Should automatic downloads be on by default in the `next release`?

[Thorn]

I always took it for granted that automatic downloads would be on by default in the next version of tremulous(If there is ever to be one). However, yesterday, this was said to be untrue by a well known contributer to the game.

The reason for downloads to be kept off was `They are a security risk` This may be true to a really minimal sense, but shouldn't they be slightly restricted instead? Even more so, the client should know not to play on suspicious servers.

I'd be really interested to hear what the mappers have to say about this.

[Plague Bringer]

Auto-download being on by default would be great. There should be a warning that it's on, though, and what the risks are.

[Rocinante]

I think someone in-the-know about the security risks should speak up about what the exact problem is (I know it relates to code that can be run which is downloaded from the server automatically, but not specifically what might be done to circumvent that and keep the client safe).  But I would love to see some way to enable auto-downloads, perhaps in a tiered way:

• All maps & non-executable code on by default
• All executable code off, but with the option to turn it on (QVMs, etc) with a very stern warning of why it's a bad idea
• An in-game "Do you want to do this" kind of option which can ask if you really want to trust that QVM you just downloaded

On one hand, the constant "Are you sure?" dialogs of Windows has created a generation of people who blindly click "yes" when asked a question, but I think I'd rather see that than the situation where really good maps don't get played because everyone disconnects when it gets loaded.

[gimhael]

There are probably many ways in which a prepared pk3 can infect a client system. But I don't think that manual downloads are in any way more secure than automatic downloads. (Well maybe a malicious server owner could redirect your client to contact a server he wants to DOS.)

[googles]

I haven't tested alot of my theories, simply because i don't feel i should create a malicious pk3 at all, but.......

I have been doing a little digging for my own, and it seems that QVMs themselves can load DLL files independently. This allowing someone to place a DLL in the pk3, have the cgame load it, and then do w/e they want. Now im not totally sure weather im allowed to speak of this on here or not. Considering the "cheating" stuff that has been going around, but im pretty sure this is fixed in the latest SVN and this shouldn't be a problem. But like i said, these are only theories i have..

Also, as TJW himself said. Any type of auto download can be a security risk, the best we can do now is either remove the cgames/ui/game's ability to load DLL files and hope that the community would be considerate enough not to distribute malicious packages

[gimhael]

The loading of DLLs is disabled on pure servers and it is disabled by default on non-pure servers.

Personally I'd remove that feature completely. The performance of the native compiled code is probably only a few percent better than the compiled bytecode and according to my benchmarks the client spends only ~5% of its time in the qvm code anyway.

[amz181]

I was going to vote yes... Then i realised i have no idea what a QVM or a PK3 is... And then i realised i am pretty crap at tremulous...And then things went downhill from there 

[Undeference]

Bug 3038 comment #1
Some of the comments here are not entirely accurate. Others may potentially be close to breaking forum rules.

[Ender]

Auto-downloads via libcurl are enabled in TremFusion. And yes, it's very, very nice. You should go get it, I think you'd like it.

https://www.tremfusion.net/trac/wiki/Releases

-Ender

[Rocinante]

Auto-downloads via libcurl are enabled...

They're enabled on the release I compiled on my desktop too; but that doesn't have anything to do with the possible problems that they create, nor the discussion of whether or not to have them turned on by default in the next release :>

[Odin]

Auto-downloads via libcurl have been available since tjw put up the famous "tjw build".

[sticks]

auto downloads are definitely a positive thing for a game to have and i think to not make it standard with trem would be a disservice to the community. most online games are already set now for auto dls and the auto dl feature avoids the confusion of how and where to install things if you download them manually

[benmachine]

There are known security risks in the current implementation of QVMs, but the point is that even if they are addressed then running code on your computer is still an inherently Bad Thing from a security standpoint. There WILL be a buffer overflow or a bug exploit somewhere and noobs who don't know the difference between a bad server and a good one will get caught in the crossfire. I say noobs because that's basically who we're talking about - in 1.2 there will be an Options screen on the main menu with an "allow downloads" choice so I really think that anyone who comprehends the risk will not have a problem. Even without the security flaws, it is very easy to at least ruin your game of Tremulous with some well-placed menu or config files.

