Ludeon Forums

Because this community is getting larger and larger every day, we should begin taking security measures when working with mods that require assemblies (DLLs) as well.

Tynan hasn't restricted namespace usage yet, so that means that DLLs have unrestricted access, including the ability to plant bad stuff on your computer. Or if somebody writes really really bad code, it could hang Windows. (But that's not going to happen, so just consider it as a very exaggerated example.)

I think that source code (at least some, obfuscated or not) should be released along with mods. Not only does it help other modders in working on their own code, but it's also a good way to do a sort of peer review. The code doesn't have to be under an open license; it can be under a restrictive license (ex. no redistribution or commercial use is allowed).

Having to resort to tools like ILSpy is simply inconvenient. They are just for snooping around and curiosity, and it just gets in the way of learning. Yeah, I'm supposed to be writing tutorials, but I have to pull basic material from somewhere.

I agree that source code should be included with mod releases, but probably not bundled together with mod downloads. It could/should be a different download, as not everyone want nor care about the source.

Quote from: StorymasterQ on May 05, 2014, 09:13:42 PM
I agree that source code should be included with mod releases, but probably not bundled together with mod downloads. It could/should be a different download, as not everyone want nor care about the source.

Yeah, a separate download would be okay.

Do I think including source code with mods might be nice? Yes.
Do I think you should include it? Only if you want to.
If the security of mods ever becomes a concern, including source code of mods wouldn't be the best way to fix the issue. Including source code would only stop viruses/windows hanging if there was some kind of review board that checked through all of the source code of all submitted mods (and they would need to be experienced enough to know what to look for). Or, failing this, would only help people who took the time to look through and understand the assemblies a mod use.
If you want open source as part of a way to help people learn how mods do their thing, try asking the mod maker for help. Or better yet, ask on the forums where everyone can gain the benefit of the answers that mod makers, tynan, and the community will provide. If you just want to get a feel for how stuff works in general, look at the source code tynan has provided for the core game (or just use ILSpy, it really isn't that bad most of the time).
Overall, I don't plan on releasing the source as just an open thing for any major mods that I make. If someone has a specific issue that I have solved already, chances are i'll help them out on the forums. Isn't that more useful?

Releasing the source would only be useful for people who know how to read it. Even then, it's not exactly foolproof. Someone could easily remove the nasty stuff from the source code prior to bundling it with the mod download.
The only way to be 100% sure would be to use something like ILSpy to confirm that the assembly doesn't include anything nasty.

Alternatively, the use of an online service, such as VirusTotal (https://www.virustotal.com/) or possibly Comodo Instant Malware Analysis (http://camas.comodo.com/), could also help identify a malicious mod maker.

I'm just hoping that that kind of thing doesn't happen.

It would be nice if everybody would release their source code, but I don't think it's right to demand it.
As for the security concern, I think it would only give a false sense of security. There's no way to check if the source they uploaded is actually complete or even related to the assembly library.

It takes entire 2,037 sec faster to open dll in ilspy than to open .cs in vs :D
So im not sure why you would want .cs file.

I've always worked on the basis that I'm happy to release individual pieces of source code to the people who ask for it, but I see no point in releasing the whole thing because generally speaking ILSpy does a pretty good job as it is :P

I'm not quite sure how Tynan loads mods, but it might be possible to host them in another appdomain with lower permissions, or just set permissions to medium in the main assembly. Possibly then doing disk operations in a separate domain with higher. :)

It would be preferable if the game handled security and we didn't have to scrutinize mod code before using it.

I won't have a go at it, but I dunno what would happen today if somebody did Process.Start("format c:");

Or just remove assemblies and just only add source, (built in compiler in the game) should do it all.:P
Not saying it's good at all, if somebody has greatcode anybody could steal it.:/
and claim it as theirs.

Quote from: iame6162013 on May 06, 2014, 11:24:06 AM
Not saying it's good at all, if somebody has greatcode anybody could steal it.:/
and claim it as theirs.

This can happen regardless of the case. You can take some decompiled code from another assembly and transplant it on your own, and nobody would ever suspect it (until they look closer).

Quote from: longbyte1 on May 06, 2014, 07:57:36 PM

Quote from: iame6162013 on May 06, 2014, 11:24:06 AM
Not saying it's good at all, if somebody has greatcode anybody could steal it.:/
and claim it as theirs.

This can happen regardless of the case. You can take some decompiled code from another assembly and transplant it on your own, and nobody would ever suspect it (until they look closer).

It does become a lot easier with source code though.

