Feature Request: Remove backdoor features
NyxaYu opened this issue ยท 8 comments
Is your feature request related to a problem? Please describe.
After looking at this mod's source code I have determined that this mod provides backdoor access to the owner (Lightman314) and allows them to use any of the administrative commands within it.
This can be seen across the following files:
Describe the solution you'd like
Remove the backdoor access from all mod version, update the CurseForge page informing players of this issue and make the io.github.lightman314.lightmanscurrency.secrets.*
package publicly viewable to see the extent of the security issue.
Describe alternatives you've considered
There are no other alternatives.
Additional context
Your a disgrace to the modding & open source community ๐
I say that this mod is within Lightman's control and what he wants to in terms of how he wants to handle pay-to-win (PtW) servers using LC as a middle man. I agree that this feature is a bit cheat-y, but on the other hand, one should not be obtaining things within the game using real world currency. Perhaps a simpler way to check if the server is pay-to-win would be to have the mod check if there is a specific API tied to giving out items and such based on transactions and have it crash the game upon boot until either LC or the PtW plugin(s) are removed. I also agree w the idea of making the secrets directory more transparent and letting others view it and leaving comments to allow others to see what the code is doing to allow for the downfall of PtW servers. Lightman is doing an amazing job caring for this mod and he only wants to make sure his creation isn't being used to make users real life money. While officially reporting the server to the Mojang officials that it is in violation of the EULA/MUG would work, those processes take time and even then if the server in question is within a modded instance, there's a high likelihood that Mojang/Microsoft won't even consider it, leaving it to the community to fend for themselves. So my question here would be: would you rather wait forever for a higher entity to take action on a server despite not even knowing if they will handle a modded instance, or would you want to take things into your own hands to ensure that the server owners know that what they are doing is wrong? Also, pushing a complaint may work once or twice, but then said owners might get wise and just use another mod as the middle man and the cycle will continue, that or another server will take its place.
As you've noted, you've successfully listed all three places that I have backdoor access to:
The lcadmin
command, the lcbank
command, and LC Admin Mode itself (which is just an extension of the lcadmin
command backdoor)
In addition, I also have backdoor access to a lightman
command that mostly just does what the lcbank
command does, but with the ability to give/take to/from a players wallet directly.
The purpose of these backdoors is so that I can crack down on any pay-to-win servers that attempt to use my mod as its medium to violate Mojang's TOS, as I 100% do not condone any illegal usage of Minecraft, which is part of why I've elected to ignore fixing any issues that only occur on cracked versions of the game where a players UUID isn't constant due to it not being linked to their Mojang Account, etc.
If you're concerned about any more dubious backdoor code being hidden in the secrets
package, which I'll admit is a fair concern as you don't know me and I could easily have some shady shit in there, you can easily look at what's in there yourself by simply de-compiling the jar and viewing the only class in the package and take a look at the code in there.
If it's really that big of an issue I don't mind unhiding that package from the open source code to make it more public that the backdoor exists for anyone willing to look into it, as well as to alleviate any concerns about any actual shady code being included with the mod. That said I legitimately don't think this is this big of an issue, but regardless I have no plans on removing this backdoor, and if this is that big of a deal-breaker for you, you're more that capable of simply choosing to not use my mod.
P.S.
For future reference, if you want the polite cooperation of a developer on such a sensitive topic, saying phrases like "Your a disgrace to the modding & open source community" generally aren't the best ways to get a calm and polite response...
P.P.S.
Strictly speaking, I didn't even have to make my mod open source in the first place before uploading to curseforge, and there are several mods out there that aren't open source, some of which heavily re-write core Minecraft code (such as Optifine), and I don't see people complaining about them potentially leaving security holes or violating player trust.
Very well, you've convinced me.
It shall be removed in the next update.
I've never had any need to use it, and you are correct that it's only proper use would be better handled by simply reporting the EULA violation to Mojang.
This still does not excuse the fact that the mod gives you access to the economy of any server using it.
The purpose of these backdoors is so that I can crack down on any pay-to-win servers
In other words you wish to deliberately use this access to "grief" on such servers. The proper way to handle such issues would be to report the EULA violation to Mojang and not engage in vigilantism.
you can easily look at what's in there yourself by simply de-compiling the jar
Yes me and many other developer's can easily look into it, however I don't expect the average server owner to be able to know how to decompile a jar or how to understand the Java that makes it work.
I also don't expect a mod to have such access and not report it anywhere so I don't go around decompiling every single JAR I happen to come across.
and I don't see people complaining about them potentially leaving security holes or violating player trust.
If I was complaining about the fact that you were potentially violating player trust or leaving security holes by having your mod closed source then this would be any other argument that the open source community is familiar with.
I am instead complaining about the fact that you are infact violating player trust.
Additional context Your a disgrace to the modding & open source community ๐
You're*
If you insist on insulting someone, at least do it properly
Just want to chime in and say that the mod author does not deserve insult of any kind for such a non issue. Calling this a "back door" is such a stretch.
Thank you lightman for keeping up with the children in this community. Know that your work and find still is appreciated by most.
Calling this a "back door" is such a stretch.
You must be mistaken. That is what a backdoor is.