Sign in to follow this  
DuoDex

The Great Controversy

Recommended Posts

Ofcourse it should be added that a simple version check should be allowed in the official rules :)

Multiplayer is kinda obvious that data is being sent and as it`s a stand alone manual install, i doubt it needs an opt-in/out because it isn`t distributed with other mods

Share this post


Link to post
Share on other sites
The problem isn`t really the data sending but the fact it`s done without knowing or a way to disable it.

Then comes the issue with *that specific mod* to be distributed with other mods and when the popup appears, the user is left wonding "wtf" as there is no info being shown from where it comes, who created it and why it keeps cloning itself in the mod directory.

Wich brings me to another issue that is far greater then this, in my opinion:

Mods being distributed with other mods.

While I`m writing this, some dll or cfg nuked my entire game as some mod is using MM to screw with another and only see it now because I unlocked new parts.

STOP DISTRIBUTING OTHER MODS WITH YOUR MODS!

Add a required section! with links to required mods! so that we don`t override newer files because you didn`t update the ones that came with yours!

Module manager, Firespitter, KSPAPIExtensions.dll, scale.dll, b9/KW mm cfg`s and lets add for last out of my head RealSolarSystem.dll

Just stop it! I`d be happy with an opt-out if ya`ll would stop including old/other mod cfg`s!

Back on topic...

Don`t remember where it was posted that Squad classified version check as non gathering and did not require an opt-in, aslong as it`s only that.

There are a lot of demands in this debate from people who don't write mods at all. Or perhaps they don't write software at all.

All programs, from the simplest to the most complex, have dependencies. Not being able to include dependencies is detrimental to everyone: the users have a much higher barrier to use (deciding if they have all of the deps., installed in the exact right location (due to KSPAddon system, in this case), with the right versions). The mod authors then suffer because their work is harder to use. They also suffer because they have to provide technical support to people who may not understand what they are doing wrong.

Your demand of mods not installing mods is untenable and naive.

Share this post


Link to post
Share on other sites
It does not matter where Squad posted it. It needs to be stated clearly in the forum rules. You can't expect someone to abide by the rules if they can't readily see them in a specific place.

Fortunately, there's time for them to put all their changes in the rules at once before the new rules go into effect.

Share this post


Link to post
Share on other sites
STOP DISTRIBUTING OTHER MODS WITH YOUR MODS!

Add a required section! with links to required mods! so that we don`t override newer files because you didn`t update the ones that came with yours!

Module manager, Firespitter, KSPAPIExtensions.dll, scale.dll, b9/KW mm cfg`s and lets add for last out of my head RealSolarSystem.dll

If you actually would manage to install all dependencies for your mods, and their dependencies, IN THE CORRECT VERSIONS, IN THE CORRECT FOLDERS, I think you are equally capable to open the downloaded archive, and look at it's content to determine which dependencies are packed in.

Also:

  • Module manager can't be overwritten by older versions because the dlls have the version in their filename. If by accident, multiple versions are present, the newest one is used.
  • KSPAPIExtensions has a similar mechanism afaik
  • the whole point of mm cfgs is that one mod may modify another, and there was a lot of work invested to make them as compatible as possible with each other

Keep in mind, a Mod is not a regular application. In fact, if it were, it would always bring it's dependencies with it in some form or another.

A Mod is a MODIFICATION of the game created by a community member. This always implies:

  • It's a free piece of difficult work. Critisism may be necessary, but don't demand a technicality to be implemented in a certain way just for your convienience
  • It may break things. KSP's API is insufficiently documented, it has bugs, and most Mods have no proper Q&A (again, because they are free).
  • Stacking mods is even more likely to break things. Software even has bugs if all people working on it work within 20m of each other. With multiple mods, you have Squad providing the base and every modder building a bit on top of that - and often, on other mods.

If you don't understand what modding actually does to your game, you have equally little right to demand stuff from modders, who offer a piece of hard work for free. And the more you understand, the more reasonable suggestions you are able to make - and you are also more likely to just fix stuff yourself.

