Should automatic downloads be on by default in the `next release`?

[gimhael]

My point is that when a server I usually puts a new map in it's rotation, then I will download it either manual or automatic with the expectation that there is no executable code in it. I may open the zip file and check if there are QVMs included or decompile the maps or whatever, but I would very much prefer if the engine checks this for me and gives a warning message. Usually you should only have QVMs in the data.pk3 and maybe one or two mods. That can be kept in the .cfg, no need for a database.

The GPL gives me the right to get the source code to any QVM I download, so I can read it, check it, modify it. Only if I redistribute it I am bound again by the GPL. An EULA is a contract that the creator (not the distrubutor) of the software wants the user to accept. So they are indeed very different things. I just wanted to note that the distributors of QVMs, (i.e. anyone who puts a pk3 with a qvm file in it on a webserver) is legally bound by the GPL.

[David]

There is no reason a QVM should ever be in a pk3 inside ~/.tremulous/base.
vms-*.pk3 is in the install folder, and mods should be in there mod folders.

IMO all pk3s should be forced to comply with the naming-scheme already in use, and whats loaded from them would then depend on the prefix on the name.  That way you don't need to check the contents, as trem wont even bother looking for a qvm in a pk3 that doesn't start vm- or for data in a pk3 that doesn't start data- (or the loaded map's pk3)

[Syntac]

Wow, a lot of people posted while I was at work.

A buffer overflow in the loading code and you can run arbitrary code.

If you add code to prevent buffer overflows, that exploit won't work.

[David]

Fixing a buffer overflow is easy, its finding it before the bad-guys that's the hard bit.
Also, this is an open source game.  Once a fix is released the bad people have it.  In closed source you have the time it takes them to decompile it, here you don't.
Unless you can get the update everywhere in a few hours, then its probably better to not release it until someone bad finds it.

And all the image / model / map code is old.  It's over the "acceptable security" threshold.

[cactusfrog]

There is also the challenge of getting a popular server. 

[Amanieu]

There is no reason a QVM should ever be in a pk3 inside ~/.tremulous/base.

I want to use my custom QVMs on an unpure server.

[Lakitu7]

There is no reason a QVM should ever be in a pk3 inside ~/.tremulous/base.

I want to use my custom QVMs on an unpure server.

It's pretty much a given that all bets of any resonable sanity are off, in an unpure server. Actually, their causing odd behavior on unpure servers is part of the reason why vm downloads to base are a bad idea.

[Amanieu]

Well maybe if unpure wasn't so much of a failure and didn't load any pk3 from the base folder, then it would work. See my new pure system in tremfusion.

[Lakitu7]

Well maybe if unpure wasn't so much of a failure and didn't load any pk3 from the base folder, then it would work. See my new pure system in tremfusion.

Removing it / making it optional is not a "new pure system." It's a new client behavior for sv_pure 0, which is the only server option. Thus, it's a new unpure system. Billing your features and projects deceptively is a bit of a theme with you though.

Unpure is a failure because Pure is the fix. Pure is only bad to you if you do not wish to allow server owners to choose how the game is played on his/her own server on which you play for free.

Obviously I do not speak for the developers, but I can still say pretty confidently that it's extremely doubtful that sv_pure is going anywhere in Tremulous. Solutions derived for your little pretend-Tremulous world that do not/could not/will not apply to Tremulous are entirely irrelevant to the discussion at hand.

[David]

In general using a QVM not sanctioned by the server will cause problems due to incompatibility.
If you happen to be smart enough to make sure your QVM works with the server in question, then you're a "power user" and can do what you want, just don't expect any one to offer you help when it goes wrong.

[Chomps123]

I SAID YES FOR THIS CAUS IT IS A LOT EASER FOR UNEXPERIENCED PLAYERS.

[your face]

K

[A Spork]

Ahem.

CAPS LOCK IS CRUISE CONTROL FOR COOL!!!!!!!!!!!!!


On Topic, Maybe it would be a good Idea to have the option to turn Autodownloads on and off during the install process. Now, it wouldn't fix the problem of people blindly clicking yes, but really, Is it really our problem if someone decides to do something potentially stupid/dangerous to their computer without thinking it through?

[kevlarman]

let the thread die please, there's a newbie friendly solution to the download problem in the works for 1.2.