Divi
commented
10 years ago Like I said in the @jaagupkymmel issue, i'm not very confortable with people who want to use our data to hack/cheat. Even if we deal with spectator data, like you said, one day we can found a leak. I'm agree with the idea to communicate with Riot and let them a chance of fixing the leak.
There are two solutions to avoid leaking :
- create a private repo for our commits and publish a weekly/monthly commit on the public repo to stay open-source, it's very important.
- have trust in our members to not commit or communicate a discovered leak and stay fully open-source on this repo.
In all cases, we must have trust in our members, even if we choice to create a private repo. There is a only one bad thing : a private repo costs money (7$/month if we stay on github).
themasch
jaagupkymmel
Since we are working on reverse engineering technology which is used by literally millions of people, we should think about what happens when we find out on a serious security issue. @jaagupkymmel talked about this issue ~10 days ago and suggested to make the specification private so possible leaks won't turn out into public immediately. But we, as a community, decided to keep the specification open for everybody. I'm really happy with that decision but I feel like his points weren't really invalid. Even if the chance of security issues in the spectator part seems to be quiet low (only game related data should be exchanged with a non-skippable delay) I think we should be prepared for the day someone of us discovers something serious. I don't think we'll stop after we're done with spectator. That's our main focus right now and I'm pretty sure it will be for a long time but for me, loldevs is not only about understanding the spectator data. Its about everything related to the game.
So, long story short, I really think we should work out something like a "code of conduct for finding sercurity issues". Of course we can't handle everything right, we can't stop anyone from publishing his own results. But I think a "best practice"-guide might be handy for devs who find a leak and want it get fixed. I don't think anyone of the devs that are currently working under "the flag of loldevs" would exploit a leak they found.
I'd suggest that we agree on a written code of conduct that defines a responsible and fair behavior. Responsible disclosure seems the way to go in situations like these. That would mean, when a leak is found, we (or the person who found the leak) tells riot about the results and includes as much details as possible. With that message, a appropriate time limit is defined. The results aren't published by us (maybe we need to create a private repo for these?). After the give time, the results will be published, regardless whether the issues are fixed or not. This gives riot a chance of fixing the issue but also puts pressure on them so it isn't ignored.
But maybe, I'm just to paranoid. Am I? (That was a long, short story.. sry)