Also, about bug reports. About every author wants the output_log.txt alongside a bug report, and yet, people have to be always reminded of that. It's not like professional, sold software were there is first level support paid to walk everyone through the basics again. You are talking directly to developers here, and they can fix a bug a lot faster, if you find out as much as possible about it, and provide all the information.

I work as a software developer, it was a long day, I'm sorry if this became a bit of a rant.

  • Like 1

Share this post


Link to post
Share on other sites
There are a lot of demands in this debate from people who don't write mods at all. Or perhaps they don't write software at all.

All programs, from the simplest to the most complex, have dependencies. Not being able to include dependencies is detrimental to everyone: the users have a much higher barrier to use (deciding if they have all of the deps., installed in the exact right location (due to KSPAddon system, in this case), with the right versions). The mod authors then suffer because their work is harder to use. They also suffer because they have to provide technical support to people who may not understand what they are doing wrong.

Your demand of mods not installing mods is untenable and naive.

And when mods get updated your users have a nightmare trying to keep all dll`s and cfg`s to the latest version while alot of modders are still including older versions.

I still see mods wich have been updated to 24.1 include old KSPAPIE, MM dll`s, scale.dll and not to mention Firespitter dll`s.

Keeping track of required mods is easier with updates then try to fix forgetting/lazyness of including latest mod depenencies.

Rather see everyone use "DataDir/plugins/" so that we can prevent either multiple copies, multiple versions spread over several mods and easy dll updates.

If people want a mod, they will take a minute to grab dependencies and as most use the same ones, this is easy and easy to keep updated.

Share this post


Link to post
Share on other sites

  • KSPAPIExtensions has a similar mechanism afaik

If you don't understand what modding actually does to your game, you have equally little right to demand stuff from modders, who offer a piece of hard work for free. And the more you understand, the more reasonable suggestions you are able to make - and you are also more likely to just fix stuff yourself.

I work as a software developer, it was a long day, I'm sorry if this became a bit of a rant.

KSPAPIExtensions.dll doesn`t have this.

I had a headache in the IR thread trying to fix the invisible menu, it came down to 2 issues:

1. tweakscale and IR while both were being updated

2. after that was fixed, Extraplanetary Launchpads had an old version and it broke again, updating that one aswell and everything was fixed

I understand with modding does, involves and can nuke the game.

Problem is that nearly every one includes their dependencies and trying to prevent old files being a headache.

Yes, I check every download to prevent old modules coming back using their size :)

  • Like 1

Share this post


Link to post
Share on other sites

I think the thread was about the privacy issues and such, let's stay there :)

Share this post


Link to post
Share on other sites
KSPAPIExtensions.dll doesn`t have this.

I had a headache in the IR thread trying to fix the invisible menu, it came down to 2 issues:

1. tweakscale and IR while both were being updated

2. after that was fixed, Extraplanetary Launchpads had an old version and it broke again, updating that one aswell and everything was fixed

I understand with modding does, involves and can nuke the game.

Problem is that nearly every one includes their dependencies and trying to prevent old files being a headache.

Yes, I check every download to prevent old modules coming back using their size :)

It *had* it. .24 broke it. We haven't had time to fix it yet.

Share this post


Link to post
Share on other sites

Let's keep it on subject, please.

Share this post


Link to post
Share on other sites

Hi, you might remember me from some great threads like StillBetterThanSpyware.

For the record now that Squad has adopted something resembling a decent default policy w/r/t user privacy, I have no problem saying that I don't have any issues with ModStatistics as a concept, what was disconcerting was the implementation and lock of response leading up to the 0.24 release by several concerned parties (most of which has been explained as unavoidable), but that's all water under the bridge.

Back to my point on implementation, my major concerns there were two-fold.

