feat: Verified mods listing #87
Conversation
|
@GeckoEidechse do you have any answer to my multiple questions? 😏 |
Using some form of version control for validated mods (maybe together with CI to ensure valid JSON format) is probably preferred over hand-editing the file on server. Also make it easy to accept other contributions via CI and checking who verified a mod using git blame. Thing is adding it to this repo might add too much noise to commit history. Maybe a separate repo for it?
Hmm, maybe wiki might be a better place for it? The requirements also aren't out yet but a draft wouldn't hurt :P
Definitely yes. We need some common dependency string format that is consistent between server, client, MS, and Thunderstore. Using the Thunderstore string as the ground truth is probably the way to go ^^ |
Good idea, I'll let you create the repo :)
I'll create another pull request there, then. About mod naming, we need to have the dependency string client-side (as you said); where should we put this information?
|
Unfortunately due to how thunderstore packages are formatted, the manifest.json won't be in the mod's folder.
Therefore any thunderstore mod that is installed will replace that file, meaning we can't use it.
Would that even be necessary? If we have the name of the mod, surely we can use that to get the dependancy string or download link just through the MS verified mods list? Worst case scenario is that the server owner renames a mod and it makes clients auto-download a (verified) mod that doesn't match with the server's? I don't think we expose any security issues because the client would still be downloading a verified mod, and the server could just run malicious code on a non-RequiredOnClient mod, spoofing a verified mod on server-side doesn't accomplish anything for the server |
We would have to do the dependency string reconstruction on the launcher; example with mod settings mod: {
"Name": "Mod Settings",
"Version": "1.0.0",
"Description": "pain",
"LoadPriority": 2
}We'd have to manually convert spaces to We would have to enforce using the same name in As an example, This would also prevent uploading several mods in the same Thunderstore package. |
But why though? Can we not just do this on MS? Example:
{
"Mods":
[
{
"Name": "Mod Settings",
"Version": "1.0.0"
},
{
"Name": "Moblin.Archon",
"Version": "1.3.0"
}
]
}
{
"Mods":
[
{
"Name": "Mod Settings",
"Version": "1.0.0",
"DependencyString": "example-1.0.0"
},
{
"Name": "Moblin.Archon",
"Version": "1.3.0",
"DependencyString": "example2-1.3.0"
}
]
}
And on the MS we store the name of the verified mods, along with their versions and their dependency strings, allowing us to match a name and version to a dependency string for thunderstore. Example of JSON object for MS verified mods list: {
"Mod Settings":
{
"1.0.0": "example-1.0.0",
"1.1.0": "example-1.1.0"
},
"Moblin.Archon":
{
"1.3.0": "example2-1.3.0",
"1.3.1": "example2-1.3.1"
}
} |
|
I got your point! The "ModName to dependency" relation can be established MS-side by humans (who commit new entries to verified mods list). I might rework my PR to match this. Is step 3 needed though? I thought of sending verified mods list only once from MS to client (at boot), not to overload MS. |
Looking more into the code on MS side, nah it's not rly needed. My first impressions were that client would make a request for each mod when they need it, as opposed to being sent it all one time. But my point about making the In theory could we skip the dependency string step entirely, and simply send the actual thunderstore download link? Potentially (not rly going to ever happen) the verified mods list gets too large to the point where clients cannot feasibly get the entire list, but I'd say thats a non-issue, at least for now. |
I don't think so, we can save some space by not storing download URL on MS; besides that, download URL is static, and can easily be rebuild from dependency string (e.g. I believe the format you proposed suits all our needs: {
"Mod Settings":
{
"1.0.0": "EladNLG-ModSettings-1.0.0",
"1.1.0": "EladNLG-ModSettings-1.1.0"
},
"Moblin.Archon":
{
"1.3.0": "GalacticMoblin-MoblinArchon-1.3.0",
"1.3.1": "GalacticMoblin-MoblinArchon-1.3.1"
}
}We could even optimize it a bit: {
"Mod Settings":
{
"DependencyPrefix": "EladNLG-ModSettings",
"Versions": [ "1.0.0", "1.1.0" ]
},
"Moblin.Archon":
{
"DependencyPrefix": "GalacticMoblin-MoblinArchon",
"Versions": [ "1.3.0", "1.3.1" ]
