search

pmmp / PocketMine-MP

A server software for Minecraft: Bedrock Edition in PHP
https://pmmp.io
GNU Lesser General Public License v3.0
3.28k stars 1.56k forks source link

Automatic dependency resolution #2505

Open SOF3 opened 6 years ago

SOF3 commented 6 years ago

In light of the rising number of "API plugins" in the plugin ecosystem, there might be the need to have PocketMine install dependencies automatically.

Proposal 1: Dependency URL in plugin.yml

It is proposed that the following format be allowed in plugin.yml:

depend:
  FormAPI: https://poggit.pmmp.io/get/FormAPI

If the plugin FormAPI is not installed, PocketMine will automatically download it from the URL provided.

Proposal 2: Dependency version in plugin.yml

It is proposed that version constraints be allowed in plugin.yml in a similar way to the extensions property. In conjunction with proposal 1, the syntax could be like this:

depend:
  FormAPI 1.1.0: https://poggit.pmmp.io/get/FormAPI/^1.1.0

(Note that the ^ syntax is not supported in Poggit yet, and it is just an example)

Proposal 3: Common dependency resolution

If two plugins depend on the same plugin but at different versions, PocketMine should attempt to resolve the dependency for the higher version. For example, if there are two plugins:

name: PluginOne
depend:
  FormAPI 1.0.0: https://poggit.pmmp.io/get/FormAPI/1.0.0
name: PluginTwo
depend:
  FormAPI 1.1.0: https://poggit.pmmp.io/get/FormAPI/1.1.0

PocketMine should note that PluginTwo requires a higher version, so its dependency should be used instead of PluginOne's dependency. If FormAPI 1.0.0 was already installed, it should be automatically updated.

Problem: This allows automatic installation of plugins. Is this bad?

The same could be achieved in plugins by downloading the plugin in onLoad() and loading it first. I would not consider this as a new attack vector, considering that plugin.yml should be reviewed in the same way as the PHP code.

SOF3 commented 6 years ago

A prerequisite of proposals 2 and 3 is to enforce semantic versioning in plugins. Many years ago, there were plugins that looked like this:

version: 1.5.0 THE REDSTONE UPDATE DOWNLOAD NOW
jasonw4331 commented 6 years ago

I think this was a feature of pocketmine-soft 🤔

lukeeey commented 6 years ago

It was

SOF3 commented 6 years ago

Are you referring to this? It only loads plugins listed in pocketmine-soft.yml. I am talking about plugins requested by the plugin, not plugins requested by the user.