Firstly the lack of opt-in which I feel didn't respect user privacy and rights, and despite other people saying "it's just a mod!" there are legal ramifications to the things we program. Secondly was the fact it reported on every single assembly loaded into the KSP execution space (see first point re user privacy). If the purpose for ModStatistics is to report on mods which want to collect those statistics, I feel a far better way to do so would be to expose an interface (like FARAPI, blizzy toolbar), and start up one instance of ModStatistics (in it's own GameData\ directory) and have the mods which want statistics reported report via that interface. If the user doesn't want to report statistics, they opt out of one mod on startup and then delete the GameData directory if they wanted (future upgrades would prompt again in this case). This model (DLL in it's own GameData directory) seems to be almost universally accepted for every other plugin out there, I can't figure out why a different approach was necessary in this case. An additional benefit of this model is that mods could report mod-specific statistics if necessary (error counters, how long windows are open to see what users are actually doing with the mod) via an interface similar to statsd that the collector/reporter mod implements. This is far more useful (and more invasive, but it's opt-in, so it should be acceptable to most privacy conscious observers) than raw 'X people use mod Y'

Second point on implementation is the GUID. This gets into the legal ramifications area if anyone from the EU/Canada/Mexico is involved (those being the top 3 I found having laws w/r/t cookies and tracking of users). It's an easy way to de-duplicate reports so you can get 'how many users are using X', but there are less invasive ways such as tracking hours in each mod (which you can aggregate anonymously) and dividing by tracked number of hours running the statistics mod which gives you a percentage of users using each mod. Then you just need to quantify the number of people reporting statistics which is trivial enough if you limit reports to 1 per day/week (some known time interval) so you can collect statistics on how many reports were in a period, and from that (and our percentage calculated previously) how many users are using each mod.

And now derailing into a couple of other items I've been thinking about recently.

One thing I'm surprised nobody in the community has tried to standardize yet (which would help with statistics reporting, and dependency resolution via auto-updaters) is standardizing a module manifest file. Something trivial like json or ini format which can list the URL to check for (URL to latest manifest file) and download updates (URL in the latest manifest leading to latest download). Other mods could then declare dependencies in their manifest (linking to the other mod manifests) so an auto-update tool could automatically update dependencies. I know there's some people working on something similar to this, not sure how far along it is. This would also help with the statistics mod being able to report on parts mods (scan directories for manifest, have a key in the manifest for the mod declare it's desire to be reported in statistics). This also prevents the dependency hell experienced by some users (where updating other mods overwrites configs) since your manifest would specify what paths are mandatory updates (like part modules, and plugins) and what are optional (like config files).

Auto-updating is something I'm disappointed Squad didn't address (except I guess it has to be opt-in) in the rules. Cryptography is hard to get right, and good cryptography is necessary in my mind for secure auto-updating. To that end I don't think it's a good idea (or responsible) to implement this in a plugin, and it should be in an external app instead where someone only has to get the cryptography right once. I feel cryptography (in the form of file signing) is important here because we're downloading executable code to user machines, and right now with the auto-updaters people are writing now a compromise of your server (if hosting yourself) or your github/kerbalspace credentials means every active user of your mod is open to downloading malicious code (and you helped the malware author do it). Keeping this out in an external app means the code only has to be written and updated in one place so more eyes are on it and that app can validate the file (based on an SSL or GPG signature verification) before extracting to the KSP directory (I'm thinking the manifest would have SHA1/SHA2 of the zip, and the manifest would be signed with the mod author's private key). User's would be prompted the first time they install a mod to trust the key that signed it for future updates. This prevents the potential attack described above (where your hosting is compromised and the plugin replaced with something malicious) so long as your private key remains secure.

Some of this is off-topic for the OP, but this seemed like a decent place to start a conversation around these points.

Share this post


Link to post
Share on other sites
Auto-updating is something I'm disappointed Squad didn't address (except I guess it has to be opt-in) in the rules. Cryptography is hard to get right, and good cryptography is necessary in my mind for secure auto-updating. To that end I don't think it's a good idea (or responsible) to implement this in a plugin, and it should be in an external app instead where someone only has to get the cryptography right once. I feel cryptography (in the form of file signing) is important here because we're downloading executable code to user machines, and right now with the auto-updaters people are writing now a compromise of your server (if hosting yourself) or your github/kerbalspace credentials means every active user of your mod is open to downloading malicious code (and you helped the malware author do it).

This is entirely unnecessary for almost all update checking I've seen. Pretty much all mods with update checks seem to only check the latest version available and alert you when a new version is available; they don't download any executable code. Indeed, they *shouldn't* ever download executable code, because not everyone wants to update right away (e.g. with craft-breaking updates). Version checks don't need cryptography, because faking them provides no benefit - someone who goes to the forum thread or other download location will discover that there is no update anyways, and if the download location itself is compromised, there's still no downside to the automated version check (manual checking would lead to the same outcome), you just have bigger problems.