This kind of leads me on to another issue that many of you have overlooked. Assuming that your clients have autodownload on - better still, by default, such that they might not even know - you can put whatever shit you like in a zip and become a Community Modder like a shot. Take a look at the X and A servers, and imagine what it would be like if they had access to the class configs, models, sounds... currently modding is restricted to people who are serious about creating something worthwhile, because they know that their playerbase is reduced and that people joining will have intentionally opted in to their download and know what to expect. A culture of noobs who don't pay any attention to the downloading screen or any thought to how it might change their experience is in for a nasty shock.

Not that I'm completely against the idea. But it's far better to have a dialog like the one tjw recommended or Risujin coded. Of course we can never truly defeat the "yes/I agree/whatever" issue but it's certainly better than either option that has the computer decide. It would also be good if after downloading the pk3 and before opening it, you were given a listing of all the files it contained and the option to delete it and disconnect.

[tuple]

The implication that security could be preserved as mentioned previously in this thread is laughable.  All OSs are patched against known exploits.  Does this imply that there will be no more virus/worms/etc?  Autodownloads means one server could cause all sorts of problems, perhaps so quietly that the user won't know, to all sorts of people.

It should be disabled on download and offered to be turned on, per server would be best IMO.  It is the typical newbie coder attitude of "its fixed, what could possibly go wrong?" that should be avoided.  I've dealt with it for years.  "Sure, change these DB constraints on the production DB.  It only changes this, what could possibly go wrong?"  Then I watch as a server farm drops like a rock.

Having a system that downloads code means you need to control the place the code is distributed from.  If you cannot do that, which tremulous clearly cannot due to its nature of independent servers, then you need to make the user decide to put their machine at risk.  Your not enabling it on install is the warning that it is a security risk.  Computer security 101.

cue the complaints that browsers do that.  Yes, see the javascript/flash/ad nauseum methods of infecting/breaking/rooting computers.  Then realize that the people making browsers, even OSS, have paid employees working on it to wake up at 2am to code a workaround and they have automated distribution channels, and computer professionals expect them to have serious security issues due to their nature.

[==Troy==]

As It was suggested before. A simple script to check the pk3 for the qvm/ui files on the client side will allow you to choose whether you want to download the map file or the actual mod (if map file after download did contain the qvm/ui files it is immediately disabled and a warning is given to the client).

By disabling the autodownloads you are not only discouraging the servers to mod tremulous, but you are also discouraging the servers to run custom maps. And users turn on the auto downloads not because of the mods the server wants them to download, but mainly because they want to play a new map and cannot be asked to search it via google and dl/place it manually.

I can understand limiting the modding capabilities, but limiting the maps is a nonsence.

[googles]

Just to note, loading of DLLs is not the only thing, tremulous has various places that it can be exploited using a buffer overflow. Hell i know of a method off the top of my head that wouldn't require a download at all, it can be done server side on connect.

[kevlarman]

Just to note, loading of DLLs is not the only thing, tremulous has various places that it can be exploited using a buffer overflow. Hell i know of a method off the top of my head that wouldn't require a download at all, it can be done server side on connect.

http://bugzilla.icculus.org/

[+ OPTIMUS +]

most of us has autodownloads off and forced to quit when any new maps appears.
some of us has autodownloads on because we are curious.

some of us are in a huge pile of security danger.

BLEEHHHH

[googles]

Just to note, loading of DLLs is not the only thing, tremulous has various places that it can be exploited using a buffer overflow. Hell i know of a method off the top of my head that wouldn't require a download at all, it can be done server side on connect.

http://bugzilla.icculus.org/

Id rather pass it directly to a tremulous dev rather than post the exact way of doing it on a public bug tracker.