}
}A bit more work for the launcher, but less space required on MS :) |
I think this is probably the best way to store on MS. A bit more work for launcher isn't a big deal really since its a one-time thing, right? |
|
I agree! The only downside I can see to this format is it prevents several authors from uploading a mod having the same name, but I don't think it's an issue, honestly... |
If you want your mod to be verified, don't have the same name as an already verified mod, simple. Tbh if a mod shares a name with another verified mod then it really should never be verified, as that would just cause confusion |
I also agree on this. I'll implement this format in this PR :) |
|
Maybe we should just make That would even allow us to stay independent from Thunderstore to some degree ^^ |
We can indeed enforce this, we can even make CI create the But please, let's ALL agree on a verified mods list format, so I don't have to update MS and Launcher forks every 2 days 😄 |
What if I told you this already exists Northstar/NorthstarLauncher/pull/146 DownloadLink is already used btw |
How is this already used when it's not standard? Those PRs are a bit different from yours, they intent to automatically download mods, without any action from users. |
What do you mean standard? Download links from local mods are already supported by the launcher it's just that nobody uses them |
If you don't provide a DownloadLink in your mod, launcher will return an empty string; it's not enforced at all. |
@GeckoEidechse what do we do? Which mod format do we choose? I would like this to get merged, for us to:
|
Uh, I would say we make |
I can ping Emerald to automatically generate
This is tracked there: R2Northstar/ModdingDocs#74 |
|
Hmmm. I think it would be simpler to just limit the verified mods to thunderstore and make it an array. Example: [
{
"ModString": "EladNLG.ModSettings"
"Versions": [ "1.1.2", "1.0.0" ]
}
]EDIT: Object alternative: {
"EladNLG.ModSettings": {
// Could add additional data here if needed.
"Versions": [ "1.1.2", "1.0.0" ]
}
} |
Would |
Thunderstore string, omitting version. |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
The download link must be stored or generated from the masterserver, the mod.json should have no say in the matter |
|
Also, the verified mods list should be moved to a separate repo, with wider write access. As of right now, it'll take way too long for a single mod to get verified. The verification process should not be done by a handful of people, there have to be more people able to verify mods. |
How would the masterserver generate it? There's no clear link between NS modname <-> Thunderstore modname.
Separate repo has already been decided on, see #87 (comment) Who gets write access would be decided once we reach that point. |
This sorta thing was discussed a bit in this PR's comments, a thunderstore link is fairly simple to generate, if needed |
|
Closing this as |
This adds a
/client/verifiedmodsresource that lists manually-validated mods. Just like the main menus promos, those mods are listed in a JSON file, that can be updated without restarting the server for it to be taken into account.This resource will be used to automatically download mods when joining a server that requires some; manual mods validation prevents Northstar from downloading malicious mods to people' computers.
I added a very strong ratelimit on the resource (1 request per minute), the idea being that clients should only request mods list once, when game is started; checking mods can then be done client-side by checking local mods list reference.
Prerequisites for mod to be listed
Maybe we should also enforce using a certain type of licence?
Current mods list format
{ "Mod Settings": { "1.0.0": "example-1.0.0", "1.1.0": "example-1.1.0" }, "Moblin.Archon": { "1.3.0": "example2-1.3.0", "1.3.1": "example2-1.3.1" } }TODOs
Questions
More about mod name formatting
Thunderstore
Once stored through Thunderstore API, mods will have a dependency string with
UploadTeamName-ModName-X.Y.Zformat (e.g."EladNLG-ModSettings-1.1.2"), which enables verifying mod versions individually.Northstar
No particular format is required for mod naming. We sometimes tell people to use
Author.ModNameformat, but this isn't enforced at all (e.g."name": "ModSettings"), thus loosing author name information.Related pull requests
Launcher: R2Northstar/NorthstarLauncher#262
Modding docs: R2Northstar/ModdingDocs#74