Share this post


Link to post
Share on other sites
This is entirely unnecessary for almost all update checking I've seen. Pretty much all mods with update checks only check the latest version available and alert you when a new version is available; they don't download any executable code. Indeed, they *shouldn't* ever download executable code, because not everyone wants to update right away (e.g. with craft-breaking updates).

I mentioned this because there have been some mods, such as the one this debate is all about, which did exactly this. It downloaded new executable code into the GameData folder.

Share this post


Link to post
Share on other sites

When you look at games that have successful modding communities, games that because of that fact have been around for years or even decades (lets say sim city 4 for example), the mods for these games are based on content and the fun that the user has because he/she has been playing it for all these years. Maybe not even that really, maybe just a modder creating something that he wants to share because he thinks others will enjoy it, or maybe even for such a simple thing as ego.

KSP, as it is now, is in such a primal stage that I don't see how a data gathering mod can really make a significant impact on what the mods for this game have to give. Even an update checker seems premature as the game is only updated so often, and all the mods are generally updated around that time and then wait for the next update for months. There is absolutely no reason for any mod for KSP at this point to include any code that sees something outside the users own /KSP folder whatsoever.

I mean this is all just some random persons opinion, but really... just what exactly do these kind of "mods" do for expanding the ksp modding community? To the average person that downloads a mod, it will do nothing except prompt someone when they start the game after installing it. If you want to share some cool rocket parts or something great, but really? KSP modders are making data collection programs now? Really? This is not facebook.

Share this post


Link to post
Share on other sites
I mean this is all just some random persons opinion, but really... just what exactly do these kind of "mods" do for expanding the ksp modding community? To the average person that downloads a mod, it will do nothing except prompt someone when they start the game after installing it. If you want to share some cool rocket parts or something great, but really? KSP modders are making data collection programs now? Really? This is not facebook.

There is some value plugin authors could get from a statistics package, just not the current one in it's current state. With an API the plugin authors could export statistics on how long users keep certain plugin windows open (e.g. how often each MechJeb window is open, how frequently the user interacts with it, would give statistics on what modules are most used), how frequently they use the features in the plugin, runtime statistics (how long does this function take to run on my user's computers). This is all good positive feedback which can help steer development of the plugin. If nobody's using feature X, why spend developer time on it?

Share this post


Link to post
Share on other sites
There is some value plugin authors could get from a statistics package, just not the current one in it's current state. With an API the plugin authors could export statistics on how long users keep certain plugin windows open (e.g. how often each MechJeb window is open, how frequently the user interacts with it, would give statistics on what modules are most used), how frequently they use the features in the plugin, runtime statistics (how long does this function take to run on my user's computers). This is all good positive feedback which can help steer development of the plugin. If nobody's using feature X, why spend developer time on it?

That sounds more like an OS than a mod for a game that is still in its early stages, which is exactly my point. This isn't gathering feedback for windows XYZ, there is no point and not really much benefit from gathering data from users of KSP. I mean, at this stage, why not just simply ask on the forum? Or... you know... read it. There are pages and pages of feedback on every major mod, including kethane and kas.

So why is a mass of user data required to slightly change a few values on a kethane converter?

It isn't, it just isn't necessary. He did it simply because he could.

Edited by RSF77

Share this post


Link to post
Share on other sites
That sounds more like an OS than a mod for a game that is still in its early stages, which is exactly my point. This isn't gathering feedback for windows XYZ, there is no point and not really much benefit from gathering data from users of KSP. I mean, at this stage, why not just simply ask on the forum?

Selection bias/users are notoriously bad at self reporting. Automated statistics gets you a decent cross section of people and no bias in the reporting (I don't want to admit I use mechjeb auto ascent/maneuver/landing features in public, so I'll say the only thing I use is orbit/surf info and they're great!)

Share this post


Link to post
Share on other sites
Selection bias/users are notoriously bad at self reporting. Automated statistics gets you a decent cross section of people and no bias in the reporting (I don't want to admit I use mechjeb auto ascent/maneuver/landing features in public, so I'll say the only thing I use is orbit/surf info and they're great!)

