MWSE, Lua and OpenMW compatibility

General discussion regarding the OpenMW project.
For technical support, please use the Support subforum.
User avatar
AnyOldName3
Posts: 2666
Joined: 26 Nov 2015, 03:25

Re: MWSE, Lua and OpenMW compatibility

Post by AnyOldName3 »

There's still the possibility that someone releasing malware as a mod will decide that most modders are more technically minded than your average Joe, and so may be reluctant to run CliffRacersAreVladamirPutin.exe, but would feel safe installing CliffRacersAreVladamirPutin.omwaddon, and that therefore, the malware will take longer to be noticed and hit more people if it's packaged as a real mod.
User avatar
psi29a
Posts: 5355
Joined: 29 Sep 2011, 10:13
Location: Belgium
Gitlab profile: https://gitlab.com/psi29a/
Contact:

Re: MWSE, Lua and OpenMW compatibility

Post by psi29a »

Doesn't have to be viruses, it could be a low-priority crypto-coin miner. That would fly under the radar of most, if not all, virus scanners for example.

I mean, you come off saying that it is hypothetical that there could be a virus in a mod but it hasn't happened. I point out that it isn't hypothetical, it has happened and yet you backpedal a bit and still suggest that a it won't happen. I mean, that's a _really_ shaky argument given that you didn't even know about the event that happened.

It's a valid security concern to sandbox your scripting.

If your only reason for running software, via scripting, is because the engine can't be modified to do what you need it to, you have a point. But OpenMW can be modified to expose the functionality needed which negates the whole point having to run other software.
NullCascade
Posts: 121
Joined: 16 Jan 2012, 07:58

Re: MWSE, Lua and OpenMW compatibility

Post by NullCascade »

psi29a wrote: 14 Jun 2018, 20:01Doesn't have to be viruses, it could be a low-priority crypto-coin miner. That would fly under the radar of most, if not all, virus scanners for example.

I mean, you come off saying that it is hypothetical that there could be a virus in a mod but it hasn't happened. I point out that it isn't hypothetical, it has happened and yet you backpedal a bit and still suggest that a it won't happen. I mean, that's a _really_ shaky argument given that you didn't even know about the event that happened.

It's a valid security concern to sandbox your scripting.
Where did I backpedal? I literally linked to an interview where I made the exact same argument weeks ago. Here's what I said, in written form:
NullCascade wrote:So, this is a hard question, because their concerns are completely valid. The new scripting language lets you do -- you're downloading basically fully capable programs to your computer, rather than just an esp file with a couple of lines of mwscript in it. So, if someone wanted to deliver a virus via this new system, they could. But, Oblivion and Skyrim have had these features for years and years now. And I don't think I've ever heard of a Skyrim-delivered virus before. Modders need to, you know, be careful, and not download sketchy software, just like you wouldn't go to, you know, some weird site and download weird program. You shouldn't download sketchy mods from people. But I think with popular sites like the Nexus, where there's accountability and if someone tried to deliver something malicious there I think they'd get shut down pretty fast. I just don't think it's an issue worth worrying about. Sure, they're right, but we have so much history with having these features in other games and it has never been an issue. So, I'm just not really that concerned about it.
DarkElfGuy wrote:Oh yes, I can't think of really any, you know, mods pretending or well uploaded as viruses that has happened at any time in the history of our community. I seem to recall, I think, that the Nexus implemented the virus scanning software more as a response to public opinion than a specific incident, though I can't quite remember if there was something or not. I don't think there was.
NullCascade wrote:Yeah, I'm not sure. But every time you download pluggy, or Frostfall, or any of these mods that ship with a Oblivion or Skyrim DLL, that's all precompiled code and that's not limited to Morrowind's or Oblivion's or Skyrim's sandbox. So they can go, and can delete your files, or do whatever. But what they're actually doing is loading in some extra library that they need, or they're adding some functionality or some logic that isn't practical or isn't viable to write in the sandbox. And I think that offering that power to modders is more important than trying to keep security in mind for what we are. Something could again be caught pretty easily. I just don't think it's worth limiting modders in the name of security. To be clear, a lot of projects also use lua for this system. A bunch of emulators, a bunch of professional software -- I think OBS uses it. It's not an uncommon practice, and it's not really common for viruses to be delivered via plugins to these software. I mean, if you can convince a user to download your plugin or your code you've sort of already won as a malicious software writer, right? Just getting them to download something is enough. If you can convince someone to download a SKSE plugin, you can probably convince them to download an executable and run it.
Your counter-argument to this and my somehow-backpedaling comes from something entirely unrelated to the discussion at hand. Someone compromised the Nexus site. That has nothing to do with script extensions. That's like OpenMW shouldn't be executable because someone who works at GitHub got compromised. There's just no connection.

