AutoModpack icon indicating copy to clipboard operation
AutoModpack copied to clipboard

Published 20 hours ago verified publisher icon Skidamek

Download mods from Modrinth/Curseforge

Open MichelJonkman opened this issue 3 months ago • 4 comments

Motivation

This would basically fix the security issue, or at least make it just as safe as having users install a modpack

Description

Make users download mods from Modrinth/Curseforge and disable downloading directly from server by default.

Other information

No response

MichelJonkman avatar Mar 31 '24 14:03 MichelJonkman

It's ok as a feature, but it doesn't really resolve anything. You can still upload viruses on modrinth/curseforge, if not just virus then there could be a backdoor. Just downloading mods from by most 'trusted' source doesn't mean it is 100% safe, because nothing truly is. Since not that long ago there was a drama with fractureiser.

Skidamek avatar Mar 31 '24 16:03 Skidamek

I think thats actually pretty straight forward to implement Modrinth has this to get a mod from a sha1/sha512 hash and Curseforge has this to get a mod from a murmur2 hash (although the cf api usually requires a api key, there is also https://curse.tools/)

so the server could get all the download urls (probably cache them) and if a client joins it could compare the mods with the serve (maybe compare a hash of mod names)

if its not the same, the server would send the download urls via a game packet (if thats possible)

so there wouldnt be a need for a seperate http server (but this could still be used for mods that are not found on either modrinth or curseforge)

so i guess it would be a bit safer + you save bandwidth + you dont need to forward a seperate port

maxomatic458 avatar Apr 23 '24 16:04 maxomatic458

looks like something like that is actually already implemented https://github.com/Skidamek/AutoModpack/blob/e73aefad145be4156b10e545fda42e18afca00da/core/src/main/java/pl/skidam/automodpack_core/utils/Json.java#L92

maxomatic458 avatar Apr 23 '24 17:04 maxomatic458

looks like something like that is actually already implemented

Yes, it is implemented already and that works great. (besides that currently fetched link is sometimes not being used to download).

This issue is about adding feature which forces client to download mods only from modrinth/curseforge and not from server host at all. (At least that's how i interpret these words)

Make users download mods from Modrinth/Curseforge and disable downloading directly from server by default.

Skidamek avatar Apr 23 '24 17:04 Skidamek