is there anything we can do about the fact that the add-on is 1.3 MB in size? that's really loving huge.
i mean, RTB was 1.4, and I don't know what we can do... still worth keeping in mind, yeah?
just had a long discussion with nullable. a bunch of ideas came up for BAM
* right after I posted this post *
teozkr (Nullable): eh
teozkr (Nullable): I'd still say anything below 50mb is a neglegible size :p
Lugnut: 1mbps internet doesn't play nice with 1.5MB add-ons in a game that usually has 1-3KiB scripts
Lugnut: and.. yes i just used 3 different units in one sentence
teozkr (Nullable): good point, but it's still a one-time download that would take about 12 seconds
teozkr (Nullable): and still pretty small compared to mods containing, say, models or audio
Lugnut: i guesssssss
Lugnut: oooooh
Lugnut: we should have a diff-based updating system
Lugnut: aahahahaha
Lugnut: that'd be cool and so loving unimportant
teozkr (Nullable): :P
teozkr (Nullable): yeah considering what it is for it'd be really cool (since you could piggyback on that for updating other add-ons as well)
Lugnut: it would work really well because scripts get updated more often than models and such, right?
Lugnut: quick easy updating
teozkr (Nullable): yeah
Lugnut: that actually /should/ be a thing
teozkr (Nullable): problem is in order to do delta updates you either need to write binary files or give up on compression
Lugnut: the only problem is we would need
Lugnut: yeaeh
Lugnut: exactly that
Lugnut: ironically
teozkr (Nullable): giving up on compression would also mean giving up on stuff like automagickally removing stale files
Lugnut: to save data transfer, we have to give up saving disk space
Lugnut: what do you mean by stale files
teozkr (Nullable): well, let's say MyAddOn v1 contains server.cs and impl.cs
teozkr (Nullable): in v2 impl.cs was renamed to implementation.cs
Lugnut: with a delta update, unless handled specifically, impl is still there
Lugnut: yes?
teozkr (Nullable): yeah
teozkr (Nullable): while with zips that would be done automatically
Lugnut: just a simple fileMove or something though
Lugnut: the delta system would have to be made manually
Lugnut: just add in support for moved files...
teozkr (Nullable): well yeah
Lugnut: probably more difficult than i'm thinking
teozkr (Nullable): or rather, add in support for removed files
teozkr (Nullable): since a rename is basically just a copy-and-delete
teozkr (Nullable): (same for moves)
Lugnut: i think you would need client side monitoring on the dev's side : if the file is moved, note that it was /moved/ not deleted and a new one was coincidentally made
teozkr (Nullable): well, explicit support for renaming would be an optimization
Lugnut: moved VS [deleted and a new one made]
teozkr (Nullable): not needed for v1
teozkr (Nullable): funny thing is that git actually already tracks stuff like that
Lugnut: stuff would still be cool though
teozkr (Nullable): yeah
Lugnut: does git work in binary or ascii?
Lugnut: can we backpack off of a git repo in torquescript????
teozkr (Nullable): git works in binary
Lugnut: now /that/ would be fun
Lugnut: damn
teozkr (Nullable): but you could have a proxy server that repacks it so torque can handle it
Lugnut: could we make an
Lugnut: yeah
Lugnut: external script in python or some stuff
teozkr (Nullable): like brickbucket :P
Lugnut: runs
Lugnut: idk
Lugnut: git log or whatever and sees the diffs
Lugnut: or even just
Lugnut: git diff > diff.txt
teozkr (Nullable): yeah
Lugnut: then have torquescript hadle everything else
Lugnut: we should probably have a build.sh file in the bam-addon
teozkr (Nullable): not sure how well bash scripts would work, considering how windows-centric blockland is in general
Lugnut: no on
Lugnut: no no
Lugnut: that would be on our side, the dev team of bam...
Lugnut: however
teozkr (Nullable): well yeah
Lugnut: for mass support for add-on devs
Lugnut: that would need more care...
Lugnut: wait
Lugnut: i think you already said this
teozkr (Nullable): but anything that could cause a higher barrier to participation in development would be a bad thing no?
Lugnut: what if when the developer uploads their new add-on
Lugnut: and we approve it
Lugnut: it gets processed like i said
Lugnut: they just have to pump in a new add-on
teozkr (Nullable): that could be done yeah
teozkr (Nullable): or even cooler, instead of uploading a zip file
teozkr (Nullable): just supply a git tag!
