george moromisato wrote:
Agreed. This is still in the "thinking about it phase" so I don't have a design [And just to set expectations, this probably won't show up for a while.]
But I was thinking that this would be tied to a developer ID of some sort and that the relevant mod would be either signed (as you suggest) or stored on the server.
1. Developer registers their extension at neurohack.com (or whatever).
2. The registration process generates an md5 signature for the extension.
3. At load time we check the signature for an extension and refuse to load if the signature doesn't match (or we re-download the extension from the server).
4. At execution time, we check all calls to the unvSetData/unvGetData to validate that they come from the proper registered extension.
5. Calls to the server would have to be signed by the Transcendence engine [which means we'll need to store a secret key in the engine code.]
I find this a fun subject, but after thinking about it for a bit, I find it
really hard to see how you would avoid having players spoof the data. I also
think the idea of registering mods is overly complicated. Here are my thoughts,
on this and the subject as a whole:
--------------
A suggestion for implementation:
1. Create new events, and restrict running of online functions to those blocks.
Since running any online functions will have a completely different latency
than any of the other functions available in tscript, it should not be
encouraged to run them inside other pieces of code, since that will most likely
create strange behaviour.
1a. <OnlineOnLoad>
This event should be run at startup, after gPlayerShip and initial system is
available. A good place to initialize global data.
1b. <OnlineOnExit>
This event should be run when T is unloaded. A good place to update global data.
1c. <OnlineOnPlayerEnteredSystem>
This event will be run like the regular OnGlobalPlayerEnteredSystem. Required for
system specific global data.
1d. <OnlineOnPlayerLeftSystem>
This event will be run like the regular OnGlobalPlayerLeftSystem. Required for
system specific global data.
2. When T loads, generate an hash of every single file (vanilla files included).
When running any of the above events, track from what file it is called and
tack that files hash onto the key (or prefix it). That way, the database will
contain unique keys for every variation of the mod. This makes the process
simpler, and as far as I can see, just as spoofproof (at least that part).
2a. If needed, you can still add an interface that allows a developer to register
a mod and it's signature.
2b. If 2a is implemented, it would also be nice to have a way of designating
"updates" to the mod. That way the data stored in keys can be inherited by
future versions of the same mod. Basically, I upload a new mod and say, this
signature supersedes the previous signature (or they are grouped?).
3. Like you stated yourself, T would have to sign and encrypt the data.
--------------
I think the biggest argument for something like that above, is that it would
not require storing the mod on the server, and it would be really easy to work
with. Possibly more events should be added, but I think a simple start would
be just the right thing :D
However, I still find it hard to see how to make it completely spoofproof. Most
of the data I can see these functions sending would be gathered from various
sources, including globally accessible data (that is, stuff that is variable).
This means that anyone with a debug console, or a minimum of modding ability
can change those values (using other mods to affect global state). I can not
see any way around that. If it was just the console, we could rule out
debugmode, but since I can just create a mod that runs a piece of script
whenever I want it too, there is no real way of hiding from this vulnerability.
