Why would there be a lot of people downloading it? Maybe at first yes, but after a while the traffic should slow down. I would think that after you download it the first time then you wouldn’t need to download it again (unless the server updates/changes something). Most people play on the same server.
As for a “backdoor”, I don’t think you can prevent that completely. However, having a verification/flag system would help.
Md_5’s are always an option, you know to check if the “Verified mods” are legit.
We were originally discussing the fact that Sponge wouldn’t require a modified client; hopefully due to Lex’s work in Forge.
How about making an API that let’s modders add blocks/items through plugins. The textures would be sent to the client, no code/binaries will be downloaded.
Another option would be to overhaul resource packs so they can add blocks, items, and behaviors. They can already change block models, add sounds, and change locale and textures, why shouldn’t they be able to add blocks?
There would also be a cache system with md5 checks so the client only needs to download the textures/overhauled resource packs when needed.
I know it’s easier said than done, but this would be a huge change in Minecraft modding that I think should have happened a long time ago. From what I know/hope, this is what the Modding API is going to be like.
The only problem left to solve is to find a good idea for advanced behaviors that can’t be scripted…
Well im not 100% sure like Spoutcraft work’s but the idea is simeler.
We really need something like this. I hate it, that you have to tell your players, what mods to use and how to get them. Every bigger server develops a custom launcher to handle this problem, but i would love to see this integrated in the server.
I also understand the security issues, but don’t we have that problem with every modpack we install? How can I be safe when downloading modpacks with FTB launcher or Technic Launcher? Yep, i can’t!
I haven’t heard any mechanisms in this thread on how to honor licensing terms of a mod.
If an author doesn’t want their mod distributed then it won’t be. Simple.
As far as I know the modpacks in FTB are checked for security flaws. But I agree, something like this is needed. My friends are really not the brightest, so I can’t ever play modded minecraft with them. FTB was the closest I ever got.
In my opinion such a system can be designed to be secure, but I am not sure if there are enough resources here for designing and implementing such a system.
Receiving and executing untrusted software can go very wrong very fast. All mods would need to be signed by the author and by a third party like sponge, this third party would need to make sure plugins are not malicious. The sponge server would need to check all signatures and eventual revocations.
But there are many open questions:
couldn’t we do like a database of plugins that can be sent from a server to the client based on what the server owner chopped.
That’s what I said, something like the Steam Workshop.
I said something almost identical like 2 days ago.
The only problem with something like the steam workshop is that it would mean that a separate client would need to be launched. The goal here is to be able to connect up using the Vanilla Client. Correct me if I’m wrong though…
Proof of concept…
I know they are checked for issues, but does anyone know, how they are checking? If you argue that way, the server owner can be the one, who checks the mods for security breaches.
In my opinion, it would be the best to just send links of the mods to the client and the client downloads the mod itself. That way you can’t send any code to the client.
If there will be a mod database for sponge, you propably can do automatic MD5 checks.
At the first download of the mods you can show a list of mods to the client with the status of the MD5 hash and warn them to install unchecked mods. The client has to confirm the warnings and sponge is no longer responsible for security issues.
You also could add automatic license checks, so it checks, if you are allowed to use the mod in your modpack.
I like your last idea. I had the same idea. But with the little change, that the server should use download-links from an mod database but he also can use alternative links (e.g if it’s a custom mod). Now if I want to join this server for the first time, I see a list with every mod. Mods that don’t have a link to the database are marked with red color an are at the top of the list. In addition you have a checkbox for every plugin where you can choose if you want this mod to be installed. Mods that are marked in red color are always unchecked!
(Sry for my bad english 
)
That’s exactly what i was thinking!
I like 007checker’s idea except I think it should still be automatic, just make them agree to 4 terms of services and they will surely give up xD
No I’m serious, make them agree to the licence the mod is put under and force them to look at their website, you should do something like Firefox’s wait 5 seconds to install this extension to make sure they read it thoroughly!