OpenMods / OpenPeripheral


Can we get sockets? #128

Closed SoniEx2 closed 10 years ago

SoniEx2 commented 10 years ago

I'm kinda trying to implement git in CC...

mikeemoo commented 10 years ago

Nope, sorry. Too high security risk.

SoniEx2 commented 10 years ago

@mikeemoo Can we at least get a git?

mikeemoo commented 10 years ago

No sorry.

asiekierka commented 10 years ago

Assuming that TCP sockets were only available to whitelisted IP and port combinations, how are they a security risk?

mikeemoo commented 10 years ago

Righty, here we go:

For starters, OpenPeripheral appeals to maybe (generously) 5% of the modded Minecraft user base. I'd guess that out of that small percentage of people a far smaller percentage of people actually write their own non-beginner code, and an even smaller percentage would actually understand what sockets are and how to use them. The majority of those who know how to use them wouldn't have a use for them.

Total user base: tiny tiny tiny tiny tiny percentage of people

If you want to then lock it down to an admin defined whitelisted IP for security reasons, the userbase shrinks even more.

Aside from the security risks, there's also the high probability of things 'going wrong' - considering that even ComputerCraft still has many issues with regards to hanging threads and whatever else, adding a socket layer on top of that would turn into a huge clusterfuck.

Not to mention that I can almost smell the amount of bugs entered into the bug tracker or sent to us on IRC, the majority of which will be purely down to the user implementing something wrong or getting different responses from their socket than they're expecting.

The risk/appeal/effort ratio is way out of whack.

As for a git client, I really do not like the idea of trying to support git from inside a game. Way too many potential issues to deal with - file conflicts, authentication, etc. If it's something you really want then I suggest creating a custom HTTP app and using standard ComputerCraft methods.

Vexatos commented 10 years ago

If you really want such things, use OpenComputers. It depends on a native Lua library, so you are able to have such things without any problem.

progwml6 commented 10 years ago

this is an extremely high security risk regardless... if OpenComputers allows you to do such things then they need to seriously redesign that mod

having a common mod with user's authentication info when it's not specifically meant for that ex: irc integration mods is a large security breach waiting to happen

asiekierka commented 10 years ago

None of you have still proven any of the security issues. Bugs and PEBKAC cases are one thing, but actual security issues are another.

The only one I would see is players abusing TCP sockets to abuse server bandwidth, but you can do that with HTTP too.

progwml6 commented 10 years ago

the larger issue is that computers can be accessed by all, and thus someone could possibly breach the credentials with relative ease

SoniEx2 commented 10 years ago

@progwml6 I'm not sure if you know but on Linux you can encrypt keys with a password and stuff

asiekierka commented 10 years ago

Yes, so don't use credentials or encrypt them? TCP is not only used for login. Personally, I would like to see telnet clients, for instance, or faster communication with my own custom servers.

Also, OpenComputers lets you lock computers so only the owner can access them.

progwml6 commented 10 years ago

which can STILL be breached... MC should not have access to such things, and this leads to the possibility of users using a MC server to run DDOSing and other issues

asiekierka commented 10 years ago

progwml6 - I can still run DDoSes with the HTTP API alone, with a whitelist you can pretty much ensure that the only servers connected are ones which aren't stupid.

Not to mention, I'm trying to solve this issue with EnderNet 2 - cross-server computer communication that removes the need for HTTP or TCP APIs and rate limits the communication automatically.
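The admin-defined whitelist of IP and port combinations and the automatic rate limiting raised in the comments above, sketched as an added example that is not part of the thread or of any mod's code. `EgressPolicy`, the sample hostnames and the injected resolver are hypothetical, and the example goes one step beyond the thread by pinning the resolved address so a hostname cannot point somewhere else after the check.

```python
import ipaddress
import time

# Constructed sample data: hostnames and the addresses a resolver might return.
SAMPLE_DNS = {
    "telnet.example": ["203.0.113.10"],
    "mixed.example": ["203.0.113.10", "127.0.0.1"],  # one answer is off-list
}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])

class EgressPolicy:
    """Hypothetical policy object: admin allowlist plus per-computer token bucket."""

    def __init__(self, allowed, rate_per_sec, burst, clock=time.monotonic):
        # allowed: iterable of (CIDR string, port), e.g. ("203.0.113.10/32", 23)
        self.allowed = [(ipaddress.ip_network(n), p) for n, p in allowed]
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.buckets = {}  # computer_id -> (tokens, time of last update)

    def _take_token(self, computer_id):
        now = self.clock()
        tokens, last = self.buckets.get(computer_id, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[computer_id] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def authorize(self, computer_id, host, port, resolve=sample_resolve):
        """Return the IP the caller must connect to, or raise PermissionError."""
        # Denied attempts also cost a token, so probing the allowlist is throttled.
        if not self._take_token(computer_id):
            raise PermissionError("rate limit exceeded")
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if not addrs:
            raise PermissionError("host did not resolve")
        # Every resolved address must be listed; otherwise a name could
        # mix an allowed address with an internal one.
        for addr in addrs:
            if not any(addr in net and port == p for net, p in self.allowed):
                raise PermissionError(f"{addr}:{port} not on allowlist")
        # Connect to this literal IP; re-resolving the name would bypass the check.
        return str(addrs[0])
```
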

progwml6 commented 10 years ago

all of those are still dangerous to have in MC; reliance on anything being secure is foolhardy at best

SoniEx2 commented 10 years ago

@progwml6 overencrypted files are pretty secure

asiekierka commented 10 years ago

Yes, so is having TNT because you can blow things up, or locked chests because they can be broken into. sigh

You cannot try to fix every problem a user can potentially cause by limiting the user in every way you can think of. iOS tried to do that and kind of failed.

SoniEx2 commented 10 years ago

TNT can crash servers too

Vexatos commented 10 years ago

Yea, let CC download the JDK via the HTTP API, from 5 computers at the same time. Have fun.

GenPage commented 10 years ago

To put it bluntly, the amount of time that would be needed to be put into this feature does not outweigh the cost. I can't see anyone using git any more than they do with the pastebin API. The deal about crashing servers and security is cute but @mikeemoo already completely addressed the issue. It's a complete clusterfuck waiting to happen.

Sunstrike commented 10 years ago

How about this; you want such insecure features? Implement them in your own mod.