[IDEA] Sponge "Hack-a-thon"

Continuing the discussion from Suspicious Plugin Response Team Training [CLOSED see post for details]:

I think it would be a good idea to do some of this, so we can find vulnerabilities in the Sponge API.
Also so we can create plugin upload screening software :smile:


I think my post explains why this is not a great idea pretty well. @Zidane maybe you could do some tweaking to my post to make this fact clear?


Maybe I should just turn it into a forum game then?

This was the explanation that I was given after talking with @modwizcode. I wish we could do it too…

That’s a great explanation.

However, I still think plugin upload screening software would be useful.
(Or you could just remove any mention of setting op status from Sponge.)

Plugin screening will be done by people; they may be aided by tools, but plugins are manually reviewed. Uploads MUST go through people before they are posted. It’s far easier to trick a screening tool than someone possessing a copy of the bytecode and running through it line by line at worst.

But won’t that get to a point where plugins will take forever to get approved?

I really don’t see another way tbh. I have spent a good amount of time trying to think of alternatives.

How about: Plugins can be uploaded without approval, but until approved, there is a big warning to downloaders that the plugin hasn’t been approved, or similar.


That does work to solve the issue of a backlog, but it still requires fairly large manpower to not get incredibly behind. Also, amateur server owners probably are not even aware a plugin could exploit their setup and leave them vulnerable, so what happens when someone uploads a malicious plugin? You see how well ASOs listen on Sponge when we have stated at multiple locations that it is not ready for download. They are going to look right past a warning label.

BukkitDev may have been fairly slow, but it was a lot faster than getting new updates to an iPhone app. So as long as we are faster than that, I think the Ore plugin response team will be fine. I know I don’t want any links even with cigarette ad style warnings in front of them if the file is unapproved, since many misguided server owners don’t read the messages.


This message brought to you by the sysadmin general.

ASOs probably won’t even recognize what that is though.

That mobo got rekt… scratches head How does that even happen?

Should probably make this more relevant to the original topic…

My university has a hack-a-thon, but it’s not about hacking and breaking things; rather, it’s a 24-hour competition to build some piece of software. Some great things come out of timed competitions (I believe the Trouble in Terrorist Town Garry’s Mod gamemode was made in some sort of timed competition, don’t quote me on that, though) and I do think that could be beneficial for the community.


We regularly had approval measured in minutes rather than hours. The difficulty isn’t the system itself; it’s getting volunteers willing to suffer through review, and then deal with an utterly ungrateful community in the extremely rare event they make a mistake.


There’s been many discussions on that particular topic already.