Lugnut: "higher barrier to participation"
Lugnut: requires use of git
Lugnut: i don't know very many TS only devs with git
teozkr (Nullable): I mean as an optional feature of course :p
Lugnut: only people I know of that use version control are people like you, me, port, brian smith, trinick, etc
teozkr (Nullable): or mercurial or whatever
Lugnut: we all know multiple languages
teozkr (Nullable): Slayer
teozkr (Nullable): BAM itself
Lugnut: interesting common denominator
Lugnut: yeah, but those are worked on by the more advanced group of devs
teozkr (Nullable): as I said, doesn't have to be mandatory
teozkr (Nullable): but could be a nice QoL feature for the people who actually use some sort of VCS
Lugnut: in that respect, yes, definitely yes
... about quality assurance...
Lugnut: anytime i see [an addon] that might be using eval() i get super loving nervous
teozkr (Nullable): eh
Lugnut: not because the devs are /malicious/ (although there seems to be a bunch of them nowadays) but because it's really hard to use eval right
teozkr (Nullable): on one hand I'm not too fond of any kind of manual QA, and it'd also require quite a bit of manpower
teozkr (Nullable): on the other hand, I'd suggest a blanket ban on anything calling eval or co :P
Lugnut: is there such a thing as automated?
Lugnut: i would say automated with really easy to trip detectors or something
teozkr (Nullable): yeah
Lugnut: like if it does just one thing that doesn't seem perfectly okay, put it up for human review
Lugnut: otherwise pass it
teozkr (Nullable): yeah
teozkr (Nullable): basically a security review
Lugnut: keeps the bar for human review above the "every single thing" level, but still allowing a lot of human interaction
teozkr (Nullable): but I don't really like when it turns into a quality review like RTB did (is the model pretty?)
Lugnut: furthermore, automatically passed add-ons should go in a big fat list
Lugnut: for review when a review team member is feeling bored
Lugnut: or something
Lugnut: but yes
teozkr (Nullable): hehe yeah
Lugnut: eval()
Lugnut: tcp objects
Lugnut: file*() commands
Lugnut: /anything/ that is just a little bit iffy
teozkr (Nullable): think there was a function_call or something as well
Lugnut: cal()
teozkr (Nullable): which is basically eval except less suck
Lugnut: call()
Lugnut: it's a clean
Lugnut: yeah
Lugnut: prevents eval injection or some dumb thing
teozkr (Nullable): but still dangerous
Lugnut: /that/ should be double checked
Lugnut: .... we should be writing these down... // so I did
teozkr (Nullable): http://bldocs.nullable.se/html/namespace_server_1_1_global.html#aff8f84aaa111abe1bb06a5cde5558164
Lugnut: we're not gonna sound the alarm whenever an add-on calls /any function on the default list/!!!
Lugnut: oh wait i'm a dumbass
teozkr (Nullable): :p
teozkr (Nullable): schedule as well
teozkr (Nullable): allows arbitrary code execution
Lugnut: stuff that /is/ a point for injection vulnerabilities, isn't it
Lugnut: should probably flat out deny any use of crash()
Lugnut: i don't know if it works
Lugnut: but even fi it doesn't it shouldn't be in someone's mod
teozkr (Nullable): it does
teozkr (Nullable): IMO, flat out deny both eval and crash
teozkr (Nullable): with eval causing a message about how call/schedule can be used instead
Lugnut: three lists nullable
Lugnut: a: automatically approved, for later review when someone is bored or something
Lugnut: b: tripped alarms. most activity from review team is here. called "call" or something
Lugnut: c: code red bullstuff - "eval" or "crash" usage. possibly consider banning user depending on severity
Lugnut: mod review team does work at b
Lugnut: administrative team does c
Lugnut: ... what if we allowed a to be public?
teozkr (Nullable): yeah
teozkr (Nullable): well
teozkr (Nullable): wouldn't a just be anything that isn't on b or c?
Lugnut: yeah
Lugnut: pretty much
teozkr (Nullable): what if something isn't on any of the lists?
