
Comments (7)

fifty-six commented on July 22, 2024

The PR changed a large amount of the hashes because it was migrating after the previous hosting setup went down. The downgrading of the mod as a result of this, while unintended, still has the mod link pointing to a trusted source, the drive created by us as a result of the previous hosting going down. This isn't anywhere near a "malware" attack.

Migrating was done mostly by getting links using a self-written script which took a zip from every mod folder, which didn't account for multiple zips in every folder. While it getting the wrong one is a mistake, and an unfortunate one at that, it's nothing near a vulnerability. I've gone ahead and fixed it, but calling this a red flag for malware is a bit much given how often people put wrong SHA1s in and have to replace them later.

from modinstaller.

SFGrenade commented on July 22, 2024

i think the repo is public for people to make pull requests to fix the links and SHA1's


andrewsf commented on July 22, 2024

Only a trusted contributor should make changes regarding validity and trust.


Ruttie2006 commented on July 22, 2024

yeah everyone can make a pr to fix modlinks/add new modlinks. the pr's do ofc get looked at.


Ruttie2006 commented on July 22, 2024

> Instead, commit b9e08be changed the hash to further reflect the old 2.7.3.3 version.

yeah, this was because i had no idea that it was an older version, i only knew that the SHA1 was wrong ¯\_(ツ)_/¯


RedFrog6002 commented on July 22, 2024

If only some people could modify modlinks, things would be much slower regarding adding or updating mods


andrewsf commented on July 22, 2024

> If only some people could modify modlinks, things would be much slower regarding adding or updating mods

I take your point, but this is an application that downloads and installs executable software. The hash is a security feature to couple trust of the individual mod downloads with trust of the mod installer and its maintainers. That is, if you trust the mod installer, you implicitly trust the software that it installs. Updates should only go as quickly as they can while maintaining that chain of trust.

The fact that the SHA hash was failing validation for a month and that it was corrected by re-generating using the incorrect binary (which could have been malware) suggests that the check is not always doing its job on this project and the installed software is not being vetted. Maybe that's OK.

With that in mind, later this week I will set up an environment & submit a PR if someone more prepared doesn't get to it first.
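A reviewer-side check for the failure mode discussed in this thread, as an added example that is not part of the thread or of the modinstaller project: it compares a manifest entry before and after a pull request and flags changes where a pinned hash was replaced without a version bump, where the version went backwards, or where the download host moved. The entry fields (`version`, `url`, `sha1`), the flag names and all sample data are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

def parse_version(text):
    """'2.7.3.3' -> (2, 7, 3, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def review_entry(old, new):
    """Return review flags for one mod entry changed by a pull request."""
    flags = []
    old_ver, new_ver = parse_version(old["version"]), parse_version(new["version"])
    if new_ver < old_ver:
        flags.append("version-downgrade")
    if urlparse(old["url"]).hostname != urlparse(new["url"]).hostname:
        flags.append("host-changed")
    # A new hash for the same version means the pinned bytes changed. The new
    # value must come from an independently trusted copy, not from hashing
    # whatever the link currently serves.
    if new_ver == old_ver and old["sha1"].lower() != new["sha1"].lower():
        flags.append("hash-changed-same-version")
    return flags

def review_manifest(old_entries, new_entries):
    """Map mod name -> flags for every entry the pull request touched."""
    report = {}
    for name, new in new_entries.items():
        old = old_entries.get(name)
        if old is None:
            report[name] = ["new-entry"]
        elif old != new:
            flags = review_entry(old, new)
            if flags:
                report[name] = flags
    return report

# Constructed sample data (hypothetical mods, hosts and hashes).
OLD = {
    "ExampleMod": {"version": "1.4.0.0", "url": "https://files.example.org/ExampleMod.zip", "sha1": "a" * 40},
    "OtherMod": {"version": "3.1.0.0", "url": "https://files.example.org/OtherMod.zip", "sha1": "b" * 40},
    "Untouched": {"version": "1.0.0.0", "url": "https://files.example.org/Untouched.zip", "sha1": "c" * 40},
}
NEW = {
    "ExampleMod": {"version": "1.4.0.0", "url": "https://drive.example.net/ExampleMod.zip", "sha1": "d" * 40},
    "OtherMod": {"version": "3.0.2.0", "url": "https://files.example.org/OtherMod.zip", "sha1": "e" * 40},
    "Untouched": dict(OLD["Untouched"]),
}

if __name__ == "__main__":
    for mod, mod_flags in review_manifest(OLD, NEW).items():
        print(mod, mod_flags)
```

A manifest diff cannot see a downgrade hidden behind an unchanged version field, so a `hash-changed-same-version` flag still calls for inspecting the archive itself.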

