Jump to content

mods for the steam workshop

ivysaur406879
 Share

Recommended Posts

K^2

K^2

Posted
Posted

If the mod only contains assets, it's totally doable. But you don't want any mods with custom code coming through the Workshop. It's a huge vulnerability. Still, would be nice for mods that just add custom parts that rely on standard functionality.

Link to comment
Share on other sites
mcwaffles2003

mcwaffles2003

Posted
Posted

Personally, I dislike the steam workshop. Communication there is difficult to follow and even if the mod support is still hosted on here in parallel that would just divide the community and probably make the devs job more difficult. 

And just anecdotally, I have found browsing for mods and implementing them via CKAN to be the best way to apply mods for any game I've ever added mods to. Factorio comes in a distant 2nd.

Link to comment
Share on other sites
The Aziz

The Aziz

Posted
Posted
On 3/12/2021 at 4:34 AM, K^2 said:

But you don't want any mods with custom code coming through the Workshop.

I wonder how some mods for, let's say, cities skylines or truck simulator work then. I suppose they don't interfere with game code and just work on top of it. Plus, at least in truck sim case, mods are just separate .scs files, probably acting like archive for everything inside.

Also, it was probably a dev choice to not allow anything other than craft files in the workshop. It may change for the sequel.

Link to comment
Share on other sites
Gargamel

Gargamel

Posted
Posted

If the game is available on any platform other than Steam (GoG, Epic, KSP store), then using the workshop is right out the window. 

But seeing how CKAN is the greatest mod manager I've ever seen, for any game, way better than the workshop on many many fronts, I'd rather they stuck with that in particular. 

Link to comment
Share on other sites
jastrone

jastrone

Posted
Posted

i would really think this would be cool too but sometimes when modding gets so easy it is expected to be played with mods. such games are teardown and beam.ng drive where it fits with having mods since there is not much content in the game but ksp is a bit different and the entire game can change with just one mod. 

Link to comment
Share on other sites
K^2

K^2

Posted
Posted
11 hours ago, The Aziz said:

I wonder how some mods for, let's say, cities skylines or truck simulator work then. I suppose they don't interfere with game code and just work on top of it. Plus, at least in truck sim case, mods are just separate .scs files, probably acting like archive for everything inside.

Well, there's code and there's code. The problem with KSP mods is that they are distributed with a compiled DLL plugin. That can contain absolutely anything and is about as secure as running an executable you downloaded straight off the internet. In fact, in a lot of ways even worse, because it's easier to sneak a DLL file past  antivirus software, as it might not match any known signatures, and malicious behavior is easier to obfuscate if you can use engine API for parts of it. So downloading a stranger's KSP mod is a huge risk. The reason this hasn't flared up yet is because KSP modding community is fairly niche and basically works on reputation. With KSP2 reaching for wider audience and if there will be Workshop support, this all goes out the window. A bad actor with burner Steam account and KSP2 key could hit thousands or tens of thousands of machines with malicious software, and that will make it worth it for somebody.

There are ways to address it. Unfortunately, I haven't looked at either Cities Skyline or Truck Simulator mods, so I can't comment on these specifically, but there are safe (to within reasonable definition) ways to distribute code with UGC. The general approach is to create a sandbox for imported code. Even an executable is reasonably safe, because if you create a separate process with no kernel modules, and only provide your custom API, which is carefully designed to prevent malicious operations, then all the code can do is talk to your API and perform actions in the game. In that case, worst it can do is break something in the game. This is a lot of work, however, and I wouldn't even fully trust myself with something like this, so this would take a security expert hire to do this right.

A better approach is to run the code in some sort of a VM. Now, there are plenty of stories where VMs have been exploited to gain arbitrary code execution, so not just any VM will do. Fortunately, the entire internet relies on existence of fast, reliable, and secure VMs - specifically, for JavaScript on web pages. Letting modders run JavaScript is an excellent way to have them extend the game without creating giant security holes.  JavaScriptCore used by all iOS devices or V8 used by Chromium and Android devices are good candidates, as they are well tested and open source. The only disadvantage here for a game like KSP2 is that you'll need to make sure your API has JS bindings, but C# actually makes that very easy with Attributes. At work, we are using these to create Python bindings inside all of our C# tools, and while it's a bit of an effort to set up a custom attribute like this initially, thereafter, any API call you are using in parts code you want to be accessible from JavaScript would just take something like [JavaScript] attribute and just work. From there on, it's just a matter of making sure your API doesn't provide any arbitrary file or network I/O and you're set.

Finally, you can run your own VM that you make sure cannot be exploited. It's hard to do in general, but as discussed in logic gates thread, VPL is actually a good way to achieve it. It's generally a lot easier to secure a node-based script, because all the relevant data can be required to be stored within a node. Then even if you transpile the VPL into bytecode for evaluation on conventional VM for efficiency, so long as you only distribute the raw VPL with your Workshop entries and your transpiler does good error checking, then you can have all the performance of a good bytecode VM with security and ease of use of VPL. Win-win-win, but not just any software engineer is going to be able to set all of this up. It requires a fairly senior person with background in scripting, so unless there is strong desire to have VPL in KSP2 in general, I would still go with JavaScript as a better option for Workshop.

(Links all over the place, because I realized I'm using too much jargon and abbreviations.)

Link to comment
Share on other sites
Dientus

Dientus

Posted
Posted

So do we know how mods will be implemented in ksp2? Will it be coded dll or exes? Will it be LUA or Java? Or will it be pure script interpreted by the engine?

 

Im sure most of us have seen all types and I am not arguing what is the best way, too messy. I am asking if there is anything stated by devs as a finality as of this date?

 

Link to comment
Share on other sites
K^2

K^2

Posted
Posted
29 minutes ago, Dientus said:

So do we know how mods will be implemented in ksp2?

I don't think we've heard anything about it. But it looks like KSP2 is using the same monobehavior GameObject patterns in Unity as KSP, so DLL plugins would be the most straightforward and easiest way to make it happen. If they aren't planning for any serious Workshop integration, that might be all we get. But it is just me guessing. I would also like to know something a bit more concrete.

Link to comment
Share on other sites
Kernel Kraken

Kernel Kraken

Posted
Posted
On 3/11/2021 at 9:34 PM, K^2 said:

If the mod only contains assets, it's totally doable. But you don't want any mods with custom code coming through the Workshop. It's a huge vulnerability. Still, would be nice for mods that just add custom parts that rely on standard functionality.

Well, Garry's Mod had a whole bunch of completely custom mods running through the workshop. Mods like the ACF or whole new game modes have been added that need a single click on the "subscribe" button to install. The workshop essentially does what CKAN does, it's just an integrated mod loader.

Link to comment
Share on other sites
K^2

K^2

Posted
Posted
1 hour ago, Kernel Kraken said:

Well, Garry's Mod had a whole bunch of completely custom mods running through the workshop. 

IIRC, GMod uses Lua scripts for that. People have found remote code execution exploits in Lua in the past in other projects. I don't know what the status of it in GMod is and how well sandboxed the scripting system is, so I'm not going to promise that it's safe, but it can at least be made sufficiently safe.

In the modern world, JavaScript is far better for performance, security, availability of libraries and support, and ease of debugging than Lua is by a considerable margin. That wasn't quite the case back when GMod first appeared, so for legacy games like this, I don't mind Lua too much. For anything modern, if you are going with Lua instead of JS, you're objectively doing it wrong.

Link to comment
Share on other sites
 Share
Go to topic listing
×
×
  • Create New...