[sticks]

so many games already use auto dls though, even with the possibility of getting a virus. if the risk was that great, then games would not come with the feature enabled. i agree that by disabling this you are doing a disservice to the community my disallowing mods and new maps to be more readily accepted. besides just look back to trems roots. . .

[Odin]

Just to note, loading of DLLs is not the only thing, tremulous has various places that it can be exploited using a buffer overflow. Hell i know of a method off the top of my head that wouldn't require a download at all, it can be done server side on connect.

http://bugzilla.icculus.org/

Id rather pass it directly to a tremulous dev rather than post the exact way of doing it on a public bug tracker.

/query Timbo

[Lava Croft]

besides just look back to trems roots. . .

You think people got a hold of the Tremulous Q3mod via automatic downloads? Man, if I had known that at the time it would have saved me a lot of aggravation while downloading tons of tiny pk3 files!

Automatic downloads should be disabled by default, since you should not force automatic downloading of stuff onto people, ever.
If a person does not have the common sense to find the menu option that relates to enabling automatic downloads, I think that
person might just be too thick for a game of Tremulous.

[daenyth]

Originally I thought it should be on, but after reading this, no. It definitely should be off, for the reasons people have been saying.

Aside: any way to change my vote on the poll?

[==Troy==]

The thing that some people do not realise is that having those security risks does not make it safer to have autodownloads off.

As long as there are custom maps people WILL turn the autodownloads on. Just to be able to play them. They are not aware of security risks and unable to tell a mod from the map. And having them off by default is both restricting the customs maps AND not helping the security problem.

The only proper solution (besides fixing the holes) is to split the map downloads and mod downloads. and have the latter disabled with a warning when you enable it.

[gimhael]

Except that map paks might contain exploits too. Almost any file format has had it's exploitable buffer overflows or similar bugs. Same goes for the network protocol, unless you prove that the code has no bugs (and then prove that the compiler you used has no bugs and that the CPU you run it on has no bugs, etc.) there is always some risk.

At the end of the day, running a pak is a matter of trust in it's origin, just like opening an email or a web page.

But I agree, that the autodownload option should be available, but disabled in the default settings.

[rotacak]

Should be on. Anyway everybody turned it on already. Only noobs don't know where to allow it and then are on every server same default maps, because noobs don't know how to download map or how to turn on autodownload so they don't want maps that can't play. 

If one requester appear before downloading map starts "Download this map? It's security risk, blah blah, it can kill your dog, blah... YES/NO" then it will solve all.

I don't know anyone who downloading all maps manually and checking their content. 

[googles]

Trust plays a big part in the whole security issue, from what i have seen there is no reason to hurt any of the players on tremulous. From my experience alot of the players are nice....I guess its times like these you just have to have trust in the community...

[+ OPTIMUS +]

how about a straight QUESTION whenever the server wants you to download something?

server XYZ needs you to download the following file to be able to play at this place: "UTCS.wtf" wich is supposed to be a MAP /pure
server XYZ needs you to download the following file to be able to play at this place: "grangerp0rnz00rz.wtf" wich is supposed to be a MOD /unpure /requires: wHagg1n4z.wtf wich is a MAP

[==Troy==]

Except that map paks might contain exploits too. Almost any file format has had it's exploitable buffer overflows or similar bugs. Same goes for the network protocol, unless you prove that the code has no bugs (and then prove that the compiler you used has no bugs and that the CPU you run it on has no bugs, etc.) there is always some risk.

At the end of the day, running a pak is a matter of trust in it's origin, just like opening an email or a web page.

But I agree, that the autodownload option should be available, but disabled in the default settings.

Buffer overflow is a bug, not a security risk. Whats the difference if the game will crash, or player will not be able to play on the server/s ?

The real security issue is that the server can make the client download and execute code on the client side, and especially escape the VM sandbox. And here the client can have the check for the vm/dll files in the pk3, and auto-disable those packs that have them.

[==Troy==]

*double post*