Quote from: WorldOfIllusion on May 06, 2014, 08:22:45 PM

Quote from: longbyte1 on May 06, 2014, 07:57:36 PM

Quote from: iame6162013 on May 06, 2014, 11:24:06 AM
Not saying it's good at all, if somebody has greatcode anybody could steal it.:/
and claim it as theirs.

This can happen regardless of the case. You can take some decompiled code from another assembly and transplant it on your own, and nobody would ever suspect it (until they look closer).

It does become a lot easier with source code though.

well decompilers open stuff in like one second so Nope

Quote from: longbyte1 on May 06, 2014, 07:57:36 PM

Quote from: iame6162013 on May 06, 2014, 11:24:06 AM
Not saying it's good at all, if somebody has greatcode anybody could steal it.:/
and claim it as theirs.

This can happen regardless of the case. You can take some decompiled code from another assembly and transplant it on your own, and nobody would ever suspect it (until they look closer).

This should happen, it would mean better mods.

Since the game uses the .Net framwork, anyone can easily look at the source of an assembly using .NET Reflector or something similar. If any DLL is doing bad things, someone will catch it.

Quote from: iame6162013 on May 07, 2014, 09:40:16 AM

Quote from: WorldOfIllusion on May 06, 2014, 08:22:45 PM

Quote from: longbyte1 on May 06, 2014, 07:57:36 PM

Quote from: iame6162013 on May 06, 2014, 11:24:06 AM
Not saying it's good at all, if somebody has greatcode anybody could steal it.:/
and claim it as theirs.

This can happen regardless of the case. You can take some decompiled code from another assembly and transplant it on your own, and nobody would ever suspect it (until they look closer).

It does become a lot easier with source code though.

well decompilers open stuff in like one second so Nope

Are you actually saying that decompiled code is as easy to understand/copy as original source code that has comments, structure, meaningful names in loops etc etc (not to mention parts which don't decompile properly)? If decompiled code was as good as source code, this whole post wouldn't have a point, cause including source wouldn't matter. The point is, it that there is some difference between source code and decompiled code.

Quote from: mrofa on May 07, 2014, 12:29:39 PM
This should happen, it would mean better mods.

I don't know if I agree with that entirely. If people want to make better mods they shouldn't do it by just copying the work other people have done. Sure, people can help new modders with showing them how to solve a problem that has been solved previously, but this is very different from saying that stealing code is good as it leads to better mods.

Quote from: Justin C on May 07, 2014, 03:44:10 PM
Since the game uses the .Net framework, anyone can easily look at the source of an assembly using .NET Reflector or something similar. If any DLL is doing bad things, someone will catch it.

Not that easily.

Decompiled code has no comments and obfuscated names of variables. So instead of seeing intelligible variable names, you are very likely to see things like num1 and num2 in method bodies. So you're not looking at organized pieces of code; you're looking at whatever was compiled by VC# and thrown back at you with the help of a decompiler.

Quote from: longbyte1 on May 07, 2014, 07:32:49 PM

Quote from: Justin C on May 07, 2014, 03:44:10 PM
Since the game uses the .Net framework, anyone can easily look at the source of an assembly using .NET Reflector or something similar. If any DLL is doing bad things, someone will catch it.

Not that easily.

Decompiled code has no comments and obfuscated names of variables. So instead of seeing intelligible variable names, you are very likely to see things like num1 and num2 in method bodies. So you're not looking at organized pieces of code; you're looking at whatever was compiled by VC# and thrown back at you with the help of a decompiler.

Have you tried? The variables are not obfuscated at all when viewing the code through ILSpy or .Net Reflector (save some instances of compiler generated code). Sure, there are no comments, but most programmers don't do much commenting anyway, and if a modder was doing something in their code that they didn't want you to know about they would not be commenting "// And this is where I install the rootkit" for you in their code.

Quote from: Justin C on May 07, 2014, 10:51:55 PM
...and if a modder was doing something in their code that they didn't want you to know about they would not be commenting "// And this is where I install the rootkit" for you in their code.

Naw, they'd probably make it something like
// This is MOST DEFINITELY NOT where I install the rootkit.

variables used in foreach loops and the like are renamed to 'current', unsure if this affects other variables that are declared inside methods or not. Point being, some variables are renamed.
What can also be a big problem is the stuff that doesn't get decompiled well, for example switch case statements get rather mangled by the decompilation, due to how the compiler reorganises them to be more efficient (but vastly less understandable).

