Brickbucket - Effortless low-latency auto-updating



Today, when developing an add-on, your options for auto-updating usually consist of having none, building your own, or using RTB.

With all three options you usually end up having to repackage your add-on every time you release it. In addition to this, each approach has its own disadvantages. Having no auto-updating at all quickly gets tedious for your users if you need to update something, and people aren't very likely to actually update. Building your own takes a non-trivial amount of work, and delivers an inconsistent user-experience to your users. RTB has a lot of latency, and it's not unusual to have to wait for days, if not weeks, before your add-on or update is actually released to your users, making it inconvenient for regular releases and almost impossible to use for beta releases and similar. What if releasing an update was as simple as pushing the update to your Bitbucket or GitHub repository, and it'd then be released to users within 5 minutes?

So is this a replacement for RTB, then?
No. RTB provides a lot of features that Brickbucket does not even plan to offer, including stuff not related to add-on management (RTB Connect), as well as a useful service for discovering add-ons. Brickbucket is supposed to come into the picture after you've "sold" the add-on to the user.

Features
  • No extra effort for you as the developer, just push it to Bitbucket or GitHub as usual (make sure to structure your repository layout like this)
  • Updates released to users within 5 minutes
  • In-game auto-updater
  • Web-based endpoint that automatically repackages your add-on for Blockland, and includes the metadata required for Brickbucket to function
  • Open source

Status
Server - Working
Client - Not yet started

Links
Server Bitbucket repository
Issue tracker
« Last Edit: June 09, 2013, 07:17:06 PM by DontCare4Free »




Cool, but I don't use any repositories and don't plan to.


The reason RTB has high latency for updates is to ensure there's security for users (plus a lack of mod reviewers atm). This is just a way for anyone with repo access to semi-immediately push anything they want with no kind of oversight to everyone who has their add-on.

This isn't the real world where developers of popular software have reputations and integrity - this is Blockland where most users will screw each other over without a second thought. Babysitting is absolutely required. If this is to be released I think you're going to need to educate and warn potential end users on the substantial risks of accepting any kind of code updates from basically anyone.

RTB has a lot of latency, and it's not unusual to have to wait for days, if not weeks, before your add-on or update is actually released to your users, making it inconvenient for regular releases and almost impossible to use for beta releases and similar.
Because you can be sure that an add-on that is on RTB is going to be secure.
Think of a situation, let's say someone creates a huge UI overhaul that almost everyone downloads, and because someone has pissed him off he wants to get "revenge" and uploads an update to delete everyone's saves and add-ons.

How would you prevent that?

The reason RTB has high latency for updates is to ensure there's security for users (plus a lack of mod reviewers atm). This is just a way for anyone with repo access to semi-immediately push anything they want with no kind of oversight to everyone who has their add-on.
Security vs convenience. RTB provides better security with its mod review, but on the other hand it doesn't work very well for prereleases, because then you want to push out an update fast (and I'm not sure about what the rules say about those anyway). Besides, this is essentially how the add-ons forum works already, and you can already roll your own auto-updater if you want to, this just makes it less of a hassle.

This isn't the real world where developers of popular software have reputations and integrity - this is Blockland where most users will screw each other over without a second thought. Babysitting is absolutely required. If this is to be released I think you're going to need to educate and warn potential end users on the substantial risks of accepting any kind of code updates from basically anyone.
While it may not be as lasting, reputation is still definitely a thing in Blockland.

Because you can be sure that an add-on that is on RTB is going to be secure.
See the above.

Think of a situation, let's say someone creates a huge UI overhaul that almost everyone downloads, and because someone has pissed him off he wants to get "revenge" and uploads an update to delete everyone's saves and add-ons.

How would you prevent that?
I wouldn't. I don't believe it'd be beneficial in the end to severely limit the usefulness just because of the off chance that someone might push a malicious update (ruining his/her reputation, would you run an add-on by cciamlazy?). That said, of course, updates wouldn't be interactionless (you'd still have to OK the installation of the update). In addition, to mitigate the problem, the GUI could give you a link to the diff between your current version and the update, giving you a relatively convenient way to review the update yourself if you're into scripting.
« Last Edit: June 10, 2013, 07:13:12 AM by DontCare4Free »

The reason RTB has high latency for updates is to ensure there's security for users (plus a lack of mod reviewers atm).
I wish I could be a mod reviewer but there's probably 50 people more eligible than me.

While it may not be as lasting, reputation is still definitely a thing in Blockland.

