|
03-03-2005, 02:32 PM
|
A Griffon
|
|
Join Date: Dec 2004
Server: Neriak
Posts: 273
|
|
__________________
|
03-03-2005, 02:36 PM
|
|
A Griffon
|
|
Join Date: Oct 2004
Server: Blackburrow
Posts: 352
|
|
Quote:
Originally Posted by Quib
This is something I'd discourage probably. I know I'm personally uneasy enough about using executable files I get off of websites, but that one might update itself without me knowing would bug me even more.
I trust taco-man, but I'd be more worried about someone else modifying the auto-updater and posting it somewhere else on the internet and doing mischievious things. We'll need to slap a bunch of "if you didn't get this from eq2interface.com" warning everywhere we link the auto-updater. If the auto-updater had the power to update itself, a malicious version that grabs a really nasty executable and runs it could be bad news.
Quib
|
I understand completely where Quib is coming from on this, a malicious version could wreak havok on our community. Not sure if this is possible or not but would it be possible for the Updater to check it's own MD5 Checksum, and verify that against a value on the Update Site. If the Checksums do not match, the updater does not run. Could this also work as follows, say there is a newer version of the Updater Available, the Auto Updater matches the Old Version stored on the Updater site, and a Message Box appears informing the user that they must download the new Offiical Release of the Updater.
__________________
[Guild Leader] Tiggler is my Main, Humudce is my Alt on Blackburrow.
|
03-03-2005, 02:48 PM
|
A Griffon
|
|
Join Date: Dec 2004
Server: Neriak
Posts: 273
|
|
I see where you are all coming from, however I counter that there are safe ways to autoupdate - but of course this won't be much of an issue once the updater gets more finalized.
Ahh well, it was just an idea
__________________
|
03-03-2005, 03:16 PM
|
A Griffon
|
|
Join Date: Jan 2005
Posts: 720
|
|
Quote:
Originally Posted by Humudce
I understand completely where Quib is coming from on this, a malicious version could wreak havok on our community. Not sure if this is possible or not but would it be possible for the Updater to check it's own MD5 Checksum, and verify that against a value on the Update Site. If the Checksums do not match, the updater does not run. Could this also work as follows, say there is a newer version of the Updater Available, the Auto Updater matches the Old Version stored on the Updater site, and a Message Box appears informing the user that they must download the new Offiical Release of the Updater.
|
A modified version could easily make the auto-updater look at a different web-based MD5 value, bypassing any safety precautions of checksum'ing itself. As it is now, someone could modify the updater to download some nasty executable, but it has no way of overwriting itself or running any executable code it downloads.
On second thought, it does: it could download an exe and use the auto-launch EQ2 routine (modified) to execute this newly downloaded file.
I bet it'd take me 30 minutes or less to hex edit the current updater exe to do this (just as an example for how easy it'd be to make a malicious version).
All paranoia aside, I don't think the auto-updater will have any reason to update itself after we agree on a final version. The code will be flexible to accept a downloaded index of files (well, it also ready does this) and their checksums to update (not a hard-coded list) and the news download could tell users if there is (on the off chance) a new version of the updater available.
Basic rule for safety, get the updater from maps.eq2interface.com or from the EQ2MAP download section and you'll be fine (well, once it's at those places). Also make sure the updater you're getting was posted by taco-man as he'll be the only one uploading it from the EQ2MAP team. The real trick will be making sure the general EQ2 public knows to never get a copy of the updater from somewhere else.
Hopefully this post didn't scare anyone; just trying to make sure you all know the risks invloved with using executables, and especially ones that have internet access.
Quib
|
03-03-2005, 03:46 PM
|
|
A Griffon
|
|
Join Date: Oct 2004
Server: Blackburrow
Posts: 352
|
|
Point well made Quib.
Education is the key here. If you didn't get the file from map.eq2interface.com, or www.eq2interface.com that was uploaded by Taco-Man, you don't have the official release.
The key here is knowing who you are downloading from.
I write executable installers for all of my Mods (and for the Team's MAP mod too), but these are only available to my fellow guild members. My guild members know that I am the only one that can upload the installers (aka, I'm the webmaster of the site too), and that I would never put malicious code into them. I wrote the installers to help those in my guild that are less knowledgeable about computers and installing these interfaces and mods.
