phit
commented
2 years ago I'm gonna leave this open to track this issue now that the old support is also removed on stable, read the 0.6.16 changelog for more context.
Open josesilveiraa opened 2 years ago
phit
commented
2 years ago I'm gonna leave this open to track this issue now that the old support is also removed on stable, read the 0.6.16 changelog for more context.
peterix
commented
2 years ago Yep. Definitely wanted.
The current issue is the TOS explicitly disallowing the use of the API: https://support.curseforge.com/en/support/solutions/articles/9000207405-curse-forge-3rd-party-api-terms-and-conditions
As a prerequisite to the use of the Platform API and/or any SDK, each Developer will be issued a unique API Key (the “API Key”), which is non-transferable and may not be shared with any third party. Developer may not disclose the API Key to any third party, except to such employees who are subject to corresponding confidentiality obligations (each, an “Authorized Recipient”).
Using the API requires embedding the API Key inside the binary, thereby disclosing it to every user and non-user (basically anyone who downloads the binaries). I would be immediately in breach of contract if I implemented this.
A plausible workaround would be to wrap the API in my own API and essentially have that key only on a server. However...
Developer shall not, and shall not allow any third party, to (a) copy, sublicense, adapt, modify the Platform, Platform API and/or any SDK; (b) rent, lease, modify, copy, loan, transfer, sublicense, distribute or create derivative works of the Platform, Platform API and/or any SDK; (e) conceal your identity or geographic location when accessing the API, including accessing the API through a proxy server or VPN;
This can be interpreted as directly forbidding that too. It is also something I effectively have no control over. The user can access the API however they may wish, and I am in breach of contract if they do?
Developer represents and warrants that no External App (including any content provided by users) shall (a) contain any defamatory, libelous, obscene, hateful or otherwise offensive materials, (b) infringe or violate any intellectual property rights, moral rights or privacy rights of any third party, (c) violate any applicable law, rule or regulation,
This is impossible. I can't prevent you from naming your instances using the N word. Well, I guess I could, but I would consider that a gross overreach. Personally, I consider such overreach immoral. On a practical level, this is not something I could ever enforce, and if this is something the TOS requires, it cannot be satisfied.
Overwolf and its licensors have exclusive right, title and interest to the Platform, the Platform API, the SDKs, all materials, data and information provided through the foregoing, any related documentation and all enhancements, derivatives, bug fixes or improvements to the foregoing. Except as expressly provided in these Terms, nothing herein will be construed to confer any ownership interest, license, or other rights upon Developer by implication, estoppel or otherwise as to any technology, intellectual property rights or products of Overwolf or any third party.
This seems like OverWolf is claiming copyright ownership of all mods??? I don't think this is intended.
Developer shall defend, hold harmless and indemnify Overwolf and its employees, consultants and affiliates, from any losses, liabilities, costs, damages or expenses incurred in connection with any claim alleging or relating to (a) the Developer’s breach of these Terms or (b) the infringement by any External App of any applicable laws, rules or regulations, or any third party intellectual property, moral or privacy rights. Developer shall provide Overwolf with prompt written notice of any such claim advanced by a third party, including any governmental authority. Overwolf may be represented in any proceeding regarding such a claim by counsel of its own choosing at its own expense.
I believe anyone implementing the API is already breaking the TOS, because the rules are fundamentally impossible to satisfy.
Upon termination of these Terms for any reason Developer shall cease the use of the rights licensed hereunder including, for the avoidance of doubt, (a) cease all use of the Platform, Platform API and/or any SDKs, and (b) promptly delete or destroy all copies of any API Key. Developer shall ensure that all Authorized Recipients shall similarly delete or destroy all copies of the API Key. The termination of these Terms solely with respect to one or more specific External Apps shall not affect the parties’ rights hereunder with respect to other External Apps.
Wow. The picture in my head of this is me wielding my trusty sledge hammer and destroying user's hardware because it contains the API Key. A bit over the top, but along the lines of what this says. What if you tattoo the key on your body as a form of protest?
As ridiculous as that sounds, this is a legitimate concern: http://www.geekytattoos.com/illegal-tattoos-aacs-encryption-key/
Anyway, I have requested the API Key and have it. But:
The TOS needs to be fixed before I consider doing anything like this. I talked to (who I believe is) a representative of OverWolf and their interpretation of these rules are nowhere near as destructive. But the fact remains that these rules say what they do. Not enforcing the rules and having them in place creates a possibility of suddenly enforcing the rules for arbitrary unrelated reasons. I do not want to be in that position.
No amount of reassurances that 'we are cool and the rules mean something else' is enough.
josesilveiraa
commented
2 years ago Yep. Definitely wanted.
The current issue is the TOS explicitly disallowing the use of the API: https://support.curseforge.com/en/support/solutions/articles/9000207405-curse-forge-3rd-party-api-terms-and-conditions
As a prerequisite to the use of the Platform API and/or any SDK, each Developer will be issued a unique API Key (the “API Key”), which is non-transferable and may not be shared with any third party. Developer may not disclose the API Key to any third party, except to such employees who are subject to corresponding confidentiality obligations (each, an “Authorized Recipient”).
Using the API requires embedding the API Key inside the binary, thereby disclosing it to every user and non-user (basically anyone who downloads the binaries). I would be immediately in breach of contract if I implemented this.
A plausible workaround would be to wrap the API in my own API and essentially have that key only on a server. However...