You can say it's not hypothetical all you want, but your "evidence" is tangential at best.
psi29a wrote: 14 Jun 2018, 20:01If your only reason for running software, via scripting, is because the engine can't be modified to do what you need it to, you have a point. But OpenMW can be modified to expose the functionality needed which negates the whole point having to run other software.
Yes. Because having a bunch of forks is both healthy for the community, and healthy for security. /s

OpenMW will never add the support that every modder wants, it will have to be done via engine forks. Which is terrible.
User avatar
wareya
Posts: 338
Joined: 09 May 2015, 13:07

Re: MWSE, Lua and OpenMW compatibility

Post by wareya »

Shallow forks are great, actually. You could just make a fork that adds the very most basic bits of IPC needed to make most unsafe mods work, and modders can use that and keep it up to date with "upstream" openmw. It wouldn't be problematic at all.
NullCascade
Posts: 121
Joined: 16 Jan 2012, 07:58

Re: MWSE, Lua and OpenMW compatibility

Post by NullCascade »

wareya wrote: 14 Jun 2018, 21:37Shallow forks are great, actually. You could just make a fork that adds the very most basic bits of IPC needed to make most unsafe mods work, and modders can use that and keep it up to date with "upstream" openmw. It wouldn't be problematic at all.
There's a reason this FOSS mentality has never caught on. It's a nightmare for end users. It works for you, it works for me. It doesn't work for the guy that just wants to play Morrowind with his favorite mods and maybe an updated engine.
User avatar
psi29a
Posts: 5355
Joined: 29 Sep 2011, 10:13
Location: Belgium
Gitlab profile: https://gitlab.com/psi29a/
Contact:

Re: MWSE, Lua and OpenMW compatibility

Post by psi29a »

NullCascade wrote: 14 Jun 2018, 21:07Yes. Because having a bunch of forks is both healthy for the community, and healthy for security. /s

OpenMW will never add the support that every modder wants, it will have to be done via engine forks. Which is terrible.
Isn't that the moment that modder stops being a modder and becomes a developer/programmer?

You assume a lot when you say every, so I'm going to assume that for the moment, you mean yourself. ;) You want to be able to do anything you want, and you have with MWSE. Some modders are all over that, that's great for Morrowind because Morrowind never gave modders the ability to _ask_ for features to be implemented.

OpenMW is forked all the time. 500+ on GH alone but I doubt that is what you mean by forking, you mean something like TES3MP? Isn't TES3MP long-term goal to be included back into OpenMW? You're now calling TES3MP fork of OpenMW terrible. I think you need to hold back on the hyperbole and focus.

Say that Zini is persuaded to make Lua the defacto scripting language, deprecating mwscript in the process and meeting you half-way.

You offered to see MWSE being developed in a way that made sure mods created with MWSE would also play nice under OpenMW.

