editing your library to remove uses of 2 until the package can be removed. Is that a lot of work? You bet. I’ve had a sampling of Python3 edited packages circling my C drive for about 2 years now and I’m not done by any means. But maintaining software of any kind is always more work than building it, and like it or not Dynamo graph authoring is software authoring, you just don’t experience it as such. If my infosec team were to push me to remove this from the environment before I was ready, I’d ask them to first ensure that all other unsupported desktop applications are stripped from the environment (see the current and 3 prior version rule for anything Autodesk, so as of today that means anything older than 2020), and that all publicly disclosed vulnerabilities are fully patched (see the trust site linked above). That will likely buy you enough time to make a focused effort to narrow in on what you need and edit accordingly.

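As a first step towards option 1, here is a read-only inventory of which Python nodes in a library still depend on the legacy engine, with a rough flag for code that needs hand porting rather than a simple switch. This is an added example, not code from the post's author or from Autodesk. It assumes the Dynamo 2.x JSON file layout (the keys `Nodes`, `NodeType`, `Engine`, `Code` and the value `IronPython2`), so confirm those against one of your own files first.

```python
import json
import re
from pathlib import Path

# Assumed Dynamo 2.x JSON layout: a top-level "Nodes" list in which Python nodes
# carry "NodeType": "PythonScriptNode", a "Code" string and an "Engine" string.
# Verify these key names against one of your own .dyn files before relying on them.
LEGACY_ENGINE = "IronPython2"

# Heuristic markers of Python 2-only code that needs hand edits, not just a switch.
PY2_MARKERS = {
    "print statement": re.compile(r"^\s*print\s+[^(\s]", re.M),
    "except X, e": re.compile(r"^\s*except\s+[\w.]+\s*,\s*\w+\s*:", re.M),
    "xrange/unicode/raw_input": re.compile(r"\b(xrange|unicode|raw_input)\s*\("),
    ".has_key/.iteritems": re.compile(r"\.(has_key|iteritems|itervalues|iterkeys)\s*\("),
}


def audit_graph(path):
    """Return one finding per Python node in a .dyn/.dyf still on the legacy engine."""
    try:
        doc = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError) as exc:
        # Older XML-format files cannot be parsed here; report them, never skip silently.
        return [{"file": str(path), "node": None, "issue": f"not JSON: {type(exc).__name__}"}]
    nodes = doc.get("Nodes", []) if isinstance(doc, dict) else []
    findings = []
    for node in nodes:
        if node.get("NodeType") != "PythonScriptNode":
            continue
        # Assumption: a Python node with no "Engine" key predates the engine choice.
        if node.get("Engine", LEGACY_ENGINE) != LEGACY_ENGINE:
            continue
        hits = [name for name, rx in PY2_MARKERS.items() if rx.search(node.get("Code", ""))]
        issue = "manual port: " + ", ".join(hits) if hits else "likely simple switch"
        findings.append({"file": str(path), "node": node.get("Id"), "issue": issue})
    return findings


def audit_tree(root):
    """Walk a library folder and audit every .dyn and .dyf file under it."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() in (".dyn", ".dyf"):
            results.extend(audit_graph(path))
    return results
```

The script never writes to the graphs; an empty result from `audit_tree` on a folder is the evidence that the IronPython package is no longer needed there.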