Instead of pushing mods/plugins to a client, maybe something that is in the form of a launcher that is similar to MultiMC. The launcher could allow a user to pick and choose mods/plugins from an approved list. Possibly it could also allow a user to pick and choose mod packs that server owners have created from the approved mods/plugins.
And of course, there should be a way to inject/import unapproved mods/plugins as well.
Just my thoughts and 2¢
Well in the case of an official repo you could set a mod to “private”
@junrall Like MultiMC if you have the server simply sending a mod ID for the client to download from the repo itself it works even better than having to manually select the mods/plugins from a list.
I see your point… makes sense.
I guess that something like MultiMC would be more beneficial to mod pack creators that wish to use approved mods/plugins.
Would still like to see a launcher just for Sponge… but that is for another thread!
Rather than having an official mod/plugin repository with admins that double-check each for threats, how about this? You download a “master server config” or something like that from the server owner; this file contains the server IP and server name, mod name, mod version, and download links to all the mods, optionally a name/version/download link to a texture pack, and a download link to a ZIP file with configs (possibly JSON format?). You can check this file yourself and/or individually download each file if you don’t trust the server owner; otherwise, you drag/import the file into Sponge, and it automatically adds a server entry into the multiplayer menu, and downloads the mods (possibly with a progress bar beneath the server entry?). If the server updates, all you do is drag in a new “master server config” file, and it automatically updates (and of course you can check this new one). Each server’s mods, texture packs, and configs are in separate folders, and/or are disabled/enabled per server.
This seems like it solves the problem with automatically downloading a mod, or forging a trusted mod name (because you can see the download link). It also adds the ability to automatically download a specific server config.
Thoughts?
I see what you mean and this is a good idea but consider this scenario… The server sends over the file and you open it up and open the links, everything looks pretty legit but one of the downloads is actually malicious and the link is to a spoofed website with fake reviews (people do this all the time), you think it is legit, you import it into sponge and then the code infects your computer. Still a certain amount of security risk, granted all the responsibility to verify the mod is now on the user him/herself.
Me and you share the same idea. By requiring an approval process and forcing it to a central repo, imo that makes it more safe than downloading a mod off a Minecraft forums post. Though a lot of work for approval.
This sort of thing already exists though. Like you said, MultiMC or Technic (which is more for serving modpacks). People know about these solutions as they have been around for years. Some people want to try a different solution, though it has been discussed in length that it might be more than difficult.
This is the whole goal of Obsidian Box, homepage over here: http://obsidianbox.org/news/
We will be using sponge as the API, don’t reinvent the wheel please, we’ve got some great developers on the project.
Sounds promising. How possible do you think doing something like this would be?
Very very possible. I think it’s possible to do this without any special work. Unfortunately it would require running two servers.
Yes, Obsidian is my project.
My goal was, at first, to send addon jars (external code) to the client…but that is a mess in and of itself. My teammates and I also hit issues with the client not having the blocks that exist on the server during the handshake process (which caused FML to kick us)
That said, 1.8 changes things. We can probably send the new blocks from the server now using combo of fml/vanilla which would bring me closer to my dream with Obsidian.
Will take a bit though as my hands are full currently running Sponge’s development :p.
I would also like to mention, just to dispel the idea that this would be terribly unsafe. That I was planning to make sure that we did code signing on jars we sent to the client from the server.
If you want to allow the server itself to send jars that’s a players own choice, like an Android application.
That’s the plan I was thinking anyway.
Very correct, let’s say
server owner sends a virus into the players client and bye player and the owner could have another computer apart of his/her botnet and use that to DDoS servers, isn’t this also a legal issue? wouldn’t it be illegal?
Well if you look in to forge modding. Forge uses world.isremote() to filter client and world operations. Wouldn’t it be possible to send render code only to the client? Meaby packed in a special format that includes:
Yes it would be illegal for the server owner to do this. Has nothing to do with us really. The difficulty of doing that would be high, as players would have to confirm they want the addon; then its the user’s fault actually.
I noticed that a lot of people are mentioning the need for a central repository, isn’t this what curse forge is already. I would think it would be possible to just get a file that lists the curse forge links of the needed mods and then use the official curse API to get the mods.
As for security, concerns have every mod that is to be installed pop up in a list along with author name that when clicked opens up the curse page in your default browser.
This would require either one mod installed (the APIs that allow this auto-downloading) or a custom client. This would still allow vanilla clients to connect. As for configs, they could just be taken from the server since they are only read files and can’t be executed.
Curse forge is very far from a central repo. It is not meant to behave like a repo should behave, it is a download site. Also I do not think that the mods on curse forge are heavily reviewed. You could easily download a virus which has been our problem in the first place. Read the entire thread.
FYI: That right there was a necro post. Try not to do that too often.
What’s a necro post?
Also I did read the whole thread, curse scans all uploaded mods for certain things and isn’t downloading the only thing that would have to be done. Also, right now whenever you download a mod you do so because it has a good description so right now anyone could download a virus regardless of where it is hosted. Curse at least does a basic scan. If someone really had malicious intent, no matter where they host it, a few people will download it before it is know to be malicious unless you only had open source mods that had to be manually built by the end user to ensure it wasn’t modified before being uploaded.
A post that awakes the thread its posted in from the death…
The last post in here was on nov '14 before you revived this thread.