It's absolutely not. Once people decide they're done playing Blockland, that reputation means nothing to them and they're free to forget up whatever they want with nothing holding them back - and this has happened far too many times to count now.

In addition, to mitigate the problem, the GUI could give you a link to the diff between your current version and the update, giving you a relatively convenient way to review the update yourself if you're into scripting.

I'm "into scripting" and I can't imagine myself ever doing that. The 99% of people who aren't into scripting also won't ever do that so it's fairly pointless.

I wouldn't. I don't believe it'd be beneficial in the end to severely limit the usefulness just because of the off chance that someone might push a malicious update (ruining his/her reputation, would you run an add-on by cciamlazy?).

Blockland add-ons are barely reliant on having a strong reputation. I could create a new account, release some stuff gun mod, have a thousand users over the course of however long that takes and then flip a switch to provide everyone with an update that hijacks their key entry screen. People would be rebooting their games and handing their keys over to me within minutes.

The forums can't be compared to this because there's no notification of a new update. It could take days for someone to realise an update is available and that's days for someone competent to realise it's going to jack their key. In my experience the community has reacted pretty quickly to any malicious add-on releases on the forums.

There's no "off chance" here - we're dealing with kids who have unrestricted access to relatively large audiences. All it takes is for someone with a popular add-on to either allow any number of the recent drama trolls access to their repo or just get their account compromised (as has happened with various forum/email hijackings) and you've got a situation on your hands.

It's absolutely not. Once people decide they're done playing Blockland, that reputation means nothing to them and they're free to forget up whatever they want with nothing holding them back - and this has happened far too many times to count now.
This is a risk you take when you install someone's add-on regardless.

I'm "into scripting" and I can't imagine myself ever doing that. The 99% of people who aren't into scripting also won't ever do that so it's fairly pointless.
Valid point, but it's there so that you can choose to review the update without too much information overload. For example, here's the diff between the two last versions of Permissions.

Blockland add-ons are barely reliant on having a strong reputation. I could create a new account, release some stuff gun mod, have a thousand users over the course of however long that takes and then flip a switch to provide everyone with an update that hijacks their key entry screen. People would be rebooting their games and handing their keys over to me within minutes.
Low-maintenance add-ons such as weapon packs are a pretty good example of where RTB shines. The scripts aren't very complicated, there's little that can go wrong, there's not much to change after the fact. Compare this to, say, Slayer, RTB or Permissions which are bigger add-ons made by people you already trust, and with more moving parts and more that could go wrong (increasing the value of prerelease testing, which is IMO one area where BB shines).
« Last Edit: June 10, 2013, 08:27:24 AM by DontCare4Free »

Low-maintenance add-ons such as weapon packs are a pretty good example of where RTB shines. The scripts aren't very complicated, there's little that can go wrong, there's not much to change after the fact. Compare this to, say, Slayer, RTB or Permissions which are bigger add-ons made by people you already trust, and with more moving parts and more that could go wrong (increasing the value of prerelease testing, which is IMO one area where BB shines).

Not sure how that was a response to what I said. I'm not contesting the usefulness of this - it just has vast potential for abuse. The fact that anyone with a well-downloaded add-on can just flip one day and decide to push out some malicious code over this thing to all their users makes it a danger. Even if it was discovered that an update contained an issue - what next? Someone has to get a hold of you to take down the repo to prevent other oblivious users from continuing to update.

I don't think pre releases should be handed out to all users anyway - that makes it a full release. I think it makes sense for pre releases to require you to make the effort to go to the dev thread, read about what you're downloading and the risks it entails so you can make a sensible decision.

Not sure how that was a response to what I said. I'm not contesting the usefulness of this - it just has vast potential for abuse. The fact that anyone with a well-downloaded add-on can just flip one day and decide to push out some malicious code over this thing to all their users makes it a danger. Even if it was discovered that an update contained an issue - what next? Someone has to get a hold of you to take down the repo to prevent other oblivious users from continuing to update.
What is there preventing you from pushing out a malicious update to RTB? What is there preventing me from pushing out a malicious update for Permissions?

I don't think pre releases should be handed out to all users anyway - that makes it a full release. I think it makes sense for pre releases to require you to make the effort to go to the dev thread, read about what you're downloading and the risks it entails so you can make a sensible decision.
Exactly. You go to the dev thread, download the add-on, and this notifies the user when the prerelease is updated. It won't propose for you to update from the stable release to the prerelease.

Nullable, perhaps implement a method for blacklisting any add-on that pushes out malicious code, preventing it from being used?

I do agree with Ephi here, this could be pretty dangerous without some form of moderation.