SubSpace Forum Network


Posted

Okay, how 'bout this then?

A script will examine the Python script being sent to the client. It will complain if:

  • A module other than the "discretion" module is imported (which will have the math and random modules imported, for convenience [maybe StringIO too])
  • The script uses any suspicious functions (e.g. open, save)

If it does, it will warn the user, display what modules are being loaded if it's that, and prompt if he wants to continue.

I posted for a python-c API level solution, hopefully I will get a response.

Posted

The problem is I don't trust my ability to come up with a complete list of "suspicious functions". It's much better to say what is allowed, rather than what isn't allowed.

I also don't have a complete understanding of how Python works under the hood, especially under adverse conditions of someone purposefully trying to do something bad. This would require the Python bytecode compiler, interpreter, and the import scanner to be bug free, which is just too much risk for an unknown amount of gain.

Posted

I've never seen the advantage of a client side script. If there's something you'd like to do client side, then make a protocol addition so you can make a server side script.

 

I can see someone wanting to easily LVZ related events, but perhaps the LVZ format should be extended instead?

Posted

The only application for client-side scripts I could think of would be HUD-related things...

 

Why not make up some kind of home-made simple language with event-based functions, and simple commands to display stuff, play sounds, move things in the HUD, ...

Anything that has to mess with the ship, like shipchanges, shipresets, warp, should be handled server-side anyway.

Posted (edited)
I don't know how hard it is to make security good with an open-sourced client, but I think it would be wise somewhere between now and the near future to uhh close the source (I already know that it's opened and people have it) but since you have a zone now that invites people, you're going to get more attention than just the Developing community. I mean if you close it now it's not like you're going to become priitk, because even mr. ekted didn't get to view the code. (poor fella)

Edited by jabjabjab
Posted
The advantage of client side is that it is not subject to lag on the client's screen and provides a richer experience. Indeed it would only be mostly useful for graphical things.
Posted

I don't know how hard it is to make security good with an open-sourced client, but I think it would be wise somewhere between now and the near future to uhh close the source (I already know that it's opened and people have it) but since you have a zone now that invites people, you're going to get more attention than just the Developing community. I mean if you close it now it's not like you're going to become priitk, because even mr. ekted didn't get to view the code. (poor fella)

Closing the source adds very little to the security of the client. Anyways, I'm fairly certain my anti-cheat system will work, and I will encourage people to try to break it in an effort to make it more robust (after it's done, of course).

Posted

Probably, so do it on an alias account

 

Anyway, I found this for restricting python: http://code.activestate.com/recipes/496746/

I could edit this to allow discretion to be imported, and to allow exception handling.

Unfortunately, as someone pointed out in another forum, it does not stop code like 10**10*10 from eating all the memory of the program, but I could probably restrict multiplication, division, and exponentiation to certain values (ex. multiplication and division to 5 digits, and exponentiation to 5 digits on the input and numbers <= 5 for the factor)

Really, I think your main threat would be a fake biller stealing your password, since if a Python module crashes, you could probably just do Ctrl+Alt+Del and kill it, whereas we all know what would happen if someone stole your password.

Really, it's your client. Do what you want with it.
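As an added example (not code from any poster in this thread or from the linked ActiveState recipe), here is the "say what is allowed" approach from the second post applied to the checks proposed in the first and last posts: parse the script with Python's `ast` module and reject every construct, name, import or `**` operand that is not explicitly permitted. The permitted builtins and node types are constructed assumptions, and a static check like this does not bound values computed at run time, so it is one layer and not a complete sandbox.

```python
import ast
import builtins

ALLOWED_IMPORTS = {"discretion"}                 # the one module the thread allows
ALLOWED_BUILTINS = {"abs", "min", "max", "len"}  # constructed allowlist (assumption)
MAX_BASE, MAX_EXP = 99999, 5                     # limits suggested in the last post
ALLOWED_NODES = (  # no loops, lambdas, subscripts, classes, try/with, "from x import y"
    ast.Module, ast.Import, ast.alias, ast.FunctionDef, ast.arguments, ast.arg,
    ast.Return, ast.Assign, ast.Expr, ast.If, ast.Compare, ast.Lt, ast.Gt, ast.Eq,
    ast.Name, ast.Load, ast.Store, ast.Constant, ast.Attribute, ast.Call,
    ast.BinOp, ast.UnaryOp, ast.USub, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Pow,
)
# Constructed sample input: line 3 is the thread's 10**10*10, line 4 aliases a builtin.
SAMPLE = "import discretion\nx = discretion.math.sqrt(2 ** 3)\ny = 10**10*10\nmax = open\n"

def _small_int(node, limit):  # int literal in [0, limit]; bools do not count
    return (isinstance(node, ast.Constant) and type(node.value) is int
            and 0 <= node.value <= limit)

def _violation(node):  # reason string if this one node breaks the allowlist, else None
    if not isinstance(node, ALLOWED_NODES):
        return f"{type(node).__name__} is not an allowed construct"
    if isinstance(node, ast.Import):
        bad = [a.name for a in node.names if a.name not in ALLOWED_IMPORTS]
        return f"import of {bad}" if bad else None
    if isinstance(node, ast.Name):  # also stops 'max = open' aliasing and dunder names
        if node.id.startswith("_") or (hasattr(builtins, node.id)
                                       and node.id not in ALLOWED_BUILTINS):
            return f"name {node.id!r} is not on the allowlist"
    if isinstance(node, ast.Attribute):  # every attribute chain must start at discretion
        rooted = isinstance(node.value, ast.Attribute) or (
            isinstance(node.value, ast.Name) and node.value.id == "discretion")
        if node.attr.startswith("_") or not rooted:
            return f"attribute {node.attr!r} is not reached through discretion"
    if isinstance(node, ast.Call) and not isinstance(node.func, (ast.Name, ast.Attribute)):
        return "call target must be a plain name or a discretion attribute"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Pow):
        if not (_small_int(node.left, MAX_BASE) and _small_int(node.right, MAX_EXP)):
            return "** needs literal operands: base <= 99999, exponent <= 5"
    return None

def check_script(source):
    """Return 'line N: reason' strings; an empty list means the script passed."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: syntax error"]
    found = [(getattr(n, "lineno", 0), _violation(n)) for n in ast.walk(tree)]
    return [f"line {ln}: {why}" for ln, why in sorted(f for f in found if f[1])]
```

Repeated run-time growth such as `x = x*x` on successive lines passes this check, so memory and CPU limits still have to be enforced outside the script.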