Can we play ball?
User avatar
wareya
Posts: 338
Joined: 09 May 2015, 13:07

Re: MWSE, Lua and OpenMW compatibility

Post by wareya »

NullCascade wrote: 14 Jun 2018, 21:39
wareya wrote: 14 Jun 2018, 21:37Shallow forks are great, actually. You could just make a fork that adds the very most basic bits of IPC needed to make most unsafe mods work, and modders can use that and keep it up to date with "upstream" openmw. It wouldn't be problematic at all.
There's a reason this FOSS mentality has never caught on. It's a nightmare for end users. It works for you, it works for me. It doesn't work for the guy that just wants to play Morrowind with his favorite mods and maybe an updated engine.
It doesn't matter that it's FOSS. Modding guides would just direct people to a specific engine. It would just happen to be a fork of openmw.
Eli2
Posts: 52
Joined: 27 Nov 2011, 08:23

Re: MWSE, Lua and OpenMW compatibility

Post by Eli2 »

NullCascade wrote: 14 Jun 2018, 21:39 There's a reason this FOSS mentality has never caught on.
Go away troll.
plonk
NullCascade
Posts: 121
Joined: 16 Jan 2012, 07:58

Re: MWSE, Lua and OpenMW compatibility

Post by NullCascade »

psi29a wrote: 14 Jun 2018, 21:56OpenMW is forked all the time. 500+ on GH alone but I doubt that is what you mean by forking, you mean something like TES3MP? Isn't TES3MP long-term goal to be included back into OpenMW? You're now calling TES3MP fork of OpenMW terrible. I think you need to hold back on the hyperbole and focus.
:roll: This doesn't even deserve a real response.
psi29a wrote: 14 Jun 2018, 21:56Can we play ball?
Ball's in Zini's court. You're asking the wrong person.
wareya wrote: 14 Jun 2018, 22:13It doesn't matter that it's FOSS. Modding guides would just direct people to a specific engine. It would just happen to be a fork of openmw.
And what about when there's no specific engine that is acceptable? Zini doesn't want feature X, so it never goes in. ModMW is forked. Its maintainer doesn't have the same developer base as OpenMW, and it only makes a few niche features. People may prefer it over the main branch, but now you have two different attempts at solving the same issues. This just creates more headaches for mod authors, which in turn creates more issues for mod users.
Last edited by NullCascade on 14 Jun 2018, 22:23, edited 1 time in total.
Chris
Posts: 1625
Joined: 04 Sep 2011, 08:33

Re: MWSE, Lua and OpenMW compatibility

Post by Chris »

NullCascade wrote: 14 Jun 2018, 21:07 Yeah, I'm not sure. But every time you download pluggy, or Frostfall, or any of these mods that ship with a Oblivion or Skyrim DLL, that's all precompiled code and that's not limited to Morrowind's or Oblivion's or Skyrim's sandbox. So they can go, and can delete your files, or do whatever. But what they're actually doing is loading in some extra library that they need, or they're adding some functionality or some logic that isn't practical or isn't viable to write in the sandbox.
The main difference is, Oblivion's and Skyrim's (and Morrowind's) scripting sandboxes are currently static. They can do what BGS last had them capable of for their needs, and that's it. They don't continue to add new functionality to the game as the need arises from other games or mods. They also don't have to worry about non-Windows systems. Modders have no choice if the scripting engine can't do what they need.

This is not the case with OpenMW. OpenMW will continue to evolve for everyone, adding new features as people need in a way that benefits everyone, not just Windows users.
I mean, if you can convince a user to download your plugin or your code you've sort of already won as a malicious software writer, right?
If the code is not properly sandboxed, sure. But people expect mods to be fairly well sandboxed. They may get a little antsy if they see a .dll file, but by and large, if they just see an esp/omwaddon file or whatever, the worst they can expect is a corrupt save. But allowing Lua scripts to run under no or very light sandboxing will open up problems on unsuspecting players. IMO, it's reasonable for devs to not want to feel responsible for allowing it or to feel as if they broke the player's trust that the engine and things played on it are safe.
Yes. Because having a bunch of forks is both healthy for the community, and healthy for security.
Yes, actually, it is. Competition is good. If someone falls behind on providing what people want, people won't follow them. If something proves unsafe, people have alternatives to go to. Someone may want to target a niche that the main project can't reasonably pander to. Do you know how many forks of the Doom engine there have been over the years? The Doom modding community is still going strong with one of, if not the most popular fork being extremely tight on security because it's shown to be a healthy attitude to take compared to other forks that have been more lax.
Post Reply