POC Plugin Downloader on Client

This is a Proof of Concept (POC)

Note: There will never be a plugin downloader in Sponge

Here's a GIF of an idea I have to create a plugin downloader on the client. The server will send a list of plugins that are needed on the client, the client then downloads from Ore. ![screenshot gif](/uploads/default/5016/be6a6bd8c924d940.gif) Once I actually have it functioning (the screen is fake ATM), it would be great if someone can prove that it is not safe by hacking it (A POC of a POC) to really show why it's potentially dangerous.

It’s a really nice idea, I can imagine if it’s not proven unsafe then this could be really useful for people like me who are too lazy to download stuff the normal way. xD

Moved to Plugin Discussion.

If the server just provides links to Ore, and Ore is safe, no problem right?

If someone hacks this together I’ll happily provide a POC showing the security vulnerabilities here. I can think of multiple just off of the top of my head. However it really depends on the implementation. Though each implementation will have it’s flaws.

1 Like

It seems in the faq it is said that Sponge won’t send plugins to client… Obsidian did this right?

Why would the server need to send plugins to the client? Plugins are server-side only entities and as long as you are connected to a server with the plugins the client does not need to have them. This seems to fall under the automatically downloaded mods category.

I support something like this whole-heartedly on the other hand for use by mapmakers or perhaps even someday for client-side mods themselves for both modded servers and maps, if there is ever a semi-secure repository for them.

I think, if handled correctly with the appropriate amount of paranoia then something like this could be great, but hey, obviously a lot of people freak the hell out when they see “download plugins directly from ore” so I can’t really say much.

This would be for client plugins when Sponge gets a client side API or possibly for Forge mods too though they won’t use Ore.
I saw that some people were interested in dowloading stuff from the server so I will try to pursue making it possible (though only as a PoC and shouldn’t be used in production).

1 Like

I love this idea, and it should be introduced within Vanilla in my opinion, however before joining a server, it should warn the user that potentially harmful files may be downloaded.

On a side note:
Would it be safe for Minecraft to just download/read scala scripts? Would that be safer as they could limit what could be interpreted in scala?

for example:
Maybe they could just add stuff like gui support, packet sending to server etc… so that servers can truly customize their player experience without the users worrying about harmful files.

Update (because who doesn’t like those :slight_smile: )
[li] I have got the server to send a list of plugins to the client using Sponge’s Network API.[/li]
[li]Vanilla handles the response gracefully, the server will kick them vanilla screenshot[/li]
[li]When using the mod on the client, it will download them (not implemented yet)mod screenshot[/li]
[li]Limitation - Ore is not a usable product yet, there’s only so far I can go at the moment.[/li]
[li]To decrease the risk of the server sending bad things, it’s completely up to the client to deal with the necessary plugins. The server sends a list of all plugins the client will need, and will hang up if the client does not give the ‘all OK’ message.[/li]


I suggest the ability to add “optional” downloads. Plugins not required, but can be used if the client wants them (ie minimap, redesigned hud, ext).

I also suggest (if possible) an option to separate plugins for each server in their own folder.

Where could I download it?

I have not worked on this since my last update post, there is nothing useful that it does at the moment.

I have not seen any plugins that have clients-side features as of yet so I don’t see a reason for this to be needed right now.

Do you have any source anywhere?

Now I do :stuck_out_tongue:

is this updated, if so how do I install it?