In the past I uploaded several Executable Installer Versions to the www.eqinterface.com site, for my EverQuest Mods (alot of exchanges via e-mail to get them approved, including providing the install script I used). I have no plans to make any of my Mods use installers that have been uploaded to eq2interface.com because of the inherent risks involved with executable programs available for download. I do upload Executable Installer Versions on my Guild Web Site as I am the only one that can change the files available there.
__________________
[Guild Leader] Tiggler is my Main, Humudce is my Alt on Blackburrow.
|
03-03-2005, 03:48 PM
|
|
A Griffon
|
|
Join Date: Oct 2004
Server: Antonia Bayle
Posts: 3,287
|
|
Is it possible to create a website based update, strictly. Such as through java or something similar? I'm not to keen on that subject, but maybe it could be another possiblity if all else fails (in the sense of security).
|
03-03-2005, 04:05 PM
|
A Griffon
|
|
Join Date: Jan 2005
Posts: 720
|
|
Well, I've sorta blown the security thing out of proportion; as long as people get the updater from eq2interface from taco-man, it's safe. I'm more concerned about the updater being too powerful, and someone modifying it and releasing it elsewhere and it really ruining someone's day.
I have no idea how hard it'd be to make a web-based updater. I have half a year's formal experience with java and I absolutely hate it. Writing files to a particular folder probably sets off a lot of security alarms in most browsers doesn't it? Plus the user'd have to point the web-based updater to their custom UI folder each time they use it; which would be tedious if they have EQ2 in it's default install location.
The route we're taking now will be effective and easy (for the end user). One of the problems with a modular setup is if a user is missing an XML file, EQ2 won't load. Having the auto-updater will ensure they have every file necessary.
On another note, it's impressive VB has developed far enough to do stuff like this. Last time I worked with VB was VB 3, and man was it unwieldly and non-powerful. I don't even think VB 3 was Win95, I think it was still for making stuff that worked on Win 3.11.
Quib
|
03-03-2005, 05:14 PM
|
A Griffon
|
|
Join Date: Dec 2004
Server: Unrest
Posts: 306
|
|
Quote:
Originally Posted by Drumstix42
Is it possible to create a website based update, strictly. Such as through java or something similar? I'm not to keen on that subject, but maybe it could be another possiblity if all else fails (in the sense of security).
|
I asked about this awhile back, and quib wanted my concerns clarified. I shared them with a guy at work who uses the map mod and he thought the autoupdater was sweet. And when he asked why I had reservations about it, I didn't have an answer. I'm not really worried about hacked code. I just don't like to worry about running extra programs or making changes too often with stuff.
I'd be happy to visit the eq2maps download page once every month or so or when I am about to explore areas that don't have maps to see if a new version of the mod has been released.
|
03-03-2005, 06:15 PM
|
|
EQ2MAP Updater Author
|
|
Join Date: Nov 2004
Server: Antonia Bayle
Posts: 1,349
|
|
although it is an "extra" file to run, it launches eq for you so that its 1 less file to run so it balances out.
|
03-04-2005, 12:55 PM
|
A Young Mystail Rat
|
|
Join Date: Dec 2004
Server: Antonia Bayle
Posts: 4
|
|
Idea
About the auto-updater, wouldn't it be best for it to check it's version again the latest one online. Then, if there is a new one available, open up a browser window so you can download the latest installer online.
|
03-05-2005, 03:41 AM
|
|
A Griffon
|
|
Join Date: Jul 2004
Server: Everfrost
Posts: 604
|
|
Thought I'd mention that I made a skin for my UI..
Currently It can be downloaded/viewed here:
http://www.eq2interface.com/forums/s...&postcount=389
Once I know it's working 100% "as intended" I will include it with my main download
Keep up the good work team!
|
03-05-2005, 10:22 AM
|
|
EQ2MAP Updater Author
|
|
Join Date: Nov 2004
Server: Antonia Bayle
Posts: 1,349
|
|
just so you know, the updater should be 100% compatable with custom skins even when its set to do all files.
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 05:39 AM.
|
|