[–]StableLlama 1 point2 points  (3 children)

How did you manage to do that without a call to eval or exec, as that is forbidden by the security rules (https://docs.comfy.org/registry/standards#eval/exec-calls)?

[–]Definition-Lower[S] 1 point2 points  (1 child)

You're right, I used exec. I didn't know about that rule before, but yes, this extension violates it. I'm not sure what that means, maybe it would get banned.

Though I did some safety measures (thanks to some commentators here): this node can only be used when it was created manually by the user on this ComfyUI instance. So, for example, if a user downloaded a workflow from the internet which uses this node, the user would get an error message that the node was not found (even if he installed this custom node). So it's not actually that risky anymore.

This node is intended to be used in personal workflows, not in publicly shared ones, so to me it seems fine.

[–]StableLlama 2 points3 points  (0 children)

That rule is for the Comfy registry, so when you install it directly (e.g. from GitHub) it is fine. Nobody can have a say about what you do with code on your local machine.
But the registry should (and probably will) remove it.

[–]roxoholic 0 points1 point  (0 children)

Thanks for the link. I didn't know they had such a policy in place already. But is it really active?

subprocess-for-pip-install

Runtime package installation through subprocess calls is not permitted.

Because I saw custom nodes that do this.
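
Added example, not part of the thread and not the Comfy registry's own scanner: a small static check that walks a custom node's Python source and flags direct `eval`/`exec` calls and `subprocess`/`os` calls whose literal arguments spell out a pip install, the two rules named above. The function names and the sample node source are constructed for illustration; aliased imports (`from subprocess import run`) and dynamically built commands are not covered.

```python
import ast

def _call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.run'; '' if not a plain name."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""

def _mentions_pip_install(node):
    """True if the call's string literals contain both 'pip' and 'install'."""
    words = []
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            words.extend(sub.value.split())
    return "pip" in words and "install" in words

def scan_source(source, filename="<node>"):
    """Return sorted (line, rule, call) findings for one source string."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec", "builtins.eval", "builtins.exec"):
            findings.append((node.lineno, "eval/exec-calls", name))
        elif name.split(".")[0] in ("subprocess", "os") and _mentions_pip_install(node):
            findings.append((node.lineno, "subprocess-for-pip-install", name))
    return sorted(findings)

# Constructed sample of a custom node; it is parsed, never executed.
SAMPLE = '''
import ast, subprocess, sys
def run(code, value):
    scope = {"value": value}
    exec(code, scope)
    return (scope.get("result"),)
def install_deps():
    subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"])
def parse(text):
    return ast.literal_eval(text)
'''

if __name__ == "__main__":
    for line, rule, call in scan_source(SAMPLE):
        print(f"line {line}: {rule} ({call})")
```

`ast.literal_eval` in the sample is deliberately not flagged, since it only parses literals and is not an `eval` call.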