Why assembly source should be bundled with mods

Started by longbyte1, May 05, 2014, 07:33:51 PM


longbyte1

Because this community is getting larger and larger every day, we should begin taking security measures when working with mods that require assemblies (DLLs) as well.

Tynan hasn't restricted namespace usage yet, so that means that DLLs have unrestricted access, including the ability to plant bad stuff on your computer. Or if somebody writes really really bad code, it could hang Windows. (But that's not going to happen, so just consider it as a very exaggerated example.)

I think that source code (at least some, obfuscated or not) should be released along with mods. Not only does it help other modders in working on their own code, but it's also a good way to do a sort of peer review. The code doesn't have to be under an open license; it can be under a restrictive license (ex. no redistribution or commercial use is allowed).

Having to resort to tools like ILSpy is simply inconvenient. They are just for snooping around and curiosity, and it just gets in the way of learning. Yeah, I'm supposed to be writing tutorials, but I have to pull basic material from somewhere.

StorymasterQ

I agree that source code should be included with mod releases, but probably not bundled together with mod downloads. It could/should be a different download, as not everyone wants or cares about the source.
I like how this game can result in quotes that would be quite unnerving when said in public, out of context. - Myself

The dubious quotes list is now public. See it here

longbyte1

Quote from: StorymasterQ on May 05, 2014, 09:13:42 PM
I agree that source code should be included with mod releases, but probably not bundled together with mod downloads. It could/should be a different download, as not everyone wants or cares about the source.

Yeah, a separate download would be okay.

WorldOfIllusion

Do I think including source code with mods might be nice? Yes.
Do I think you should include it? Only if you want to.
If the security of mods ever becomes a concern, including source code of mods wouldn't be the best way to fix the issue. Including source code would only stop viruses/Windows hanging if there was some kind of review board that checked through all of the source code of all submitted mods (and they would need to be experienced enough to know what to look for). Or, failing this, would only help people who took the time to look through and understand the assemblies a mod uses.
If you want open source as part of a way to help people learn how mods do their thing, try asking the mod maker for help. Or better yet, ask on the forums where everyone can gain the benefit of the answers that mod makers, Tynan, and the community will provide. If you just want to get a feel for how stuff works in general, look at the source code Tynan has provided for the core game (or just use ILSpy, it really isn't that bad most of the time).
Overall, I don't plan on releasing the source as just an open thing for any major mods that I make. If someone has a specific issue that I have solved already, chances are I'll help them out on the forums. Isn't that more useful?
Artistically challenged modder seeking artistically talented texturer's help. Please, please, PM me :)

ItchyFlea

Releasing the source would only be useful for people who know how to read it. Even then, it's not exactly foolproof. Someone could easily remove the nasty stuff from the source code prior to bundling it with the mod download.
The only way to be 100% sure would be to use something like ILSpy to confirm that the assembly doesn't include anything nasty.

Alternatively, the use of an online service, such as VirusTotal or possibly Comodo Instant Malware Analysis, could also help identify a malicious mod maker.

I'm just hoping that that kind of thing doesn't happen.
All my mods are licensed under an Attribution-NonCommercial-ShareAlike 4.0 International
Ask for permission before using in ModPacks

Click here for a list of the mods I've created

pawnstorm

It would be nice if everybody would release their source code, but I don't think it's right to demand it.
As for the security concern, I think it would only give a false sense of security. There's no way to check if the source they uploaded is actually complete or even related to the assembly library.
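
Added example (not code from any poster in this thread): a small Python triage script for the point made in the two posts above, that the check has to be done on the assembly itself rather than on bundled source. It reads the DLL's `#Strings` metadata heap and reports names that fall under a watchlist of namespaces; the watchlist, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Namespaces a game mod rarely needs (assumed watchlist, adjust to taste).
WATCHLIST = ("System.Diagnostics", "System.Net", "System.IO",
             "System.Reflection", "System.Runtime.InteropServices",
             "Microsoft.Win32")

def strings_heap(data: bytes) -> bytes:
    """Return the #Strings heap (type, namespace and member names) of a DLL."""
    # Shortcut: search for the metadata root signature instead of walking
    # the PE headers. Good enough for triage, not a full PE parser.
    root = data.find(b"BSJB")
    if root < 0:
        raise ValueError("no CLI metadata: not a managed assembly")
    (ver_len,) = struct.unpack_from("<I", data, root + 12)
    pos = root + 16 + ((ver_len + 3) & ~3)      # skip padded version string
    (n_streams,) = struct.unpack_from("<H", data, pos + 2)
    pos += 4
    for _ in range(n_streams):
        offset, size = struct.unpack_from("<II", data, pos)
        end = data.index(b"\0", pos + 8)        # stream name is NUL-terminated
        name = data[pos + 8:end]
        pos = pos + 8 + ((len(name) + 1 + 3) & ~3)   # name padded to 4 bytes
        if name == b"#Strings":
            return data[root + offset:root + offset + size]
    raise ValueError("#Strings stream not found")

def flagged_namespaces(data: bytes) -> dict:
    """Map each watched namespace to the matching names found in the heap."""
    names = {s.decode("utf-8", "replace")
             for s in strings_heap(data).split(b"\0") if s}
    hits = {}
    for ns in WATCHLIST:
        found = sorted(n for n in names if n == ns or n.startswith(ns + "."))
        if found:
            hits[ns] = found
    return hits

def constructed_sample() -> bytes:
    """Constructed stand-in for a mod DLL: fake DOS stub + minimal metadata."""
    heap = b"\0".join([b"", b"ExampleMod", b"System.Diagnostics", b"Process",
                       b"Start", b"System.Net.Sockets", b""])
    header = (b"BSJB" + struct.pack("<HHII", 1, 1, 0, 12) + b"v4.0.30319\0\0"
              + struct.pack("<HH", 0, 1))
    stream = struct.pack("<II", 52, len(heap)) + b"#Strings\0\0\0\0"
    return b"MZ" + b"\0" * 62 + header + stream + heap

if __name__ == "__main__":
    for ns, found in flagged_namespaces(constructed_sample()).items():
        print(f"review in a decompiler: {ns} -> {found}")
```

A hit only tells you where to start reading in ILSpy; an empty result is not proof that the assembly is harmless, since names can also be resolved at run time through reflection.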

mrofa

It's an entire 2,037 sec faster to open a DLL in ILSpy than to open a .cs in VS :D
So I'm not sure why you would want a .cs file.

All I do is clutter all around.

Architect

I've always worked on the basis that I'm happy to release individual pieces of source code to the people who ask for it, but I see no point in releasing the whole thing because generally speaking ILSpy does a pretty good job as it is :P
Check out BetterPower+ and all its derivatives by clicking the picture below.

It adds many new methods of power generation and uses for it, as well as other things such as incidents.


bleedo

I'm not quite sure how Tynan loads mods, but it might be possible to host them in another appdomain with lower permissions, or just set permissions to medium in the main assembly. Possibly then doing disk operations in a separate domain with higher. :)

It would be preferable if the game handled security and we didn't have to scrutinize mod code before using it.

I won't have a go at it, but I dunno what would happen today if somebody did Process.Start("format c:");

iame6162013

Or just remove assemblies and only add source (built-in compiler in the game); that should do it all. :P
Not saying it's good at all, if somebody has great code anybody could steal it. :/
and claim it as theirs.
Linus Torvalds: "But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong"
Robert J. Hanlon: "Never attribute to malice that which is adequately explained by stupidity."

longbyte1

Quote from: iame6162013 on May 06, 2014, 11:24:06 AM
Not saying it's good at all, if somebody has great code anybody could steal it. :/
and claim it as theirs.
This can happen regardless of the case. You can take some decompiled code from another assembly and transplant it on your own, and nobody would ever suspect it (until they look closer).

WorldOfIllusion

Quote from: longbyte1 on May 06, 2014, 07:57:36 PM
Quote from: iame6162013 on May 06, 2014, 11:24:06 AM
Not saying it's good at all, if somebody has great code anybody could steal it. :/
and claim it as theirs.
This can happen regardless of the case. You can take some decompiled code from another assembly and transplant it on your own, and nobody would ever suspect it (until they look closer).
It does become a lot easier with source code though.

iame6162013

Quote from: WorldOfIllusion on May 06, 2014, 08:22:45 PM
Quote from: longbyte1 on May 06, 2014, 07:57:36 PM
Quote from: iame6162013 on May 06, 2014, 11:24:06 AM
Not saying it's good at all, if somebody has great code anybody could steal it. :/
and claim it as theirs.
This can happen regardless of the case. You can take some decompiled code from another assembly and transplant it on your own, and nobody would ever suspect it (until they look closer).
It does become a lot easier with source code though.
Well, decompilers open stuff in like one second, so nope.

mrofa

Quote from: longbyte1 on May 06, 2014, 07:57:36 PM
Quote from: iame6162013 on May 06, 2014, 11:24:06 AM
Not saying it's good at all, if somebody has great code anybody could steal it. :/
and claim it as theirs.
This can happen regardless of the case. You can take some decompiled code from another assembly and transplant it on your own, and nobody would ever suspect it (until they look closer).

This should happen, it would mean better mods.

Justin C

Since the game uses the .NET framework, anyone can easily look at the source of an assembly using .NET Reflector or something similar. If any DLL is doing bad things, someone will catch it.