Lugnut: not possible
Lugnut: here's the how it works
Lugnut: dev makes add-on and uploads it > server processes using regex or something, dividing it into 3 categorys, described above > if it's in A, it gets put on the open downloads. if it's on B, it waits for humans to review. if it's on C, it'll probably never see the light of day
Lugnut: list A is a list of add-ons that got approved automatically, but have not been human reviewed
Lugnut: again, the bar to go from A to B is /really/ low
teozkr (Nullable): ahh yeah
Lugnut: ideally... i dunno, 30% make it into A, 65 into B, and 5 into C
teozkr (Nullable): IMO, most add-ons are just stuff like guns
Lugnut: yeah
Lugnut: and most of those would pass straight into A
teozkr (Nullable): which should go into A
teozkr (Nullable): yeah
Lugnut: in fact
teozkr (Nullable): unless they do something very weird
Lugnut: perhaps we could raise and low
Lugnut: yes
Lugnut: exactly
Lugnut: if it has strange checks maybe
Lugnut: just
Lugnut: i don't have examples
Lugnut: but abnormal behavior for guns
Lugnut: like checking for admin
Lugnut: or servercmds
Lugnut: idk
Lugnut: that's probably too low and might catch too many fish
Lugnut: oh, and all these lists would be sorted chronologically
teozkr (Nullable): IMO, guns etc should be under the same scrutiny as everything else
Lugnut: oh yes
Lugnut: but think about this
Lugnut: a server_ mod will probably have isadmin checks
Lugnut: but why does a weapon_ need that?
Lugnut: it's probably not doing anything malicious, but it's /abnormal/
Lugnut: we could probably
teozkr (Nullable): that's true
Lugnut: oh god
Lugnut: if one of us wanted to go all out
Lugnut: nullable
teozkr (Nullable): unless it's a rather overpowered gun :p
Lugnut: we could do statistical brown townysis // like bayesian statistics is what I'm talking about
Lugnut: like spam filtering
Lugnut: if a given item
Lugnut: after /all/ the above regex checks for things like call() and the like
Lugnut: if it passes all of those
Lugnut: but is somehow out of the ordinary
Lugnut: i don't know if we can do that
Lugnut: but that would be like loving AI
teozkr (Nullable): sounds like it'd be cool, but probably also not something for v1.0 :p
Lugnut: oh hell no
Lugnut: v1 will probably have totally manual everything goes into B
Lugnut: shortly thereafter will have other stuff
Lugnut: cause
Lugnut: who wants to do work or anything
Lugnut: trimming 40% of the work just by putting things into A is 2/5ths
teozkr (Nullable): hehe
Lugnut: i'm gonna log most of this down
Lugnut: specifically the idea parts
Lugnut: the delta updates, the list idea
Lugnut: auto parsing
Lugnut: probably skip the bits where i was bitching about other people complaining
teozkr (Nullable): :p
Lugnut: ooh
Lugnut: the mod reviewer interface could do diffs
Lugnut: when a mod is updated, why trawl through the whole codebase?
teozkr (Nullable): yes!
Lugnut: just show the new bits
teozkr (Nullable): though that is something that we'd get for free by integrating with git/mercurial
Lugnut: remind me how this integration would occur?
Lugnut: best I can think of is some kind of git hosting service that doubles as a blockland add-on thing
teozkr (Nullable): not neccessarily
Lugnut: i'm not getting the connection on the add-on developers side
teozkr (Nullable): remember that both git and mercurial use SHA hashes of the commits as identifiers, which means that we could trust an arbitrary host
teozkr (Nullable): so basically we would internally store say "BAM v1 corresponds to SHA audhfoiuhasf"
Lugnut: okay we need to back up just a tad
teozkr (Nullable): when it's approved, run a script that generates the zip
Lugnut: are we talking about BAM developement or BAM add-on hosting?
teozkr (Nullable): well, both
teozkr (Nullable): it makes sense that BAM would use itself to update itself, no?
Lugnut: anything is possible with us savvy users, but how do we use git in conjunction with a random developer updating stuff?
teozkr (Nullable): we could generate bitbucket repositories on a bot account or something
Lugnut: what difference does it make for the v1 thing if we can't go through git repos directly with torquescript? is it not an unneccesary layer of abstraction?
Lugnut: we could initialize them locally
Lugnut: port was saying they'd use [REDACTED??], so that might be hard
teozkr (Nullable): oh
Lugnut: we'd/they'd idk
teozkr (Nullable): yeah that might be a problem then, perhaps
teozkr (Nullable): well I think we could still do stuff that temporarily requires file I/O