Linking to unapproved files

Discussion in 'BukkitDev Information and Feedback' started by black_ixx, Apr 4, 2013.

Thread Status:
Not open for further replies.
  1. Hey guys!

    I know that the Bukkit staff has strict rules, but some actions are just disproportionate, I think.
    Some days ago I fixed a weird bug in my plugin. Because it was not approved yet - and the server owners needed it - I linked the file in a comment, but the link got removed because it's not allowed to link unapproved files. OK, I could understand it this time. This prevents inexperienced server owners from downloading malware or "bad" plugins. But then yesterday I fixed another bug and uploaded the file. I got a lot of requests from server owners that they need the plugin as soon as possible, so I linked the file again. My comment:

    "I've fixed this mistake. You can download the new build here: <Here was the link to the latest build but it got removed by staff again. Sorry I am not allowed to link it. Wait until it is approved.>
    But it was not approved yet. So use it at your own risk. Well, last time when I posted the link to the new file my comment got edited because it's not allowed to link not-approved uploads."

    And again it got edited. Yay -.-

    I started a little conversation with the person who edited the comments.
    He said that it is only allowed to link to a CI server with a disclaimer.
    Why is it not allowed to link to BukkitDev with a disclaimer?!

    Well, I know the Bukkit staff has a serious job and a set of rules, but rules can be changed.

    Wouldn't it be possible to allow linking to unapproved files if you paste a specific disclaimer and warnings too?

    Young, inexperienced server owners won't download these files, and the other owners know what they are doing. Also, they are probably able to tell the difference between a little project with one download and bigger plugins. I think everybody should be able to decide on their own whether to download these files or not.
     
    fromgate and Inscrutable like this.
  2. blha303

    black_ixx Because I could upload something with malicious code to BukkitDev and link to it before it's approved. People download it, it infects stuff, then they get upset at BukkitDev staff for not pouncing on this bad plugin file. I think with CI links, there isn't that implied guarantee.
     
    muffinjello likes this.
  3. But what about allowing the linking of unapproved files when the project has more than 10,000 downloads?
    This would reduce the risk a lot. Nobody who tries to spread his "bad" plugin will get this amount of downloads.
    And then there would be warnings and a disclaimer too.
     
  4. Lolmewn

    You would be surprised. I occasionally have to reject big plugins because they 'forgot to remove testing code', or simply have a sneaky backdoor. Or don't follow the auto-updater rules.
    Besides, this would be unfair against starting developers.

    If you have a huge bug that is fixed, that would otherwise crash servers/corrupt worlds, stuff like that, you can report the file, explain the situation and request an immediate review. This will make it quicker, but will only be done if your reasonings are valid.
     
  5. CreeperShift

    Oh god, after reading this, I better take my link down and get a CI running -.-
    Lolmewn
    I have a -BETA- version of my plugin, which should NEVER EVER EVER EVER show up on the release section of my plugin (where all my other files are).

    Now I provided that version for some of the people using my plugin because they want to help me test it.
    I've written a 5-line disclaimer, stating the risks and that it's an unapproved file, that it's intended as a beta test and which version you should download instead if you don't want to use the beta version.

    Now tell me, if I put up a CI all I have to have is a 2-line disclaimer. How is that any different? Just because a CI is overkill for my plugin I'm not allowed to do it? I've written a giant ass disclaimer, it should be enough. It should be treated the same way as a CI. I don't see what's all the fuss about it.
     
    Hoot215 likes this.
  6. Xaymar

    Can't you just put the CI disclaimer and instead link to where you upload your Beta builds? I have a similar setup, except that Jenkins automatically uploads them there.
     
  7. Lolmewn

    CreeperShift I'm gonna leave this to TnT, he's best at answering questions like that ;)
     
    CreeperShift likes this.
  8. CreeperShift

    That's essentially what I'm currently doing. But by the looks of it that's not allowed :/

    Lolmewn
    PFF :p newb :D
     
  9. That's exactly what I wanted to do, but it seems like it's not allowed. I would really support a little change of the rules.

    If the link was at an extra page with a big disclaimer only people who really need the file would find and download it.
     
  10. TnT

    black_ixx
    We will re-examine the policy, but at this time it will remain as stated.
     
    jorisk322 likes this.
  11. CreeperShift

    TnT

    Well that's a bummer, at least hopefully you are going to change it in the future.

    @Thread

    Anyone know a good CI Jenkins tutorial?

    I have a Jenkins server and a subversion setup, which has all the source code from eclipse in there for the plugin, but I'm not sure how to go from there and how to compile/build it :/ Never done this stuff before.
     
  12. lol768

    Are you using Maven for your plugin?
     
  13. CreeperShift

    Nope, Maven looked awfully complicated :O

    Is there no other way? :(
     
  14. Glad to hear! I'd really love these changes.
     
  15. lol768

    I'd really push you to use Maven - it's the easiest way of doing stuff.
    I copied https://github.com/NuclearW/Template and made some changes as required.

    If not, you can write your own compile script and setup Jenkins to execute it.
     
    hawkfalcon, NuclearW and CreeperShift like this.
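A compile script of the kind lol768 suggests, as an added example that is not part of this thread and not any poster's own build script. It assumes a hypothetical layout (Java sources and plugin.yml under src/, the Bukkit API jar at lib/bukkit.jar, output under build/) and, besides compiling and packaging, it refuses to package a plugin.yml missing the keys Bukkit needs and stamps the jar name and manifest with the git or subversion revision it was built from, so a dev build can be traced back to the exact code that produced it, the property a later reply in this thread values in Jenkins builds:

```shell
#!/bin/sh
# build.sh: compile a Bukkit plugin without Maven and package it as a jar
# whose manifest records the VCS revision it was built from.
# Added example, not from this thread. Assumed layout (hypothetical):
#   src/            Java sources and plugin.yml
#   lib/bukkit.jar  Bukkit API jar to compile against
#   build/          output directory (recreated on every build)

BUKKIT_JAR="${BUKKIT_JAR:-lib/bukkit.jar}"
SRC_DIR="${SRC_DIR:-src}"
OUT_DIR="${OUT_DIR:-build}"
PLUGIN_NAME="${PLUGIN_NAME:-MyPlugin}"

# Refuse to package a plugin.yml that lacks the keys Bukkit needs to load
# the plugin (name, main class, version). Returns 0 when ok, 1 otherwise.
check_plugin_yml() {
    yml="$1"
    [ -f "$yml" ] || { echo "missing $yml" >&2; return 1; }
    for key in name main version; do
        grep -q "^${key}:" "$yml" || { echo "$yml lacks '${key}:'" >&2; return 1; }
    done
    return 0
}

# Print the working tree's git commit or subversion revision, or "unknown",
# so that a dev build can be traced back to what was actually compiled.
vcs_revision() {
    dir="${1:-.}"
    if git -C "$dir" rev-parse --short HEAD >/dev/null 2>&1; then
        git -C "$dir" rev-parse --short HEAD
    elif [ -d "$dir/.svn" ] && command -v svnversion >/dev/null 2>&1; then
        svnversion "$dir"
    else
        echo unknown
    fi
}

# Jar base name carrying plugin name, declared version and revision,
# e.g. MyPlugin-1.0+abc1234 (the "+" separates the revision stamp).
build_label() {
    printf '%s-%s+%s' "$1" "$2" "$3"
}

# Compile every .java file under SRC_DIR against the Bukkit jar, copy
# plugin.yml in, and package everything with a manifest carrying the stamp.
compile_and_package() {
    check_plugin_yml "$SRC_DIR/plugin.yml" || return 1
    version="$(sed -n 's/^version: *//p' "$SRC_DIR/plugin.yml" | head -n 1)"
    rev="$(vcs_revision .)"
    label="$(build_label "$PLUGIN_NAME" "$version" "$rev")"
    rm -rf "$OUT_DIR" && mkdir -p "$OUT_DIR/classes"
    find "$SRC_DIR" -name '*.java' > "$OUT_DIR/sources.txt"
    javac -cp "$BUKKIT_JAR" -d "$OUT_DIR/classes" @"$OUT_DIR/sources.txt"
    cp "$SRC_DIR/plugin.yml" "$OUT_DIR/classes/"
    # X-SCM-Revision is a manifest attribute name chosen for this example.
    printf 'Manifest-Version: 1.0\nImplementation-Version: %s\nX-SCM-Revision: %s\n' \
        "$version" "$rev" > "$OUT_DIR/MANIFEST.MF"
    jar cfm "$OUT_DIR/$label.jar" "$OUT_DIR/MANIFEST.MF" -C "$OUT_DIR/classes" .
    echo "built $OUT_DIR/$label.jar from revision $rev"
}

# Run the build only when invoked as "sh build.sh build" (a Jenkins shell
# step), so the functions above can also be sourced and checked on their own.
if [ "${1:-}" = build ]; then
    compile_and_package
fi
```

In Jenkins this runs as an "Execute shell" build step (`sh build.sh build`) after the SCM checkout, and the revision in the jar name and manifest is what lets a server owner match a dev build to the commit it came from.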
  16. TnT

    The problem is, if you use a CI the entire responsibility is on you to ensure your plugins are safe, and people are warned (via the disclaimer) that they are leaving Bukkit to get the files from an untrusted source. Files from BukkitDev do not have that distinction - people assume they are safe because they come from the dev.bukkit.org site, even if you have a disclaimer stating otherwise.

    As mentioned, we will approve your file if you can provide solid reasoning for needing to jump ahead on the queue, and as always we will endeavor to ensure all files and projects are approved in a reasonable time.
     
  17. That's a point. People trust Bukkit 100% because they CAN. With that change of rules "bad" plugins would be uploaded and linked at Bukkit and then there is no cause to stop them - until you have checked the plugin. Hm, now I can understand the real sense of the rule.
     
  18. CreeperShift

    So I understand your main issue here, so let me offer a solution:

    Similar to how jenkins is a new site, plugins that want to offer a special download link (unapproved) need to also link it offsite, but not as a direct download. They need to put up a disclaimer similar to the CI one; then when people click on the link they need to be shown a new page, clearly different from bukkit. (Like my own website, offering and explaining the file.)
     
  19. ZachBora

    CreeperShift When I'm downloading stuff on bukkitdev I don't really bother reading what's written in the text on the left. It's an update, and I gotta install it. I then put it on my test server, if it starts without error and seems to work in-game, I put it on the real server.

    If there isn't an update yet, I'll look for a dev build from a jenkins link. And I'll download it and test it locally, more than if it was a bukkitdev file. Because the thing I downloaded from jenkins doesn't mean it's ready, it could just be a test build that contains unfixed issues. Bukkitdev files shouldn't contain as many issues.

    Edit:
    The difference between this and a jenkins is that it's easier to see what was changed on this build. There is a link to a commit usually that shows what changed. It's not just some random build the person just did.
     
    Phiwa likes this.
  20. CreeperShift

    Read above :p

    Also remember that I could easily upload the file with its many issues to dev.bukkit.org; sure, they go through it, but not to fix my errors but rather to see if I've included any malicious code. The plugin itself could still break your world ;)
     
  21. ZachBora

  22. CreeperShift

    ZachBora

    It states nowhere that the commits have to show what changed :p If I ever get this CI running, I surely won't (I'm lazy)
     
  23. drtshock

    CreeperShift if you use the github webhook then it automatically shows changes on each build.
     
  24. CreeperShift

    I was planning on using subversion :p
     
  25. xize

    Hmm, what exactly is the difference between a CI and directly hotlinking an updated plugin which is your own BukkitDev project, when an older version was already approved?
    I agree these rules are implemented against malicious plugins, but it seems quite unreasonable to disallow hotlinking but allow Jenkins. Why not show a GitHub repository as evidence corresponding to the Jenkins build and let the community check for themselves whether it's malicious or not? Is a hotlink allowed then?
     
  26. !Phoenix!

    I wanted to ask myself about linking unapproved files and then found this. Could you help me out with these two things:
    1. Where can I find the current rules about linking unapproved files? I had no luck in the KnowledgeBase and the Wiki.. (didn't see it?)
    2. What is a 'CI'?
     
  27. mbaxter ʇıʞʞnq ɐ sɐɥ ı

    BukkitDev guidelines are here - http://wiki.bukkit.org/BukkitDev:Project_Submission_Guidelines

    CI stands for continuous integration. A CI server allows for immediate building on code changes and is used by some developers to handle project compilation/packaging.
     
  28. !Phoenix!

    Oh, yes, now I see it myself. I was only searching in the 'files' section (of this page) for it because that is where I expected to find the information. It also gives a hint at 'CI'.

    However, I was only able to find things about "linking to unapproved files on bukkit" and "linking CIs" in this thread.
    My problem:

    I don't have a CI and would like to link test-versions in Tickets that were created.
    Am I allowed to link to a file on my webspace with a disclaimer in front of it?
    Am I allowed to link a page on my website with a disclaimer and the link to that file?
    If yes - I guess the disclaimer should be the same as for CI-Servers?
     
  29. TnT

    No, but you are allowed to PM the people you are directing the test at. If you want the test version available to the community, upload it and mark it as a beta/alpha and wait for approval.
    No.
     
  30. !Phoenix!

    Hm, okay, too bad. Anyway, thanks for the information!

    Btw: If I really want to share a malicious plugin/version, would it be hard to do it using a (manipulated?) CI server? (Do you see what I did there? ;) )
     