That may be true.

Somewhat ironically, given this whole situation with mod statistics and all, I kind of subscribe that mods should be made so you enjoy them yourself creatively and then if you want to share them then you do so regardless of opinion.

I guess some people just enjoy making data gathering mods.

Share this post


Link to post
Share on other sites

I think this is a moot point and we can be very pragmatic about it. European law forbids software from having this behavior. So it cannot be published in Europe. I presume other territories around the world have similar rules. Pragmatic solution is therefore: Don't break the law. You can collect statistics, if you clearly and in detail explain what is being collected and allow users to opt-in, opt-out is not good enough. All problems would go away at that point. Not everyone might like it but they'd have very little to complain about since if they don't opt-in it does not relate to them.

We can argue all day but in the end our opinions are irrelevant just like how our opinion of Majir is irrelevant. The law is the bottom line.

Before the whole controversy started I have suggested ways around the issue while still allowing Majir to collect his data. Easiest way is probably to have a mod that checks if new versions of mods exist and download them for the user. You can analyse the requests the mod makes to the server to your hearts content since it is information gathered as a side effect of a service to a user. Not as a service to the mod owner. Restrictions remain but they're much more lenient. Those suggestions and warnings were ignored. And his popularity took a hit. Everyone who'se been around the block could see it coming from a mile away. It's simple cause and effect, not rocket science. The world and the people in it aren't going to act different because we want them to.

I am pleased about the position Squad has taken in the matter. It's clearly practical and balanced and seems to abide by European law.

(I keep mentioning European law specifically because I'm informed about that version only. I'm quite certain other territories have similar laws. I expect my argument would still be true if you replace European by most other territories. At any rate, a lot of KSP customers are in Europe, the laws are relevant and abiding by them shouldn't really inconvenience anyone as they're quite reasonable.)

Share this post


Link to post
Share on other sites

This topic and communities reaction to it fascinates me. I feel that the modder had a simple choice and it was his. He could either take to heart the negative reaction from people to his mod and change it, or he could hold true to it's his mod and if you want to use it you "opt-in" by downloading it anyway. He would have to suffer the consequences in either case. As far as other mods that bundled this particular mod with them, it would be up to that publisher to make the same choice. Then they are rewarded or punished by the community.

As far as legality in any territory, I find it hard to believe that Modstatistics was in any danger of prosecution. I had his mods installed, and new it was recording my computer. To me the fine print was pretty large in comparison to say Google or Facebook. How is FB/Google not in violation of these laws if Modstatistics is? Every instance of a mod that is bundled with Modstatistics I saw had right next to the click to download button a sentence saying it contained this mod. When you sign up to FB or search on Google, the fine print is pretty small and hard to find.

The other thing I find humorous (although it doesn't negate anyone's objection to these types of "spyware") is that the US has all your data unencrypted anyway and are doing far more dangerous things with it. But we need to really get outraged at a free mod we download so we can make this awesome game a bit more complex. I wonder if that's due to our helplessness against the US government. Here our voices are obviously heard.

One last thing. This will be self policing. While I understand Squad's reaction and feeling required to do something, it didn't take long for someone to replace a good portion of the mods that used this spyware. It won't be long before someone replaces the last remaining mod (KAS) and no one will even bother with downloading a mod that includes spyware. Modders will see that in order to have the best mod, the best practice would be to open it up like Karbonite. No amount of data will be able to compete with a mod that is made from the entire community.

Share this post


Link to post
Share on other sites

If you can't be bothered to read what a file that you are about to download does, you have no buisness downloading that file, end of story.

Every mod that includes modstatistics clearly states that it includes it, and at the very least contains a link to the modstatistics thread which clearly explains what modstatistics does, and how to disable it. At that point, you have the choice to not use that mod, or to follow the simple instructions to disable it.

Anyone who neglects to perform this basic step of computer 'hygiene' has no buisness downloading files, much less installing mods.

Anyone calling modstatistics 'spyware' is indulging in pointless histrionics.

