Widget signing gadget (request)

[eyu100]

Request:

A way to associate a digital signature with widgets and a gadget that checks widgets for the mod maker's signature, disabling any that don't have a signature.

Also, it would be nice (but not necessary) to have a way to blacklist certain hashes.

This works better than a whitelist of hashes because the mod maker can allow new widgets without releasing a new version of the mod.

[CarRepairer]

Spring needs to start a crypto-security department for working on this issue. How's our funding look?

[zwzsg]

Every widget I saw are already signed, you can check a widget signature with GetInfo().author

[Beherith]

Ill just edit the widgets and add a signature from prev widget.

Also, why the hell is would someone who doesnt even play, want to interfere with other players?

[eyu100]

Ill just edit the widgets and add a signature from prev widget.

What do you mean? The (digital) signature is unique for each widget, so you can't copy it from another one. The gadget is customized to contain the mod maker's public key.

Also, why the hell is would someone who doesnt even play, want to interfere with other players?

I thought this might be useful for some mod makers.

edit: I meant a digital signature from the mod maker that would work like a WHQL signature (http://en.wikipedia.org/wiki/WHQL_Testing)

[Niobium]

I see all this talk about banning/restricting widgets, when there are really no major examples out there of widgets that give a significant advantage and are not readily available.

[zwzsg]

widgets that give a significant advantage

The last six monthes I have been using a widget that plays the entire game for me, allowing me to win over half of my matches, without doing anything beside picking the start pos and activating the widget.

I must say it made my gaming experience much more relaxing, now that I don't have to stay in front of the computer, paying attention to the game and giving orders to the units. The only downside is that too many times it slaugthered newbs players before I could realise it and turn it off.

readily available.

I am of course not releasing it to the public, as if it fell in the wrong hand the situation could become quite awry.

Spoiler:I don't play BA.

[Caydr]

I see something like this as an eventuality... there are going to be widgets that even the widget-lovers think are pure cheese. Developers can either choose to wait until that happens and then have a crisis (as much as a game engine can have one), or they can start working on a solution before that happens.

What worries me is when the day comes that you're playing someone and have to wonder whether you're winning because of the widgets you have, or because of your own skill. Or worse, the opposite, and people start accusing each other of being cheaters all the time. Who likes playing games that are well-known to be easily exploitable?

Or how about when PURE or another game attempts to make a commercial run of it and all the reviews focus on the fact that a game centered around multiplayer makes absolutely no attempt whatsoever to prevent what even now a lot of people consider cheating? And this is only now, when widgets are a relatively development for Spring and the game is still very unknown. Security in obscurity doesn't last forever.

IMO whitelisting is the only way to go. It still allows for tons of flexibility, and all it takes is an officially-released patch for each mod to update the definitions periodically. Making 1kb patches for Spring games/mods is ridiculously simple, and I don't think I've heard of a mod that doesn't have at least one new release of some kind every few months.

If whitelisting is made available, I will at least try to show some restraint in what types of things I ban. Even if it was in my power, I probably can't disable metal maker AI anymore, people are too used to it.

Edit: It's come to my attention that PURE features a free GPL widget...checker... thing. Why is nobody mentioning it?

[aegis]

wait, what's this I hear?
widgets aren't synced?
spring is open-source?

I can just recompile without signature checks?
oh.

[eyu100]

wait, what's this I hear?
widgets aren't synced?
spring is open-source?

I can just recompile without signature checks?
oh.

If there was a particular widget that was being abused often, the mod could have a gadget that auto-kicks when it detects that the widget is being used (it might lead to kicking innocent people, though).

EDIT: Removed a paragraph. One more thing: there is an (unrealistic) way to disable all widgets in a way that is extremely hard to circumvent. With a (drastic) engine change, it could become prohibitively hard to modify the source code to support widgets, although the change would require all widgets and gadgets to be completely rewritten (so obviously this would never happen). Add a bunch of new (synced) features and restructure the code to completely break the widget interface . Since the engine would change so much, it would be extremely hard to write a new interface that allows old widgets to work.

[smoth]

trying to block widgets is like trying to fap to a turtle humping a shoe. Sure you can try and stop it but someone out there will find a way to get off on it.

[aegis]

if even *one* widget works, I can bypass the signature check and modify it to load additional widgets.

[TheFatController]

If you outlaw widgets only outlaws will have widgets!!

[manolo_]

stupid question of a non-programmer:

why dont u forbide command-giving widgets and implement the needed stuff into engine (metal maker, custon formation) and the other widgets like defense range are still allowed

[Auswaschbar]

stupid question of a non-programmer:

why dont u forbide command-giving widgets and implement the needed stuff into engine (metal maker, custon formation) and the other widgets like defense range are still allowed

Like the "NoHelperAIs"-option, which does exactly this?

[det]

You should check out XTA, it has a really cool singing gadget.. badoop boop boop bop

[Pendrokar]

The last six monthes I have been using a widget that plays the entire game for me, allowing me to win over half of my matches, without doing anything beside picking the start pos and activating the widget.

I must say it made my gaming experience much more relaxing, now that I don't have to stay in front of the computer, paying attention to the game and giving orders to the units. The only downside is that too many times it slaugthered newbs players before I could realise it and turn it off.

Maybe in 2020...

If there was a particular widget that was being abused often, the mod could have a gadget that auto-kicks when it detects that the widget is being used (it might lead to kicking innocent people, though).

Widget renamed to FluffyLittleWidget

[CarRepairer]

implement the needed stuff into engine (metal maker,

Run.


Okay I have an idea...

Implement it in spring so that when a multiplayer game begins, spring will upload everyone's local widgets to everyone else. That way after the game is over anyone can review what was used. You don't have to worry about restrictions and signatures and legitimate "nice" widgets being hurt, but in a serious tournament like environment if you really really care about it, this would allow you to know if someone "cheated too much."

[manolo_]

implement the needed stuff into engine (metal maker,

Run.


Okay I have an idea...

Implement it in spring so that when a multiplayer game begins, spring will upload everyone's local widgets to everyone else. That way after the game is over anyone can review what was used. You don't have to worry about restrictions and signatures and legitimate "nice" widgets being hurt, but in a serious tournament like environment if you really really care about it, this would allow you to know if someone "cheated too much."

sounds good, but who will decide which widgets are good and which are "evil", i mean, some say defense range is a piece of satan

[Pendrokar]

Implement it in spring so that when a multiplayer game begins, spring will upload everyone's local widgets to everyone else. That way after the game is over anyone can review what was used. You don't have to worry about restrictions and signatures and legitimate "nice" widgets being hurt, but in a serious tournament like environment if you really really care about it, this would allow you to know if someone "cheated too much."

Before the game:
Cut LuaUi/widgets/*
Paste to Spring/widgets/

In-game:
Paste back in LuaUi/widgets/
/luaui reload

[edit]
[edit2] Or better yet just disable LuaUI before the game and then enable it when ingame