NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Replace PolyMC with successor #196480

Closed starcraft66 closed 1 year ago

starcraft66 commented 1 year ago

Issue description

As discussed in https://github.com/NixOS/nixpkgs/issues/196460, the PolyMC Minecraft launcher project appears to have been compromised and its meta-data server cannot be trusted anymore. The package has been marked as vulnerable, however there is not yet a suitable replacement launcher complete with a meta-data server to make it usable.

Non-compromised PolyMC maintainers have started a spin-off fork at PlaceholderMC. Discord discussion for PlaceholderMC: https://discord.gg/hX4g537UNE

Leaving this open as a tracking issue for the moment.

cx405 commented 1 year ago

Being unable to trust maintainers means being unable to trust the package. I feel like we should've learned this after the npm hacktivism thing, but apparently it bears repeating.

On a personal note: I installed PolyMC, it is working fine, parts of it are more current than in Prism. I will be observing both projects, but unless there is a technical necessity, there is no point (strictly for me) in switching the base. From the looks of it, creating the technical difficulty (including this "bug") was part of Prism's agenda, which speaks against using it, as the correct procedure is advertising and forking, not replacing.

This discussion is closed from my side, reason being not productive. Happy coding.

Derpford commented 1 year ago

The guy who took over PolyMC kicked all of the other maintainers out and started making changes. This is an immediate threat, because the same permissions that allow you to change the ToS and code of conduct also allow you to change everything else. To claim otherwise is like claiming that RCE proof-of-concept demos don't count as RCE because they "only" pop calc.exe.

Linux had, has, and will have tons of CVEs, yes. The Linux kernel team generally fixes those issues as soon as they can, and issues CVEs to warn the community while they are working on a fix. The fix for a "the current owner of the repo is doing shady shit" vulnerability is to switch to a different repo, which the original maintainers of PolyMC did by switching to Prism.

I'm curious which features are "more current" in PolyMC than in Prism, seeing as it had a dev team of one guy when the fork happened. Looking at the commits since the "remove leftoids" one, there's been a number of bugfixes, and...the ability to edit the image and position of the cat icon in the toolbar. Unless the ability to put Big Floppa on your Minecraft launcher is a killer feature, I don't think that helps your case.

cx405 commented 1 year ago

The guy who took over PolyMC

Owner, root.

kicked all of the other maintainers out and started making changes.

Owner, root.

This is an immediate threat, because the same permissions that allow you to change the ToS and code of conduct

Even rm -rf. Owner, root.

Unless the ability to put Big Floppa

I would use the official client if it weren't broken, but it is, and here we are.

Derpford commented 1 year ago

...so you see the problem here, then? If one person kicks all other maintainers out, they have essentially privilege-escalated. They are now root. That is the problem.

cx405 commented 1 year ago

so you see the problem here, then? If one person kicks all other maintainers out

Minecraft 1.19.4 works for me. People have been kicking themselves out since Pontius Pilatus. Earth still rotates.

Derpford commented 1 year ago

It's not people "kicking themselves out". One guy kicked everyone else out. Those who got kicked out forked the repo because the repo was owned by a guy who thought it was acceptable to kick everyone out so he could make changes without anybody else stopping him.

cx405 commented 1 year ago

It's not people "kicking themselves out". One guy kicked everyone else out.

It's exactly "People have been kicking themselves out since Pontius Pilatus. Earth still rotates."

How is this drama related to the ability to run the Minecraft client I purchased? Fork, if you disagree. Fork is not destructive. Fork != Replace. Replace IS destructive. If you "Replace" there should be valid technical reasons. Root removing non-root isn't a valid technical reason.

Derpford commented 1 year ago

There is a valid technical reason. The technical reason is "our supply chain is compromised". If the root cannot be trusted and has removed all other contributors' permissions, that's a security issue.

Minion3665 commented 1 year ago

I'm a nixpkgs maintainer of PrismLauncher and the person who PRed to replace PolyMC with PrismLauncher.

We replaced PolyMC due to the risk it poses as a project that downloads code at runtime with metadata controlled (without any package update or way that someone running PolyMC can vet the changes) by a maintainer who suddenly removed all other maintainers from the project. We believe this is an intolerable risk in the supply chain (effectively RCE if the maintainer willed it) and additionally that not removing the package would lead to people using it without being aware of the risks.

If you'd still like to run PolyMC, you are welcome to override the src attribute of our package, but we won't be maintaining it in nixpkgs.

I'm aware this isn't the resolution you wanted, but we're not going to reinstate PolyMC. Please, both of you, stop arguing in the issue comments.