Will sponge be like spout

I am really excited if Sponge will be able to add mods through the server in a limited fashion like Spoutcraft :smiley:

It has been discussed, maybe sponge as a client side mod can do this, but for the most part it’s been a pretty stable “no” for any other way, because of the security risks.

1 Like

You would be able to detect if a clientside Forge mod is installed on a player using channels on your plugin. So for example, if they get the clientside hud mod, you can change the values according to your plugin and if they don’t, you can have a vanilla interface maybe by using scoreboard.

Everything on the Internet is at your own risk, so nobody would mind that some bad software, a.k.a. viruses, would come onto their PCs. If you are good at it you can also turn a normal server into a virus server, because Minecraft downloads the world in parts, so I think a “Use at your own risk.” sign would be more than sufficient and SpoutSponge is ready to go. :smile:

Yes. But the world that is downloaded is non executable and needs to follow a specific format. If any packet deviates from that format it will be read incorrectly, discarded or the client will disconnect. Nothing is / can be sent that could make the client act in a way not intended by its developer. That’s the difference.
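
Added example, not part of the original thread and not Minecraft's own decoder: a strict parser for a simplified length-prefixed frame format, showing how input that deviates from the format is rejected and how accepted input is only ever copied as bytes. The framing layout, `MAX_FRAME` and the packet id range are assumptions made for illustration.

```java
import java.net.ProtocolException;
import java.nio.ByteBuffer;
// Simplified framing (assumed): [varint length][varint packet id][payload bytes].
public class StrictFrameDecoder {
    static final int MAX_FRAME = 2 * 1024 * 1024; // hypothetical size limit
    record Frame(int id, byte[] payload) {}

    // Reads a 7-bits-per-byte variable-length int, at most 5 bytes long.
    static int readVarInt(ByteBuffer in) throws ProtocolException {
        int value = 0;
        for (int i = 0; i < 5; i++) {
            if (!in.hasRemaining()) throw new ProtocolException("truncated varint");
            byte b = in.get();
            value |= (b & 0x7F) << (7 * i);
            if ((b & 0x80) == 0) return value;
        }
        throw new ProtocolException("varint longer than 5 bytes");
    }

    static Frame decode(ByteBuffer in) throws ProtocolException {
        int length = readVarInt(in);
        if (length <= 0 || length > MAX_FRAME) throw new ProtocolException("bad length " + length);
        if (length > in.remaining()) throw new ProtocolException("frame truncated");
        ByteBuffer body = in.slice().limit(length);   // view of exactly this frame
        int id = readVarInt(body);
        if (id < 0 || id > 0xFF) throw new ProtocolException("unknown packet id " + id); // hypothetical range
        byte[] payload = new byte[body.remaining()];
        body.get(payload);                            // copied as bytes, never executed
        in.position(in.position() + length);          // consume the frame
        return new Frame(id, payload);
    }

    public static void main(String[] args) {
        byte[][] samples = {                          // constructed sample inputs
            {0x03, 0x21, 0x0A, 0x0B},                 // valid: id 0x21, 2 payload bytes
            {0x05, 0x21, 0x0A},                       // claims 5 bytes, only 2 present
            {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x01}, // overlong varint
            {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x07},              // length over limit
        };
        for (byte[] s : samples) {
            try {
                Frame f = decode(ByteBuffer.wrap(s));
                System.out.println("accepted id=" + f.id() + " payload=" + f.payload().length);
            } catch (ProtocolException e) {
                System.out.println("rejected, disconnect: " + e.getMessage());
            }
        }
    }
}
```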

The server I play on in the past had issues where random chunks would load but be inexplicably corrupted. Entering them would crash a player’s game and prevent them from reentering unless an admin jailed them (jailing would edit the player’s last coordinates in the player file itself, hence removing them from the bad chunk). If someone weaponizes whatever caused this corruption… Game over.

I would absolutely care.

No, you would not be able to get a virus from a Minecraft server without downloading mods. Downloading the world is very similar to viewing an image off the internet: almost impossible to get a virus from as long as the software viewing it is coded correctly…

And who will pay attention to that?

Crashing the player’s game is easy compared to “weaponizing” the crash. All you need to do is confuse the client and it disconnects; this doesn’t mean that you are suddenly able to run arbitrary code on the client.

Right. The chunks were corrupted (which is by the way usually caused by abruptly stopping the server, via sigterm for instance), so they crashed the client. That doesn’t mean that the client would suddenly run arbitrary code. For something to execute arbitrary code the Minecraft client would need to be coded in a way to accept, interpret and treat that code as code. And even if, the code would still have to be executed. Code isn’t dangerous. To pose any threat at all it needs to be executed. That requires somebody / something to execute it.

A mod is not a runnable, though, or at least not on your computer directly. It runs in Minecraft, so it could destroy your Minecraft instance but NOT your computer.

Incorrect, it could absolutely destroy your computer, or at least the files of the user minecraft is running as.

I have a slightly unrelated question. The front page says:

Combining the strengths
of the server and client modding communities.

But I can’t find any plans or info about it. Search in docs returned only this:

 it should be possible in the long term.

AFAIK, there are absolutely no plans for any client code, for the reasons above. Adding new blocks and items via Sponge and showing arbitrary UI/HUD were also rejected. I can understand the reasons behind that. But what does “Combining the strengths of the server and client” mean in the context of Sponge, then? I know that it’s not implemented yet, but are there any plans or the like?

At the moment they want the existing API to be feature complete and implemented from the server side before working out the client side stuff.

Bukkit is dead/dying; a better replacement is the first priority. Making things awesome comes next :slight_smile:

1 Like

to be more elaborate, a mod is part of minecraft, which is in its most basic form a program that runs on your computer. considering a mod changes the behavior of that program, it also very likely has full access to all the rights the original program has. that in mind, a mod has as much power as the game does over your computer, the same powers it uses to write its default downloaded assets into the .minecraft folder of your system appdata, and the same powers it possesses to run programs since its code is executed as an accessible running part of the program. just because it’s basically an extension of it doesn’t mean it’s harmless.

1 Like

Although many people have left explanations of these I would like to rehash, and recap.

That’s a pretty big assumption that no one cares about viruses. Especially since it isn’t true at all. If it were, there would be no need for any InfoSec at all. Who needs anti-virus, firewalls, updates, etc.?

As pointed out above. Think of the world as downloading an image. Not dangerous at all unless the parsing is implemented correctly. (Which I’m fairly 1000% sure to say it is.)

Since when truly has anyone paid attention to these signs? I’ll give you the answer. No one.

To elaborate further on @Xemiru’s post: when a mod is loaded it has the ability to execute completely arbitrary code. The mod has the same privileges as Minecraft. Which in order to run the game gives them some pretty special abilities. Writing/reading anywhere the current user can, the ability to load C/C++ code (aka a library (.dll, .so)) (one of the most deadly abilities), download code arbitrarily, send packets to whatever IP address it chooses, etc. The point is it has complete arbitrary code execution.

Just like no one pays attention to the TOS & (most of the time) the EULA

2 Likes

As long as staff and (hopefully) the regulars act according to the EULA, all should be fine on the forums and later Ore.

That means that it was designed with mods in mind and also designed by people from Bukkit, Forge, Cauldron etc. Under “client modding communities” one must mostly understand the “forge modding community” primarily. The goal is that Sponge seamlessly integrates with mods on a modded server, something that was never easily doable with Bukkit. That does however not mean that Sponge will allow the server to send mods / plugins / anything executable to the client.

Runtime.getRuntime().exec("<some string of bad stuff>");

And if you ran your client or server with root, well, GG.

That’s why you virtualize everything.