Trojaner
commented
1 year ago Closed sunnamed434 closed 1 year ago
Trojaner
commented
1 year ago 
sunnamed434
commented
1 year ago https://www.nuget.org/packages/ShimmyMySherbet.RocketExtensions.RocketMod.Redist
why versions are different?
SDGNelson
commented
1 year ago I do not like the modern trend of package managers - good to have a static copy in your project files IMO and know exactly what is being updated and when :D
sunnamed434
commented
1 year ago I do not like the modern trend of package managers - good to have a static copy in your project files IMO and know exactly what is being updated and when :D
Okay, then here is a security vulnerability, stores in the project a static copy of files anyone could say would like to update these static libs through idk let`s say fork - where is the trust? The owner of the repo may just update them, surely with static files the same but packages give more trust (anyone opens a project in IDE and could see hmm.. its ok everything is fine I can trust it, not saying about IDE vulnerabilities) as well these packages could become paid and you will probably lose access to them but anyway this is the last problem and they are stored on disk as packages with .DLLs.
negrifelipe
commented
1 year ago I do not like the modern trend of package managers - good to have a static copy in your project files IMO and know exactly what is being updated and when :D
Okay, then here is a security vulnerability, stores in the project a static copy of files anyone could say would like to update these static libs through idk let`s say fork - where is the trust? The owner of the repo may just update them, surely with static files the same but packages give more trust (anyone opens a project in IDE and could see hmm.. its ok everything is fine I can trust it, not saying about IDE vulnerabilities) as well these packages could become paid and you will probably lose access to them but anyway this is the last problem and they are stored on disk as packages with .DLLs.
There is no vulnerability because plugins are libraries they are not executable so they just use the dll libs as a reference the code that is executed from rocketmod is the one installed by the user in the modules folder so changing and adding malicious code to the reference libs isn't a problem
sunnamed434
commented
1 year ago I do not like the modern trend of package managers - good to have a static copy in your project files IMO and know exactly what is being updated and when :D
Okay, then here is a security vulnerability, stores in the project a static copy of files anyone could say would like to update these static libs through idk let`s say fork - where is the trust? The owner of the repo may just update them, surely with static files the same but packages give more trust (anyone opens a project in IDE and could see hmm.. its ok everything is fine I can trust it, not saying about IDE vulnerabilities) as well these packages could become paid and you will probably lose access to them but anyway this is the last problem and they are stored on disk as packages with .DLLs.
There is no vulnerability because plugins are libraries they are not executable so they just use the dll libs as a reference the code that is executed from rocketmod is the one installed by the user in the modules folder so changing and adding malicious code to the reference libs isn't a problem
Ok, thanks, I got it. Closing it, now I'm using Shimmy's RocketMod Redist, the last thing I don't understand is why versions are different in the repo of Nelson and Shimmy nuget.
This will improve dev experience (the thing is you just doing a few clicks in Visual Studio or somewhere else IDE, you don't need to have libs directory in your project and always updating Unturned to get these new libraries for rocket/checking Legally-Distinct-Missile releases, just open NuGet packages in IDE and check for updates even IDE could say this info that smth is actually got updated)