godotengine / godot-docs

Godot Engine official documentation
https://docs.godotengine.org

PCK could leak source code #10087

Open pochoco24 opened 6 hours ago

pochoco24 commented 6 hours ago

Your Godot version: v4.3.stable

Issue description: This documentation page says that when using PCK resource packs for mods or texture packs, it won't disclose the source code, but if a user puts a script in the PCK, it can get access and read all of the scripts. This can be dangerous for public releases of games or apps.

It would be a good idea to allow the dev to choose what gets imported with ProjectSettings.load_resource_pack() (like textures or sounds) and avoid loading custom scripts.

URL to the documentation page: https://docs.godotengine.org/en/stable/tutorials/export/exporting_pcks.html#


AThousandShips commented 5 hours ago

It doesn't say that though; it says it isn't needed, not that it won't happen. It could be a bit clearer, but it doesn't say:

> it won't disclose the source code

fire commented 3 hours ago

No source code disclosure needed for mods

As far as I know, the current status of the gdscript byte code encoder is that it runs very few optimizations, and Godot Engine's gdscript bytecode can be decoded by https://github.com/bruvzg/gdsdecomp in easy-to-do ways.

Source code disclosure means that gdscript byte code encoding can be obscured, which isn't possible unless you use a cryptographically signed box, similar to a box with multiple locked containers where the game developer releases the key on a schedule or a steam release on a particular day where the release decryption key is released, and the data is accessible.

Source code disclosure is unrelated to the sandbox concept of executing mod code that will be blocked from running "notepad.exe" on your computer. See https://github.com/godotengine/godot-proposals/issues/5010 and my godot-sandbox project.

You argue that arbitrary remote code execution that causes Godot Engine to dump its source code is source code disclosure, but that isn't strictly promised here in the documentation.

fire commented 3 hours ago

We have developed a Godot Engine resource name based allow list technology for our V-Sekai social VR project, and I have posted the branch here: https://github.com/V-Sekai/godot/tree/resource_loader_whitelist_4.4

@lyuma worked on it if you want details.
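
As an added illustration of the pre-load filtering suggested in the issue (not code from this thread, from Godot, or from the V-Sekai branch): a Python check that reads a PCK's file directory and reports entries whose extension is not on an allow list, so a pack can be refused before `ProjectSettings.load_resource_pack()` is called. The directory layout is assumed to be pack format version 2 as written by Godot 4.0 to 4.3; `ALLOWED_EXT` and all function names are made up for this example.

```python
import io
import posixpath
import struct

PACK_DIR_ENCRYPTED = 1
# Hypothetical policy: imported textures and audio only, no scripts or scenes.
ALLOWED_EXT = {".ctex", ".oggvorbisstr", ".sample", ".import"}

def list_pck_entries(data: bytes) -> list[tuple[str, int]]:
    """Return (path, size) for every file in a format-2 PCK directory."""
    f = io.BytesIO(data)
    def read(fmt):
        want = struct.calcsize(fmt)
        buf = f.read(want)
        if len(buf) != want:
            raise ValueError("truncated PCK directory")
        return struct.unpack(fmt, buf)
    magic, fmt_version, _major, _minor, _patch = read("<4s4I")
    if magic != b"GDPC" or fmt_version != 2:
        raise ValueError("not a format-2 PCK")
    pack_flags, _file_base = read("<IQ")
    if pack_flags & PACK_DIR_ENCRYPTED:
        raise ValueError("encrypted directory cannot be vetted")
    read("<16I")                        # reserved words
    (count,) = read("<I")
    entries = []
    for _ in range(count):
        (path_len,) = read("<I")        # length includes NUL padding to 4 bytes
        if path_len > 4096:
            raise ValueError("implausible path length")
        (raw,) = read(f"<{path_len}s")
        _ofs, size, _md5, _flags = read("<QQ16sI")
        entries.append((raw.rstrip(b"\0").decode("utf-8"), size))
    return entries

def rejected_paths(data: bytes) -> list[str]:
    """Paths whose extension is not allow-listed; an empty list means pass."""
    return [p for p, _ in list_pck_entries(data)
            if posixpath.splitext(p)[1].lower() not in ALLOWED_EXT]

def build_sample_pck(paths: list[str]) -> bytes:
    """Constructed test input: a directory-only PCK with empty files."""
    out = struct.pack("<4s4IIQ", b"GDPC", 2, 4, 3, 0, 0, 0) + bytes(64)
    out += struct.pack("<I", len(paths))
    for p in paths:
        raw = p.encode() + b"\0" * (-len(p.encode()) % 4)
        out += struct.pack("<I", len(raw)) + raw
        out += struct.pack("<QQ16sI", 0, 0, bytes(16), 0)
    return out
```

This only vets the pack file before it is mounted; it is a different layer from an in-engine resource allow list such as the branch linked above.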