PSA: SuperString

Discussion in 'Community News and Announcements' started by eyamaz, Nov 8, 2014.

Thread Status:
Not open for further replies.
  1. Offline

    Lolmewn

    mairi likes this.
  2. Two wild claims:
    a) I don't claim it's the same level.
    b) Proof for auto-approval?

    Likely they don't check plugins at the same level of quality yet, due to having less experience with it and due to lack of man-years. However using diff-tools could explain the higher processing speed, but also is dangerous, because it is difficult to come up with reliable mechanisms that both speed up checking and provide the same level of quality.

    If you assume they used "advanced tools", of course they need experience with the draw-backs of that kind of mechanism. It could involve things like storing the whole process in a database including per-file and per-significant byte-code hashes allowing to spot unchanged files and bytecode quickly, manual and automtic tagging of files and spots in decompiled-code, having invalidations conditions for databse entries, like number of skips or passed time since last check or on finding new relations with other files, both manually and automatically, also excluding certain content from ever being skipped (auto + manual). Of course being able to make more mistakes often is a good reason not to do it, concerning reviewing for security issues. Such methods are by no means easy to design, because you can make many mistakes, but i am sure that you can reach the same reliability but higher speed with assisted review. All in all it's probably quite expensive to just invent a working system, but the main point is to have a better quality insurance, and to help tracking stuff faster that humans tend to make mistakes with ("mark all file access, reflection, command dispatching, ..."). To come back to the first sentence of this paragraph, you could assume that they checked uploads for "established plugins" less throrough or with a diff-tool, which probably lead to the faster processing and lead to the mistakes on follow-up uploads, or that there was confusion about what an "established" plugin is, but all that's speculation, given the few events it's just as probable, that they just slipped past the exploits with open eyes, despite looking at the code. With fatigue or just lack of experience that's possible, if you like it or not.

    Given public information Curse did not come in, but Bukkit staff left first, then Curse took over. (enough of that)

    The next thing to do is count lines vs. minutes. With good hardware and fast on-site access some things are possible. I don't know if they're professional with java, what professional would be, orhwat their "java level" is anyway.

    Maybe they started the process with some short-cut system or rushed through things to please users, it still remains speculation. Do you have a big plugin a professional can't review in the time that it actually took to get approved?

    Edit: I also assume they went a little more lax on project approval and some other rules that don't concern security, which i don't mind, given the situation - there is no need to claim they deliver the same quality of service as the Bukkit team did just before.

    I don't see a "miss rate" in that document, is there any details known?

    Technically you can only reach donwloaders with a public statement, so i do prefer that, knowing that not all people come back quickly, to check if the plugin developer has been banned in the meantime.

    Did Bukkit staff decompile plugins with pen and paper?

    There exists tools for java that consume CPU, e.g. in use when using tools, don't be so picky, the interesting quesiton is about a plugin that can't be reviewed by a pro (assuing they are) - so 70 lines in 1 minutes is possible, especially if you overlook exploits and if you round down "almost two minutes" to two minutes one minute. As i said - fast connection to site, fast hardware, fast review... no questions ..... except "oops".

    I would be interested in numbers though, like last time, but one probably can't have everything...

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 10, 2016
    mairi likes this.
  3. Offline

    Deathmarine

    A post...
    that I wrote...
    replying to someone's post...
    expressing my objection to allegations of statement...
    responded with iterated responses by..
    why?

    An interjection after every view point is really odd,
    I must say you don't work for Curse now do you?
     
  4. Alright, let's iterate statements that hadn't been done before, objecting what you wrote, at least partially:
    • You claimed that staff would have"notified everyone that needed notified" - i objected indirectly, roughly with "they can't possibly know whom to contact if people already have downloaded malicious plugins, thus a public announcement is the only way to reach them".
    • Extra forum category for PSA.
    • You called them "something...nonesense" - i suggested using a mirror in an indirect way, despite not liking that formula. I can't read your version from posts by Kaelten, you seem to neglect the posts attacking Curse staff between PSA and the "update on former slip-throughs". Edit: No problem with whomever ending the spiral of aggression in such a case.
    • Rest.. ok.
    Call it odd, but i don't get paid by Curse. You probably overinterpret those intersections, because you regard them with a constant time paramter?
     
  5. Offline

    Deathmarine

    So you don't agree with the previous methods of damage control, and you agree with the PSA.
    Okay... sure. Have you really examined that situation?

    I'll quote you, quoting me with said quoted nonsense.

    A: Curse claims that they had no interaction or idea what bukkitdev did.
    B: Magic happens and they know everything and claim we did a shit job.