Quote from: WorldOfIllusion on May 07, 2014, 05:54:14 PMIf people want to make better mods they shouldn't do it by just copying the work other people have done.

As a professional developer, this basically summarizes what I do on a day to day basis.  I take ideas that someone else has had and use it for myself.  I look at their code and figure out how they solved the problem and use that insight to solve my problem.  As a programmer, you are very rarely working on a problem that no one else has worked on.  It's quite common to run across code snippets that are, quite literally, exactly what you need.

That said, I think what you were trying to say was "They shouldn't, literally, copy-paste someone else's code into their project."  Here, I agree.  The reason is that you won't really learn anything about the code.  However, being able to see how someone else has solved a problem can help you solve your problem.

Will it help everyone?  Of course not.  Will people blindly copy your code and complain?  Of course, but fuck those people.  You're not trying to help everyone, you're trying to help the people that matter.  The people that will look at the code as a learning experience, not a rock to be thrown at the problem.

I wish[/] I had access to the source code for some of the mods I've been looking at.  I've found some really great features in a few mods that I know are added with dlls, but I either I don't want the entire mod just to get or aren't updated yet.

Let's be honest.  We're not writing Enterprise grade software here.  You're writing a tiny ass little mod.  You have nothing to lose by releasing your source, particularly if you use a format that can show you uploaded it first.

tl;dr if you think releasing your source code could help someone, you should.

It really would help. I'm knowledge-less in programming, and it's taken me a few days and lots of frustration to figure out what little I have. Any help would be appreciated, and yeah, some people will steal your code; but lots of people will appreciate what you've done, and mention your mod in their mod's about/thank you section. Mreh; learning is hard, so you should try to help clear the path for people as much as you can. :D

actually nobody care about small indie game in alpha stage, rist of infection is zero.

also on w7 and above games run under limited user by default and maynot cause severe harm to computer.

My biggest concern is the modding community becoming insular; I dunno. A game-modding forum isnt the place for knowledge-hording. We should be sharing our code and enjoying the awesome crap eachother manage. I know I ain't got the knowledge of programming, so I have 'little to lose' in this situation, but it'd help the game if people were abit less protective of their code and their methods. *shrugs* ALSO MORE TUTORIALS PLEASE KNOWLEDABLE AWESOME-PEOPLE. :D

Thers no protection of the code other than licence, you can see it thrugh ilspy, only real reson i found to add .cs files is to make mod pack creator work easier, while trying to get all mods working. Other than that thers no real point in adding source code.

actually protection is possible, dynamic methods with bytecode XORchained and encrypted will  cause lots of pain to anyone without skill beyond "download ilspy" level.

I disagree that it should be a requirement for most of the reasons already listed here. Really though, there's one major reason to me. It's discouraging to new modders (read: programmers). I've made quite a few things, and most of it never saw the light of day (when I was very new to programming) because I didn't want to deal with public scrutiny of my coding. I could care less about the possible jabs at the actual product, but it was the thought that other, much more experienced programmers would be looking at my source and/or disassembling it. Maybe it was just me and my severe anxiety but I doubt it. I've learned to get past that obviously because, screw it and because MOST people are kind enough to provide CONSTRUCTIVE criticsim but that's not the case in every community. From what I've seen here, this community is the constructive kind but that doesn't lower the worry.

Sure, open source will benefit people who learn better from seeing code examples, or are just stuck and happen to come across the perfect code snippet but if that's the only reason for it (which is obviously not the goal of the Thread e.g. security concerns) there's other ways to accomplish that. Providing documentation, filling in the wiki, which I intend to contribute to soon myself. Offering a Q/A thread or posting examples of how you figured out how to do x amazing thing.

Open source is awesome, that's why my current project is OS, but I think it should be at the developer's discretion. We've got a good community here of talented people, if someone tried to do something malicious it'd be found out pretty quickly. There might be casualties but requiring source wouldn't change that. A malicious person would just omit their malicious code and we'd only find out about it from a disassembly.

Our best bet to protect from that is namespace protection. Just my two cents.

All that said, I Strongly encourage supplying source, if only so if you go awol at some point someone else can pick up your mod (assuming non-restrictive licensing) without the hassle of rebuilding it all out of ILSpy or something similar.

any limits is bad.

if you try to enforce "open source" rules, people who dont like opensource simply will leave community.

also such rule only illusion of safety and huge mistake

Quote from: RawCode on August 06, 2014, 08:48:11 AM
if you try to enforce "open source" rules, people who dont like opensource simply will leave community.

GPL much?

PS: I'm back!