Open MichelJonkman opened 3 months ago
It's ok as a feature, but it doesn't really resolve anything. You can still upload viruses on modrinth/curseforge, if not just virus then there could be a backdoor. Just downloading mods from by most 'trusted' source doesn't mean it is 100% safe, because nothing truly is. Since not that long ago there was a drama with fractureiser
.
I think thats actually pretty straight forward to implement Modrinth has this to get a mod from a sha1/sha512 hash and Curseforge has this to get a mod from a murmur2 hash (although the cf api usually requires a api key, there is also https://curse.tools/)
so the server could get all the download urls (probably cache them) and if a client joins it could compare the mods with the serve (maybe compare a hash of mod names)
if its not the same, the server would send the download urls via a game packet (if thats possible)
so there wouldnt be a need for a seperate http server (but this could still be used for mods that are not found on either modrinth or curseforge)
so i guess it would be a bit safer + you save bandwidth + you dont need to forward a seperate port
looks like something like that is actually already implemented https://github.com/Skidamek/AutoModpack/blob/e73aefad145be4156b10e545fda42e18afca00da/core/src/main/java/pl/skidam/automodpack_core/utils/Json.java#L92
looks like something like that is actually already implemented
Yes, it is implemented already and that works great.
This issue is about adding feature which forces client to download mods only from modrinth/curseforge and not from server host at all. (At least that's how i interpret these words)
Make users download mods from Modrinth/Curseforge and disable downloading directly from server by default.
Motivation
This would basically fix the security issue, or at least make it just as safe as having users install a modpack
Description
Make users download mods from Modrinth/Curseforge and disable downloading directly from server by default.
Other information
No response