I had the Idea that a plugin developer could put, as part of the config or sponge automatically detects it, whether or not the plugin includes custom client side resources (new blocks/items, entity texture and models, guis) and then download them to the client when a client connects to the server. I imagine it being similar to server resource packs. The server would tell the client what plugins need to be loaded(similar setup to checking for how many players are online), downloads the correct version of the plugins, and then restarts the client including the plugins specified for that server. This would require the client to have a plugin, but only if the server has client side resources. If the server does not then it would run like a bukkit server did, using only vanilla items, blocks, entities. If the server does and the client does not have the plugin then the server could kick the player and tell them to download the plugin from Sponge.
What do you guys think? I haven’t really though about the code side of it, but things could be changed if needs be. I am wanting to help as much as I can towards this project. I think that it is great that the community came together so quickly after the DCMA Event. Thanks to the new Sponge Team for their work so far.
Would be cool, but I would think that the plugin/mod author would have to give permission for this to work. Coming more from the Forge world a lot of mod authors put up their mods behind Adfly and similar revenue garnering mechanisms.
But it won’t get integrated into to sponge i guess. IIRC they said they won’t include stuff like this cause of security.
I could image to exactly this, but i want to eliminate the possibility of malicious code or at least lower it. With some kind of permission based system like Android does. To achieve this, the only way i can see, is that client mods have to be written in JavaScript or some other scripting language and may we kill away the java references, so you can’t get every class you want, but instead provide them over a special class which will get exposed to the script context if the permissions are needed.
I have been rethinking this. It would work, and not have security issues, if the server side of sponge gathered the plugin’s name and version and if the client requires it. Then when a client tries to connect to the server, it would receive the name and version of required mods from the server, but download them from a section similar to the old dev.bukkit.org site. All plugins uploaded would be verified and checked for malicious content. The client screen could look similar to forge’s missing-dependancy screen where it says the mod and required version, except for this it could ask whether or not you want to download the plugins. Following which, it would relaunch minecraft with the appropriate mods for that server (could be similar to the launcher’s profiles)
Sorry if my post is hard to follow. I keep changing my ideas about this. I think this would be a great addition for Sponge
Well like @aileron565 was starting to say, only download the plugin from trusted sources (like dev.bukkit.org) where they already get checked for malicious content. To expand on that, if the person so wishes (even tho it’s against the EULA) to use ad fly then prompt the user to download it themselves. (and inform them it could be dangerous.)
Correct @Kodfod, this system will only be as secure as the uploading/dev site’s setup. This prevents the need to check for malicious files twice (once for each system).
Well, if you do a ‘Uploaded.spingepowered.org’ and staff approve, it the client can download it.
The download page is approved by Sponge, and the only source sponge allows.
I would like to see dev.spongepowered.org (or what ever system they implement) have a way for developers to get information. I would like to see JSON used to get information (IE: Versions, Names, Permissions, Author, etc…)
as much as i like the idea of allowing this kind of automation, there really isn’t much to combat against the priority of security. its been stated before long time ago (and above 6 days ago) that sponge won’t be integrating any form of client-downloader automation.
that doesn’t necessarily mean someone can’t make it themselves, however (and i’m not suggesting making a pr to sponge either, that’ll get nopetrained fast). one can make their own extension mod or plugin to do that, however it’ll be up to the users as to whether or not it is trustable as they do with the mods and/or plugins they choose to download.