Skidamek / AutoModpack

Enjoy a seamless modpack installation process and effortless updates with a user-friendly solution that simplifies management, making your gaming experience a breeze.
https://modrinth.com/mod/automodpack
GNU Lesser General Public License v3.0
89 stars 29 forks

Download mods ONLY from Modrinth/Curseforge #227

Open MichelJonkman opened 3 months ago

MichelJonkman commented 3 months ago

Motivation

This would basically fix the security issue, or at least make it just as safe as having users install a modpack.

Description

Make users download mods from Modrinth/Curseforge and disable downloading directly from server by default.

Other information

No response

Skidamek commented 3 months ago

It's OK as a feature, but it doesn't really resolve anything. You can still upload viruses to Modrinth/CurseForge; if not a virus, then there could be a backdoor. Just downloading mods from the most 'trusted' source doesn't mean it is 100% safe, because nothing truly is. Not that long ago there was a drama with fractureiser.

maxomatic458 commented 2 months ago

I think that's actually pretty straightforward to implement. Modrinth has this to get a mod from a sha1/sha512 hash, and CurseForge has this to get a mod from a murmur2 hash (although the CF API usually requires an API key, there is also https://curse.tools/).

So the server could get all the download URLs (probably cache them), and if a client joins it could compare the mods with the server (maybe compare a hash of mod names).

If it's not the same, the server would send the download URLs via a game packet (if that's possible).

So there wouldn't be a need for a separate HTTP server (but this could still be used for mods that are not found on either Modrinth or CurseForge).

So I guess it would be a bit safer + you save bandwidth + you don't need to forward a separate port.

maxomatic458 commented 2 months ago

Looks like something like that is actually already implemented: https://github.com/Skidamek/AutoModpack/blob/e73aefad145be4156b10e545fda42e18afca00da/core/src/main/java/pl/skidam/automodpack_core/utils/Json.java#L92

Skidamek commented 2 months ago

> looks like something like that is actually already implemented

Yes, it is implemented already and that works great.

This issue is about adding a feature which forces the client to download mods only from Modrinth/CurseForge and not from the server host at all. (At least that's how I interpret these words.)

> Make users download mods from Modrinth/Curseforge and disable downloading directly from server by default.
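
The client-side policy requested in this issue, combined with the hash comparison from maxomatic458's comment, as an added example that is not part of the thread and not AutoModpack's own code. The manifest shape, the function names and the CDN host allowlist are assumptions; the sample data is constructed.

```python
import hashlib
from urllib.parse import urlsplit

# Assumption: CDN hosts that Modrinth and CurseForge serve mod files from.
ALLOWED_HOSTS = {"cdn.modrinth.com", "edge.forgecdn.net", "mediafilez.forgecdn.net"}

def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()

def url_allowed(url: str) -> bool:
    """Accept only https URLs whose exact host is on the allowlist."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return (parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
            and parts.username is None and parts.password is None
            and port in (None, 443))

def plan_sync(manifest, local_hashes, allow_server_host=False):
    """Map each manifest file to keep / download / download-from-server / reject.

    manifest: entries {"file", "sha512", "url"} sent by the server (hypothetical shape).
    local_hashes: {file: sha512} of the mods already installed on the client.
    """
    plan = {}
    for entry in manifest:
        name = entry["file"]
        if local_hashes.get(name) == entry["sha512"]:
            plan[name] = "keep"                  # identical file, nothing to fetch
        elif url_allowed(entry.get("url") or ""):
            plan[name] = "download"              # platform CDN only
        elif allow_server_host:
            plan[name] = "download-from-server"  # explicit opt-in fallback
        else:
            plan[name] = "reject"                # default: no direct server downloads
    return plan

def verify_download(data: bytes, expected_sha512: str) -> bool:
    """Check fetched bytes against the manifest hash before writing them to mods/."""
    return sha512_hex(data) == expected_sha512.lower()

# Constructed sample data: file names, URLs and contents are made up.
JAR_A, JAR_B = b"constructed jar A", b"constructed jar B"
SAMPLE_MANIFEST = [
    {"file": "a.jar", "sha512": sha512_hex(JAR_A), "url": "https://cdn.modrinth.com/data/x/a.jar"},
    {"file": "b.jar", "sha512": sha512_hex(JAR_B), "url": "https://cdn.modrinth.com/data/x/b.jar"},
    {"file": "c.jar", "sha512": sha512_hex(b"private mod"), "url": "https://mc.example.org:30037/c.jar"},
]
```

The hash in the manifest comes from the server, so `verify_download` only proves the file matches what the server announced; the host allowlist is what restricts where it came from. As noted in the thread, neither check vets what the platforms themselves host.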