[MODS] Mod registry design
Introduction
By registry we mean an online, server-like catalogue of trusted mods (a mod is 3rd or 1st party source code that extends the Cubyz engine with additional content) that were verified by a 3rd or 1st party. The purpose of the registry is to move the responsibility of reviewing mod code from non-tech-savvy users to those who are used to working with code. This does mean that players have to trust the 3rd party that verified this code, but in open source it is inevitable to rely on trust at some point in the dependency tree; you are not able to verify everything yourself, thus we consider this approach a fair compromise.
Because Cubyz is an open source project, we won't be investing time in designing the registry or modding interface in a way that gives closed source mods or registries a way to restrict access to source code, and we will ignore any issues that request such features.
Assumptions
- Players should be able to add online registries they trust in launcher and they should seamlessly merge into one catalogue of mods
- Registry should contain information about what Cubyz versions they support, who made them, where to download the source code from and the hash of the source code to verify that it didn't change since review
- Registry may contain multiple versions of same modification so we should have version resolution algorithm that picks latest version compatible with Cubyz version you have ATM
- Registry should not contain mod source code itself
- Registry should be cached locally
- Registry should be versioned
- Launcher should allow you to view what was added to registry and what was removed
- Mod distribution format should allow both assets and source code to be identified and downloaded
- Adding Mod with version X should disallow re-publishing that version with different source code (preferably at all) to ensure stability for mod packs and to reduce risk of supply chain attacks.
- Players, when joining modded servers, must be informed that it is modded, what the mods are and where they come from
- Players when joining server should be offered an option to automatically download the mods and add their sources to the registry
- For 3rd party registries that are not already added to launcher trusted registry list we should always display a warning message about potential consequences of installing malicious software
- We should include 1st party registry by default in launcher and we should maintain a very limited 1st party registry, mostly with features we discussed for core game but were discarded or implemented in significantly changed way
- We should ensure that source code linked in registry does not disappear, so registry should have built in tools for managing it on its own, but separately from metadata.
- Regardless of the registries, launcher should support direct installation of mods from zip archives in predefined format, possibly with dedicated file extension and metadata attached.
Questions
- Do we want to allow proper dependency trees to allow library mods or should people figure that out on their own?
- Should we use git or other VCS or design the protocol ground up? Biggest advantage of git at the moment is that there is a free infrastructure offered by GitLab, GitHub etc, but it may change anytime.
- Should we store mod versions as Zip archives next to the registry package metadata? There were cases where people pulled their source code from registries, either out of spite or for righteous reason which was very disruptive.
- Should we use Python, Postgres and Containers or alike stack to create proper server infrastructure for uploading, storing and transferring mods?
- Should we look for existing package manager infrastructure to rely on?
> Do we want to allow proper dependency trees to allow library mods or should people figure that out on their own?

No, dependencies should be resolved by the modpack creator, I believe this is also how it's handled in Minecraft.

> Biggest advantage of git at the moment is that there is a free infrastructure offered by GitLab, GitHub etc, but it may change anytime.

Note that all of these services also allow direct source download as tar.gz or zip.

> Should we store mod versions as Zip archives next to the registry package metadata? There were cases where people pulled their source code from registries, either out of spite or for righteous reason which was very disruptive.

I think this should be in the responsibility of the registry maintainers. Third party maintainers could just fork the mods in question and add a link to the fork in their mod list. This has the advantage of also preserving the entire history and might make it easier for other people to take over development of a particular mod.

> Should we use Python, Postgres and Containers or alike stack to create proper server infrastructure for uploading, storing and transferring mods?

No, it should be possible to host a registry on GitHub. E.g. I hosted a Java Maven repository for some of Cubyz's Java dependencies at one point, and it was very convenient that I could do so without hosting my own dedicated server.
> Do we want to allow proper dependency trees to allow library mods or should people figure that out on their own?

Yes, but have the launcher figure the dependency tree and download the dependency mod or mods.

> No, dependencies should be resolved by the modpack creator, I believe this is also how it's handled in Minecraft.

I think a mod should specify that it requires a different mod for it to work. As you (IntegratedQuantum) mentioned, in Minecraft the mod doesn't load if you don't have its dependency installed, and it shows you that (see attached screenshot).

> Should we use git or other VCS or design the protocol ground up? Biggest advantage of git at the moment is that there is a free infrastructure offered by GitLab, GitHub etc, but it may change anytime.

I think GitHub is too big now to go and charge users. I mean they do offer paid tiers, and I think that's all that they're going to do and have enough money from that.

> Should we use Python, Postgres and Containers or alike stack to create proper server infrastructure for uploading, storing and transferring mods?

We could make a repo that has multiple JSON files that have all of the information about the mod, like where the source code is and where the launcher should download from, and the name of the mod (or that can be taken from the name of the JSON file), but the JSON could contain the description of the mod. And if we do this, then this could be 1st party mods, as we would need to approve a PR to add a mod to the registry.
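
An added sketch (not code from the Cubyz project or from anyone in this thread) of the launcher-side checks that the assumptions list and the JSON-per-mod proposal imply: merging registries, refusing a re-published version whose hash changed, resolving the latest compatible version, and verifying the downloaded archive. The field names, registry names, URL and version numbers are constructed for illustration, and versions are assumed to be plain dotted integers.

```python
import hashlib
import hmac

def ver(s):
    """Turn '0.2.10' into (0, 2, 10) so versions compare numerically, not as text."""
    return tuple(int(p) for p in s.split("."))

def merge(registries):
    """Merge registries into one catalogue keyed by (mod id, version); hypothetical schema."""
    catalogue = {}
    for reg in registries:
        for e in reg["mods"]:
            key = (e["id"], e["version"])
            seen = catalogue.get(key)
            if seen is not None and seen["sha256"] != e["sha256"]:
                # A published version is immutable: never overwrite, surface the conflict.
                raise ValueError(f"{key} republished with different sources in {reg['name']}")
            catalogue.setdefault(key, {**e, "registry": reg["name"]})
    return catalogue

def resolve(catalogue, mod_id, cubyz):
    """Pick the latest version of mod_id whose supported range covers this Cubyz version."""
    ok = [e for (i, _), e in catalogue.items()
          if i == mod_id and ver(e["cubyz_min"]) <= ver(cubyz) <= ver(e["cubyz_max"])]
    return max(ok, key=lambda e: ver(e["version"]), default=None)

def verify(entry, archive):
    """True only if the downloaded bytes match the hash recorded at review time."""
    digest = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(digest, entry["sha256"])

# Constructed sample data: bytes standing in for a reviewed archive, plus three registries.
ARCHIVE = b"constructed bytes standing in for a reviewed mod archive"

def entry(version, lo, hi, data=ARCHIVE):
    return {"id": "example_mod", "version": version, "cubyz_min": lo, "cubyz_max": hi,
            "url": "https://example.invalid/example_mod.zip",
            "sha256": hashlib.sha256(data).hexdigest()}

FIRST = {"name": "first-party",
         "mods": [entry("1.2.0", "0.1.0", "0.1.9"), entry("1.10.0", "0.2.0", "0.2.9")]}
THIRD = {"name": "third-party", "mods": [entry("1.9.0", "0.2.0", "0.2.9")]}
REPUBLISHED = {"name": "republished", "mods": [entry("1.10.0", "0.2.0", "0.2.9", b"other bytes")]}

if __name__ == "__main__":
    cat = merge([FIRST, THIRD])
    best = resolve(cat, "example_mod", "0.2.3")
    print(best["version"], best["registry"], verify(best, ARCHIVE), verify(best, b"tampered"))
```

Because the hash travels with the reviewed metadata rather than with the download, the archive can be hosted anywhere (a forge's tar.gz/zip link or a fork) without widening what the player has to trust.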