A poll about digital trusting

Questions about the LÖVE API, installing LÖVE and other support related questions go here.
Forum rules
Before you make a thread asking for help, read this.

Are you interested in PGP/GPG use to trust the libraries/part of code ?

Poll ended at Tue Jul 14, 2009 4:47 pm

I don't know what is PGP :rofl:
3
23%
I know what is PGP but I don't use it :roll:
8
62%
I know what is PGP and I use it but not for Löve :)
1
8%
I know what is PGP and I use it, and I would like to be able to use it with Löve :megagrin:
1
8%
 
Total votes: 13

User avatar
TsT
Party member
Posts: 161
Joined: Thu Sep 25, 2008 7:04 pm
Location: France
Contact:

A poll about digital trusting

Post by TsT »

I wonder to add some checksum on the library ... and why not using GnuGP (GPG or PGP) to check and trust the libraries.
I can do that for my game and my libraries without asking... but I think, if there are enought people that are using it, it would be good to have this check.

I create this poll to evaluate the number of people that are know or use PGP or GPG.

Best Regards,
My projects current projects : dragoon-framework (includes lua-newmodule, lua-provide, lovemodular, , classcommons2, and more ...)
User avatar
osgeld
Party member
Posts: 303
Joined: Sun Nov 23, 2008 10:13 pm

Re: A poll about digital trusting

Post by osgeld »

im at work and im lazy, care to provide some easily obtainable information?
User avatar
bartbes
Sex machine
Posts: 4946
Joined: Fri Aug 29, 2008 10:35 am
Location: The Netherlands
Contact:

Re: A poll about digital trusting

Post by bartbes »

Apparently I'm still the only one who voted (yes, I'm the 100% 2), somehow I never cared about PGP, or similar technologies.
User avatar
TsT
Party member
Posts: 161
Joined: Thu Sep 25, 2008 7:04 pm
Location: France
Contact:

Re: A poll about digital trusting

Post by TsT »

PGP is Pretty Good Privacy software ( http://en.wikipedia.org/wiki/Pretty_Good_Privacy )
GPG is GnuPG, Gnu Privacy Guard ( http://en.wikipedia.org/wiki/GNU_Privacy_Guard )

The both software are similar (except PGP is more commercial than GnuPG).
They are usually used to :
- send secret (encrypted) message between 2 persons.
- send a signed message and the reader can check and be sure the message has not been changed.

This last feature can be interesting for lua/love.
This kind of software are massively used on linux distributions. Each software (packages) are signed with the author(s) keys and the distribution team key.

Even Microsoft started to use PGP signature in his security newsletter to allow people to check that the content of the newletter is not changed.

In the case of love ...

Currently you can check the content of a .love file before running it.
But in some case (for example : LUBE) when you run the game, it download some update, and automatically load them.
By this way you can not check if something is bad inside the updated files.

This feature don't protected again bad authors, but it protected you if the remote server (where the game try to download the updates) are hacked.

Another advantage is when every developers sign their files, you can always know who is the autor, where report a bug and must of all, who is the legal owner of the code (who choose the licence).


If you want sell, or distribute freely your game, you normally only able to do that if you know and respect the whole licences of every part of the code. The worst case is having a good game with some part built over unknow part of code.

I'm almost sure I'm the only one game author that is thinking about the licence... but it's not a problem :D

For my last argument, if nobody is afraid, I can build a virus with love, for demonstration :P

Best Regards
My projects current projects : dragoon-framework (includes lua-newmodule, lua-provide, lovemodular, , classcommons2, and more ...)
User avatar
rude
Administrator
Posts: 1052
Joined: Mon Feb 04, 2008 3:58 pm
Location: Oslo, Norway

Re: A poll about digital trusting

Post by rude »

Do you want trusting from me (the LÖVE binaries and source) or do you want trusting for .love files? If the latter, how do you imagine it will work?
User avatar
TsT
Party member
Posts: 161
Joined: Thu Sep 25, 2008 7:04 pm
Location: France
Contact:

Re: A poll about digital trusting

Post by TsT »

rude wrote:Do you want trusting from me (the LÖVE binaries and source) or do you want trusting for .love files? If the latter, how do you imagine it will work?
My first goal is trusting every file contains in a .love file.
And let the user choose if he want :
- running the game without trusting at all
- running the game only if every file are signed
- running the game only if every file are signed by a list of known autors (if I want only run code from a limited authors)

I particulary think about intercepting the require() and love.filesystem.include() function to check before loading.
I'm affraid about loading of code that comes from remote unkwnow site... :)

I don't think about the love binary itself because I'm under linux, I compilate my own love, then I think my love binary is safe (even I don't check the source at all, but I have trust on you Rude :D )

Regards,
My projects current projects : dragoon-framework (includes lua-newmodule, lua-provide, lovemodular, , classcommons2, and more ...)
User avatar
whitebear
Citizen
Posts: 86
Joined: Sun Mar 15, 2009 1:50 am

Re: A poll about digital trusting

Post by whitebear »

Well why the heck not? Or are there some disadvantages such as newbie projects being completely rejected by love.exe
User avatar
TsT
Party member
Posts: 161
Joined: Thu Sep 25, 2008 7:04 pm
Location: France
Contact:

Re: A poll about digital trusting

Post by TsT »

whitebear wrote:Well why the heck not? Or are there some disadvantages such as newbie projects being completely rejected by love.exe
I think about the feature. I don't speak about set the "reject almost everything" by default.
I'm thinking about game makers, or people that want more control, more security.

A newbie want his game run, download automatically what it need, and be able to play as quick as possible.
Me, not. I want be able to launch a game and be sure that nothing bad will be done.

For exemple :
I launch a game, and play it if this game use simple love call or try to load files embeded in the .love it can, I will not see any difference than the current version of love.
But if the game need network support, and try to connect to a remote site, I want love pause the game and ask me to approve the connexion.
After that if the game download some files and try to load them I will be happy if these part can be checked with a trust feature, and show my "I'm trying to load this file created by Mr X, do you want load it or stop?".

I'm already working to have secure space before running the game. (I will release the alpha2 soon).

Regards,
My projects current projects : dragoon-framework (includes lua-newmodule, lua-provide, lovemodular, , classcommons2, and more ...)
JamesGecko
Prole
Posts: 8
Joined: Sat Jan 31, 2009 7:10 pm

Re: A poll about digital trusting

Post by JamesGecko »

Honestly, I'd be hugely surprised if there are more than three end users who care about this. Everyone else is just going to click "approve everything!" because some games break if you don't. Training users to always approve useless security dialogs is bad, because once they get into the habit of doing that, they'll be more likely to approve real security dialogs for system-wide options.

Hasn't rude said in the past that the final version of LOVE is going to be sandboxed so it can't do any damage to the system? I want that, not this.
TsT wrote:But if the game need network support, and try to connect to a remote site, I want love pause the game and ask me to approve the connexion.
I don't want that; it's disruptive and most Windows firewalls already do it. The end result will be users clicking through two approval dialogs. This seems like a complicated solution for a problem that has already been solved.
User avatar
Zorbatron
Citizen
Posts: 78
Joined: Wed May 27, 2009 6:58 pm

Re: A poll about digital trusting

Post by Zorbatron »

It's pretty easy to avoid loading a virus, just check the source and determine whether you trust them or not.

Require released games with custom libraries to provide the library source and a md5 hash.
Post Reply

Who is online

Users browsing this forum: Amazon [Bot], Google [Bot] and 2 guests