PSA: SuperString

Discussion in 'Community News and Announcements' started by eyamaz, Nov 8, 2014.

Thread Status:
Not open for further replies.
  1. You might have to live with the fact that at least EvilSeph + Wolvereness attempted to kill Bukkit/CraftBukkit, while Mojang did not. The legal situation for continuation of modding will always be problematic no matter what technique you apply. Mojang can alter the client at any time, change the EULA, rename the game, and kill off future modding. One thing is sure, by killing Bukkit or attempting to, you certainly don't rescue other people from anything. So far the opposite has happened - people rely on a system grown by real community effort in the past, and a couple of people with some idea about what's the case and what not try to kill it off. I seriously doubt that any modders are in danger legally, provided that Mojang is tolerating the project, so there remains little to back you up there; about the future aspect I have commented already. It's just a very egocentric attempt to end the world, be prepared for resistance :).
     
  2. What I personally would like to know is if the "approved in about 3 minutes" claim is being disputed or not?
     
  3. What's the line-count?
     
  4. 3 minutes can be a long time for 81 lines. Level of standards and reaching that level (quality) are two things though.
     
    korikisulda likes this.
  5. asofold Oh I'll agree, when just checking for maliciousness you can get through classes very quickly. Some classes are hundreds of lines long yet are, in a large part, simple getters and setters which are immediately obvious that they're not malicious on their own.

    However, for a case such as this: one which is dispatching a command from console which is determined by getting values from a list and, heck, has a variable called "scoreOpCode"... if this was missed, maybe 3 minutes suggests it was a little rushed in the checking?
     
    korikisulda likes this.
  6. slipcor

    You are free to have your opinion about that, but I strongly disagree. EvilSeph did not kill, he announced the death. The Wolve part is moot to me because of what I said above. I can give you a more detailed explanation about how I see the whole takeover thing, but that would be off-topic now and it does not make much sense to argue about it. Some day Mojang will explain all the things. Until that happens, my desire to invest time into Bukkit again drops with every day without a public statement from someone in charge of Bukkit.

    I can agree with my decision being egocentric, as it was my decision to join and to quit, anyways.
     
    ThePixelPony and CaptainBern like this.
  7. That's something they should auto-check, lol.
     
  8. Zenexer

    "scoreOpCode" sounds relatively normal to me because "opcode" is a common programming term that has nothing to do with Minecraft. That being said, given the context, any occurrence of "op" should warrant closer inspection, and I'd like to think I wouldn't have overlooked such a method.
     
    Uristqwerty likes this.
  9. I also don't want to go into the details, but it reads as killing, if you declare the end, to stay project lead till the end and to not let others in. I don't use my power of imagination here (yet), it doesn't seem to be needed; I'll also ignore posts of the kind "but he hasn't stated that he won't let Daffy Duck continue the project" and things like that.
    They should also look for "bomb", "white powder" and several other words typical for an exploit :p

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 10, 2016
  10. ColonelHedgehog

    I know why Curse tries to approve things so quickly. It's because they have to double up since the ratio of (active) Curse staff to BD staff is something like 1:3. What's worse is I've noticed if the staff don't approve something within the hour, the plugin developers get impatient and tell people to download via GitHub or they upload the file to MediaFire. However, I think that plugin devs should suck it up and be able to wait for a period of time that is reflected by a more diligent process of scanning, especially with all these people throwing rocks at the Curse staff, trying to see how many malicious plugins they can get under their noses.
     
  11. toothplck1

    Because it's not like the reason the project was ended was because nobody wanted to join and help... that couldn't be it at all....
     
    slipcor likes this.
  12. ZanderMan9

    While I really hate to call anyone out and attack them, the Curse team seems to be doing a bit of a bad job here.
    The issue I see is that the initial release was OK, and they saw that. They then assumed (assume makes an ASS out of U and ME) that the second release would also be fine; a reputation system, sort of. They probably figured a little bug had been fixed and that nothing major had changed so passed right over it.
    Normally, I'd say to the reviewers of code, be pretty trusting, but nowadays, there is no reason to trust an inch, sad to say.
     
    andrewpo likes this.
  13. Offline

    Skionz

    People used to complain about the slow review time and now they complain about the fast review time.
     
  14. toothplck1

    *Fast approval time "review time" implies that it is reviewed.
     
  15. xTrollxDudex

    Please tell the staff to learn Java because this is absolutely ridiculous. Please give proof that more than 0 people check every file in the queue.
     
  16. Opacification

    A slow job done very well is a lot better than a quick one done poorly.
    Curse staff really need to get their shit together, this is incredibly disappointing, and I feel like this is just going to keep happening.

    Such a shame that the good old BukkitDev staff are gone.
     
  17. ColonelHedgehog

    Well sorry, but this isn't going to change.
     
  18. hkminegod

    Shouldn't the Curse staff credit the author for bringing the malicious plugin to attention?
     
    ThePixelPony likes this.
  20. RawCode

  21. ThePixelPony

    Umm, this has never, ever happened before with the old Bukkit team and they weren't even paid.
     
  22. Marten Mooij

    " getServer().dispatchCommand(getServer().getConsoleSender(), scoreCode + " " + player.getName());"
    Yeah, they should have definitely caught this.
     
  23. Any command dispatching that doesn't check specific permissions should get marked :p - they should use an IDE with plugins to support the process better :p.

    Dispatching 2-letter commands without them being stated in the plugin.yml is also dubious.

    That's wrong, simply. Ex-staff had a couple of years of training as a team. Things happened.
     
  24. Druxe0

    I am not a programmer, but simply a server owner who stays involved with Bukkit. I once tried to learn programming though, and I understand some of this code.

    https://github.com/fierescope/Super...gmail/fierescope/SuperString/SuperString.java

    The bottom should have been fairly easy to find malicious code in. I personally think Curse staff aren't as used to reviewing code like this. My thoughts are that they should review for a bit longer.

    The ex-staff were also sloppy when they started, most likely. It will take some time. Just maybe you should review it and then have a program to automatically search for specific pieces of code.
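    The automatic search suggested in the two posts above (flag command dispatch without a permission check, flag short commands that plugin.yml never declares, then search for specific code patterns) can be sketched as a small triage script. This is an added example written for this thread; it is not SuperString's code and not any tool Curse or BukkitDev used. Both the plugin.yml and the Java excerpt below are constructed for the demonstration, except that the dispatch line quoted earlier in the thread is reproduced verbatim as the thing the script is meant to catch.

```python
"""Static triage of a Bukkit plugin for suspicious command dispatch.

Added example for this thread; not part of SuperString or any review tooling.
It flags: dispatch as the console sender, command strings built at runtime,
dispatched commands missing from plugin.yml, and dispatch sites with no
permission check in the preceding lines.
"""
import re

# Constructed plugin.yml declaring a single command.
PLUGIN_YML = """\
name: ExamplePlugin
main: example.ExamplePlugin
version: 1.0
commands:
  superstring:
    description: Show the score board
    usage: /superstring
"""

# Constructed Java excerpt. Line 4 is the dispatch quoted in the thread;
# lines 6-11 show a benign, permission-gated dispatch for contrast.
JAVA_SRC = """\
public void onScore(Player player) {
    List<String> codes = getConfig().getStringList("codes");
    String scoreCode = codes.get(scoreOpCode);
    getServer().dispatchCommand(getServer().getConsoleSender(), scoreCode + " " + player.getName());
}
public void onReload(Player player) {
    if (!player.hasPermission("superstring.reload")) {
        return;
    }
    getServer().dispatchCommand(player, "superstring reload");
}
"""

DISPATCH_RE = re.compile(r"dispatchCommand\s*\(\s*(?P<sender>[^,]+?)\s*,\s*(?P<cmd>.+)\)\s*;")
PERMISSION_RE = re.compile(r"\b(hasPermission|isOp)\s*\(")
LOOKBACK = 5  # lines before a dispatch in which a permission check is expected


def declared_commands(plugin_yml: str) -> set:
    """Return the command names listed under the top-level 'commands:' key.

    Minimal indentation-based parse; enough for plugin.yml's usual shape.
    """
    names, in_commands = set(), False
    for line in plugin_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_commands = line.rstrip().startswith("commands:")
            continue
        if in_commands and indent == 2 and line.rstrip().endswith(":"):
            names.add(line.strip()[:-1])
    return names


def scan_source(java_src: str, declared: set) -> list:
    """Return (line_number, finding) tuples for every suspicious dispatch site."""
    lines = java_src.splitlines()
    findings = []
    for idx, line in enumerate(lines, start=1):
        m = DISPATCH_RE.search(line)
        if not m:
            continue
        sender, cmd = m.group("sender"), m.group("cmd").strip()
        if "getConsoleSender()" in sender:
            findings.append((idx, "command dispatched as console sender"))
        literal = re.fullmatch(r'"([^"]*)"', cmd)
        if literal is None:
            findings.append((idx, "command string built at runtime, not a literal"))
        else:
            words = literal.group(1).split()
            name = words[0] if words else ""
            if len(name) <= 2:
                findings.append((idx, f"very short command '{name}'"))
            if name not in declared:
                findings.append((idx, f"command '{name}' not declared in plugin.yml"))
        # Look back a few lines for a permission gate guarding this dispatch.
        window = "\n".join(lines[max(0, idx - 1 - LOOKBACK): idx - 1])
        if not PERMISSION_RE.search(window):
            findings.append((idx, "no permission check within preceding lines"))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_source(JAVA_SRC, declared_commands(PLUGIN_YML)):
        print(f"line {line_no}: {reason}")
```

    Run as-is, it reports three findings on the quoted dispatch line (console sender, non-literal command, no permission check) and nothing on the gated literal dispatch. A pass like this is a filter for a reviewer's attention, not a verdict: a plugin can legitimately run console commands, so each hit still needs a human to read the surrounding code.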
     
  25. I don't think people should be claiming that Curse are new to this and that they'll get used to it... Curse maintain that standards have not dropped (much), meaning such claims are completely invalid.
     
    korikisulda and lol768 like this.
  26. lol768

    korikisulda, slipcor and AdamQpzm like this.
  27. Lolmewn

    10 points to you!
     
  28. Eathuis

    This is happening too often for my liking. Additionally I would like to point out that the ONLY reason you found out about the malicious plugin was because the author of said plugin informed you. I'm sorry but BukkitDEV is no longer safe for use.
     
  29. bdubz4552

    Just throwing this out there, but someone on Sponge claims to have uploaded the same plugin four times in a row in a span of a few minutes, and they were all approved within a few minutes.
     