Developer shall not, and shall not allow any third party, to (a) copy, sublicense, adapt, modify the Platform, Platform API and/or any SDK; (b) rent, lease, modify, copy, loan, transfer, sublicense, distribute or create derivative works of the Platform, Platform API and/or any SDK; (e) conceal your identity or geographic location when accessing the API, including accessing the API through a proxy server or VPN;
This can be interpreted as directly forbidding that too. It is also something I effectively have no control over. The user can access the API however they may wish, and I am in breach of contract if they do?
Developer represents and warrants that no External App (including any content provided by users) shall (a) contain any defamatory, libelous, obscene, hateful or otherwise offensive materials, (b) infringe or violate any intellectual property rights, moral rights or privacy rights of any third party, (c) violate any applicable law, rule or regulation,
This is impossible. I can't prevent you from naming your instances using the N word. Well, I guess I could, but I would consider that a gross overreach. Personally, I consider such overreach immoral. On a practical level, this is not something I could ever enforce, and if this is something the TOS requires, it cannot be satisfied.
Overwolf and its licensors have exclusive right, title and interest to the Platform, the Platform API, the SDKs, all materials, data and information provided through the foregoing, any related documentation and all enhancements, derivatives, bug fixes or improvements to the foregoing. Except as expressly provided in these Terms, nothing herein will be construed to confer any ownership interest, license, or other rights upon Developer by implication, estoppel or otherwise as to any technology, intellectual property rights or products of Overwolf or any third party.
This seems like OverWolf is claiming copyright ownership of all mods??? I don't think this is intended.
Developer shall defend, hold harmless and indemnify Overwolf and its employees, consultants and affiliates, from any losses, liabilities, costs, damages or expenses incurred in connection with any claim alleging or relating to (a) the Developer’s breach of these Terms or (b) the infringement by any External App of any applicable laws, rules or regulations, or any third party intellectual property, moral or privacy rights. Developer shall provide Overwolf with prompt written notice of any such claim advanced by a third party, including any governmental authority. Overwolf may be represented in any proceeding regarding such a claim by counsel of its own choosing at its own expense.
I believe anyone implementing the API is already breaking the TOS, because the rules are fundamentally impossible to satisfy.
Upon termination of these Terms for any reason Developer shall cease the use of the rights licensed hereunder including, for the avoidance of doubt, (a) cease all use of the Platform, Platform API and/or any SDKs, and (b) promptly delete or destroy all copies of any API Key. Developer shall ensure that all Authorized Recipients shall similarly delete or destroy all copies of the API Key. The termination of these Terms solely with respect to one or more specific External Apps shall not affect the parties’ rights hereunder with respect to other External Apps.
Wow. The picture in my head of this is me wielding my trusty sledge hammer and destroying user's hardware because it contains the API Key. A bit over the top, but along the lines of what this says. What if you tattoo the key on your body as a form of protest?
As ridiculous as that sounds, this is a legitimate concern: http://www.geekytattoos.com/illegal-tattoos-aacs-encryption-key/
Anyway, I have requested the API Key and have it. But:
* I cannot disclose the key, therefore it cannot be used in any sort of client software. * I cannot put it in a proxy in order to hide it from third parties, because that breaks a different clause of the TOS. * There are deeply concerning, unenforceable things in the TOS. If I tried to enforce them, I would have to break various laws, and the limits of what I consider moral.The TOS needs to be fixed before I consider doing anything like this. I talked to (who I believe is) a representative of OverWolf and their interpretation of these rules are nowhere near as destructive. But the fact remains that these rules say what they do. Not enforcing the rules and having them in place creates a possibility of suddenly enforcing the rules for arbitrary unrelated reasons. I do not want to be in that position.
No amount of reassurances that 'we are cool and the rules mean something else' is enough.
wow, that really sucks
josesilveiraa
commented
2 years ago I was reading FTB App source code and I saw that they're using an API wrapper, but you said that it's against ToS
peterix
commented
2 years ago I don't know what separate agreements does FTB have with OW / CurseForge.
peterix
commented
2 years ago And I am not interested in backroom deals.
josesilveiraa
commented
2 years ago I think a good workaround wold be parsing manifest.json from a downloaded CurseForge zip and download all the mods from it since it provides every mod id
graytoowolf
commented
2 years ago Is it possible to allow users to apply and set APIKEY by themselves?
peterix
commented
2 years ago I think a good workaround wold be parsing manifest.json from a downloaded CurseForge zip and download all the mods from it since it provides every mod id
The API is required for this.
Is it possible to allow users to apply and set APIKEY by themselves?
If I hold the door open for you while you rob the house, I believe it makes me also a thief.
peterix
commented
2 years ago And if you mean the user actually going through the manual application process, then that's kinda hilarious. It is an online form that a human processes manually.
If I made people do that, it would just mean hell for whoever is processing these applications. I have no intention of attacking OW/CF staff.
peterix
commented
2 years ago So all that would mean is that you go and steal the key from the official app and plug it into MultiMC (which would be trivial to automate).
Thereby making me complicit.
graytoowolf
commented
2 years ago Why steal keys in official apps. Users can also apply for developer APIKEY.
graytoowolf
commented
2 years ago There is no limit to apply for APIKEY
peterix
commented
2 years ago Did you read my reply?
peterix
commented
2 years ago There are about 800k users here. Them applying for keys on a manually processed form is pure insanity.
peterix
commented
2 years ago Anyway, everything has been said here. The TOS must be fixed before this is allowed anywhere near MultiMC again.
Role
Modded Minecraft.
Suggestion
Add CurseForge online support and/or .zip importation
Benefit
so that we can enjoy more modpacks
This suggestion is unique
You may use the editor below to elaborate further.
No response