  • Like 1

Share this post


Link to post
Share on other sites
If you can't be bothered to read what a file that you are about to download does, you have no buisness downloading that file, end of story.

Every mod that includes modstatistics clearly states that it includes it, and at the very least contains a link to the modstatistics thread which clearly explains what modstatistics does, and how to disable it. At that point, you have the choice to not use that mod, or to follow the simple instructions to disable it.

Anyone who neglects to perform this basic step of computer 'hygiene' has no buisness downloading files, much less installing mods.

Anyone calling modstatistics 'spyware' is indulging in pointless histrionics.

The only flaw in that argument is that a lot of folks just download the new version of their favorite mods, and were a bit surprised when they came with extra stuff. Yes, in a perfect world, people would go to the forum post of each mod they grab every single time there is a new patch, and read all of the fine print. We do not live in that world. Even the opt-out bit, which seems obvious to those of us used to modding, is a challenge to some of our users.

This does not make them bad people (heck, I got surprised in my own save, and I daresay I have some business downloading a mod from what one would assume is a pretty safe place - the Kerbal forums - or Curse, the official mod repo). The reality is that dealing with mod users is an ugly, messy, less than perfect business.

People constantly break our stuff. They break it, change it, and are surprised when we don't support it. Again, they are not bad people, but placing an assumption of a certain universal level of technical savvy and due diligence on those users - or trying to tell them they should not do things that may hurt them, break stuff, or cause unintended or unexpected (yet well documented) consequences - is a recipe for sadness. This is reality, and why opt-out was, and still remains, the best choice. Squad's decision on this should not be a surprise.

Share this post


Link to post
Share on other sites
European law forbids software from having this behavior. So it cannot be published in Europe.

I've been following this topic for a while and seen this mentioned several times. Not living in Europe I did some googling and as far as I can tell this was not actually illegal under European law.

For the law to apply, it has to be personally identifiable information sent, meaning information that can be used to find you (or your computer) remotely. The only piece of information that might qualify was a random number that acted as an identifier of which computer the report came from so the same computer could be identified across multiple reports.

How does a random number that exists in two locations (on your computer and on the server as it saves the report) act as personally identifiable information? Personally identifiable means that it is information that a person can use to track you down. The only place the number exists is on your computer, if they've found your computer to compare the random number to, they've already found you.

Therefore I don't see how this was illegal, in the legal sense of the word.

To be clear, I am asking this question from a LEGAL perspective. I am not asking or commenting on the moral right/wrong of everything that has happened.

D.

Share this post


Link to post
Share on other sites

The other thing I find humorous (although it doesn't negate anyone's objection to these types of "spyware") is that the US has all your data unencrypted anyway and are doing far more dangerous things with it. But we need to really get outraged at a free mod we download so we can make this awesome game a bit more complex. I wonder if that's due to our helplessness against the US government. Here our voices are obviously heard.

I think it is worth pointing out that this capability is available to just about anyone with the will to do it, not just government agencies. Almost any kind of router is capable of dumping pcap in some form, and that's just the easy option.

The only difference is in the scale of the information collected.

I should point out that there are a myriad of legitimate reasons why network admins do it, this is not some sort of evil-genius scenario. This has been going on since the beginning of time from both a computing and a communications perspective.

It's just that the average guy hears about it now, and it sounds bad. Because their illusion of privacy has been shattered.

Share this post


Link to post
Share on other sites
...It's just that the average guy hears about it now, and it sounds bad. Because their illusion of privacy has been shattered.

I almost burst out laughing when I heard this. As a self-taught network admin with experience in data collection (don't ask), the whole Snowden thing was just like "So what?". I see the network traffic that comes through my servers. About 15% of it is Google-related (that's a lot). Furthermore, if you ask Google what that stuff that is they either don't respond or say "Customer service data".

I'd prefer that the government have my data then Google.

And I'd prefer the KSP community to be able to look at anonymous statistics about me then to having the government do that.

Share this post


Link to post
Share on other sites

Has anyone realized that manually downloading a mod and manually installing it by dragging it to a specific folder on your computer is a pretty onerous opt-in process? No one is going to do that accidentally/unknowingly.

Comparing KSP mods to hidden spyware is a pretty good stretch.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this