Closed andrewsf closed 3 years ago
I think the repo is public for people to make pull requests to fix the links and SHA1s.
Only a trusted contributor should make changes regarding validity and trust.
Yeah, everyone can make a PR to fix modlinks/add new modlinks. The PRs do of course get looked at.
Instead, commit b9e08be changed the hash to further reflect the old 2.7.3.3 version.
Yeah, this was because I had no idea that it was an older version; I only knew that the SHA1 was wrong ¯\_(ツ)_/¯
If only some people could modify modlinks things would be much slower regarding adding or updating mods
I take your point, but this is an application that downloads and installs executable software. The hash is a security feature to couple trust of the individual mod downloads with trust of the mod installer and its maintainers. That is, if you trust the mod installer, you implicitly trust the software that it installs. Updates should only go as quickly as they can while maintaining that chain of trust.
The fact that the SHA hash was failing validation for a month and that it was corrected by re-generating using the incorrect binary (which could have been malware) suggests that the check is not always doing its job on this project and the installed software is not being vetted. Maybe that's OK.
With that in mind, later this week I will set up an environment & submit a PR if someone more prepared doesn't get to it first.
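The chain of trust described in the comment above comes down to one rule in the installer: the expected hash must come from the manifest maintained by the project, never be re-derived from whatever bytes the download URL happened to serve. As an added illustration (not the mod installer's own code; the manifest entries, mod name, URL and archive bytes are constructed here), the block below shows a verify-before-install check failing on the wrong artifact, and why "regenerating" the hash from the served file makes the check pass without vetting anything.

```python
import hashlib
import hmac

# Constructed stand-ins for a release archive and for the bytes a mirror served
# instead of it. In the thread the served file was an older release of the same
# mod; it could just as easily have been anything else.
GOOD_ARCHIVE = b"PK\x03\x04 PlayerDataTracker 3.1.0.5 (constructed release archive)"
SERVED_ARCHIVE = b"PK\x03\x04 PlayerDataTracker 2.7.3.3 (constructed older archive)"


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of an archive, the digest form the manifest records."""
    return hashlib.sha1(data).hexdigest()


# Constructed manifest: a modlinks-style entry pairs a download URL with the
# SHA1 of the archive the maintainers actually reviewed (URL is a placeholder).
MANIFEST = {
    "PlayerDataTracker": {
        "url": "https://example.invalid/PlayerDataTracker-3.1.0.5.zip",
        "sha1": sha1_hex(GOOD_ARCHIVE),
    }
}


class HashMismatch(Exception):
    """Raised when the downloaded archive does not match the manifest."""


def verify_artifact(data: bytes, expected_sha1: str) -> str:
    """Compare the download against the manifest digest; refuse on mismatch."""
    actual = sha1_hex(data)
    # Constant-time comparison is habit for digests; the real protection here
    # is simply that the expected value is fixed before the download happens.
    if not hmac.compare_digest(actual, expected_sha1.lower()):
        raise HashMismatch(f"expected {expected_sha1}, got {actual}")
    return actual


def install_from_manifest(name: str, fetched: bytes, manifest=MANIFEST) -> str:
    """Install path: verify first, and only then hand the bytes to the installer."""
    entry = manifest[name]
    verify_artifact(fetched, entry["sha1"])
    return f"installed {name} ({entry['sha1'][:12]})"


def regenerate_hash_from_download(name: str, fetched: bytes, manifest=MANIFEST) -> dict:
    """The anti-pattern: overwrite the manifest digest with the served file's digest.

    After this, verify_artifact passes for the served bytes whatever they are,
    so the check no longer couples the installer's trust to a vetted release.
    Shown only to make the failure mode concrete; do not ship this.
    """
    fixed = dict(manifest)
    fixed[name] = {**manifest[name], "sha1": sha1_hex(fetched)}
    return fixed


def check_passes(name: str, fetched: bytes, manifest=MANIFEST) -> bool:
    """True if the installer would accept `fetched` for `name` under `manifest`."""
    try:
        install_from_manifest(name, fetched, manifest)
        return True
    except HashMismatch:
        return False


if __name__ == "__main__":
    print(install_from_manifest("PlayerDataTracker", GOOD_ARCHIVE))
    print("served archive accepted:", check_passes("PlayerDataTracker", SERVED_ARCHIVE))
    weakened = regenerate_hash_from_download("PlayerDataTracker", SERVED_ARCHIVE)
    print("after regenerating the hash:", check_passes("PlayerDataTracker", SERVED_ARCHIVE, weakened))
```

A mismatch is a signal that the URL and the manifest disagree about which file is being installed; the fix is to resolve which one is right from the release source and update the other, not to make the digest agree with the download.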
The PR changed a large number of the hashes because it was migrating after the previous hosting setup went down. The downgrading of the mod as a result of this, while unintended, still has the mod link pointing to a trusted source, the drive created by us as a result of the previous hosting going down. This isn't anywhere near a "malware" attack.
Migrating was done mostly by getting links using a self-written script which took a zip from every mod folder, which didn't account for multiple zips in a folder. While its getting the wrong one is a mistake, and an unfortunate one at that, it's nothing near a vulnerability. I've gone ahead and fixed it, but calling this a red flag for malware is a bit much given how often people put wrong SHA1s in and have to replace them later.
Google Drive: https://drive.google.com/drive/u/0/folders/1RqWDGzttM38V11Rtt3h85E2WpWm5kEYs
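The migration script described above picked one zip per folder and so silently chose the older archive when a folder held two. The block below is an added example (not the project's script; the folder listing and file names are constructed) of the defensive version of that step: it returns the archive only when the choice is unambiguous, and reports every folder that needs a human decision instead of guessing.

```python
import re
from typing import Optional

# Matches a dotted version such as 3.1.0.5 anywhere in a file name.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


class AmbiguousArchive(Exception):
    """A folder holds several zips and no safe way to pick one automatically."""


def parse_version(name: str) -> Optional[tuple[int, ...]]:
    """Return the version embedded in a file name as a comparable tuple, or None."""
    m = VERSION_RE.search(name)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def select_archive(folder: str, files: list[str]) -> str:
    """Pick the archive to link for one mod folder.

    Exactly one zip: take it. Several zips: take the highest version only if
    every zip carries a version and the top two differ; otherwise refuse, so
    the migrating maintainer sees the folder rather than an arbitrary pick.
    """
    zips = [f for f in files if f.lower().endswith(".zip")]
    if not zips:
        raise LookupError(f"{folder}: no zip archive found")
    if len(zips) == 1:
        return zips[0]

    versioned = [(parse_version(z), z) for z in zips]
    if any(version is None for version, _ in versioned):
        raise AmbiguousArchive(f"{folder}: multiple zips, not all versioned: {sorted(zips)}")
    versioned.sort(key=lambda item: item[0], reverse=True)
    if versioned[0][0] == versioned[1][0]:
        raise AmbiguousArchive(f"{folder}: two zips share the top version: {sorted(zips)}")
    return versioned[0][1]


def build_links(listing: dict[str, list[str]]) -> tuple[dict[str, str], list[str]]:
    """Run selection over every folder; return (chosen archives, folders needing review)."""
    chosen: dict[str, str] = {}
    needs_review: list[str] = []
    for folder, files in sorted(listing.items()):
        try:
            chosen[folder] = select_archive(folder, files)
        except (AmbiguousArchive, LookupError) as err:
            needs_review.append(str(err))
    return chosen, needs_review


# Constructed listing of a mirror: one folder with two releases (the case from
# the thread), one clean folder, and one folder where the names carry no version.
SAMPLE_LISTING = {
    "PlayerDataTracker": ["PlayerDataTracker-2.7.3.3.zip", "PlayerDataTracker-3.1.0.5.zip", "README.txt"],
    "SingleMod": ["SingleMod.zip"],
    "UnversionedMod": ["UnversionedMod.zip", "UnversionedMod-old.zip"],
}


if __name__ == "__main__":
    chosen, review = build_links(SAMPLE_LISTING)
    for folder, archive in chosen.items():
        print(f"{folder}: {archive}")
    for line in review:
        print("NEEDS REVIEW:", line)
```

Whatever is chosen, the SHA1 written into the manifest should be computed from the archive that was actually reviewed, and the "needs review" list is the place where a downgrade like the one in this thread would have been caught before the PR was opened.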
Commit 665f99e downgraded the Player Data Tracker mod from 3.1.0.5 to 2.7.3.3 (which removed features and reintroduced bugs long fixed). The SHA1 hash verification started failing on PlayerDataDump.dll for a month.
The hash being wrong should have been a red flag that led to the URL getting replaced with a proper download. Instead, commit b9e08be changed the hash to further reflect the old 2.7.3.3 version.
Please update back to the correct version. It may also be a good idea to audit all SHA1 changes made since 665f99e.