    This is a fairly blanketed statement at the work we did. I acknowledge we were not perfect but to claim the above considering previous statements is ignorant and irritating which is the kind of thing which invokes rage.

    I just was merely identifying that you have snapped off on every opinion on the forum, not even accepting a viewpoint but dismissed with near blind prejudice, so ignorance. See below:



    No with multiple tools that we created. I'm sure that response was not meant for me as my original was in no way directed to you.

    Lastly we freely gave our time to benefit the community and preformed to the best of our ability. If you want to criticize that against a paid staff then be my guest. So with that I retire the forum as well, I'm finished defending myself and the actions of our team against a game I haven't booted in over a year to play and a volatile dictator that wished to continuously make allegations, objections, lies, to impress the community. You can have them, they are all this community has, so I agree with the best suggestion; Learn java and decompile everything you install, OR write your own plugins.
     
    Lolmewn likes this.
  6. Offline

    Lolmewn

    Missed ones are part of "approved", not missed ones however are part of "deleted". Projects are also amongst those though.

    From all the time I've spent in DBO chat I can say that it was very, very, very rare that a malicious plugin would be missed. I would want to give "proof" or something but I simply don't have it, so either take my word for it or don't believe it :p
     
  7. Offline

    Kaelten

    A. I've only claimed that we didn't integer with how Seph and team wanted to run the site.
    B. No Magic, we've been working hard on this end, and I've _never_ claimed you guys did a shit job. Ever.

    The facts that I've seen support it, and I provided some examples in a previous post. I don't think it's worth while to go through and find more.

    I'm not sure what you mean by 'snapped off on', but when I comment on a opinion I try to do so by conveying fact. I'm also open to discourse on topics if people are genuinely interested in constructive discussion.
     
  8. Offline

    korikisulda

    Better be a good excuse, like lp0 being on fire, or something...
     
    asofold likes this.
  9. This is one of the rare cases where i don't need insider information to judge the issue. Of course you can't know who downloaded the plugins, unless all downloaders have download the files while ĥaving been logged in. The only way to reach them is a public announcement, which is the preferable policy. PSA could have its own category in the forums.
    They don't claim that, on the contrary. As far as i read the SuperString thread, ridicule and accusations have been thrown at Curse, before they stated "back with Bukkit there was slip throughs too". It's not so complicated and you are not backed up facts there - unless you never read OP posts.
    The statement you cite there is a direct answer to continued "bully" and people including ex-staff asking for it literally. It may appear problematic, but given the level of accusations and ridicule it doesn't appear too much irritating when reading it. Some readers are happy about obtaining more information, the statement does not include anything about "Bukkit staff was low XY" nor the quantity of events.
    I am not making an idiot of myself for free, you know? Now that we have that, i have to state, that you are citing a post outside of its context, it was a direct answer to someone else asking how better hardware could possibly speed up things (rough context).
    You are right, it was not meant for you, though disturbingly it also was not citing nor referencing you in any way.
    I am sorry for the situation, what i criticize is the "them vs. us" part.
    Thanks, i will try to use it as information.
     
  10. Offline

    Cyclometh

    At this point if I were on the Bukkit or Curse teams supporting Bukkit, I'd just suggest closing the whole thing down. Finally end it.

    Shut down BukkitDev and all plugin hosting, and finally put a capstone on Bukkit's arc instead of dragging it out.

    As sad as it is, Bukkit is dead. Let it die.
     
    korikisulda, DSH105, slipcor and 2 others like this.
  11. Offline

    toothplck1

     
  12. It's been declared dead many times, and it's not quite full-dead yet.
     
  13. Offline

    Toyz

    Intresting, intresting in deed after reading the whole topic, I can see the point of both sides... But instead of fighting over this whole PSA thing...

    Why don't we work as a whole and try and find a way to fix it, way not make a public jenkis server and make everyone complie under that. And link our Bukkits to the Jenkis and from the Jenkins it can be a approved complie job by staff, and once the code is approved it complies to the jar and goes live on the site...

    Honestly a simple plugin could handle a bulk of that I have wrote a few jenkins plugins in the past but nothing really usable outside of my personal Jenkins...

    I mean this would solve issues cause it allows staff to look directly at the source code... And they can approve the "build job" and then driectly upload to BukkitDEV.... What is the basic concept...

    Yes some plugins have over 4,000 lines of code... But honestly 4,000+ lines of code isn't that hard to look over including if it's java... now C++ is a differnt story... But the idea is the same...

    but ya... just my two cents... But this would actually require people to be adults about it
     
  14. Offline

    korikisulda

    <


    Imho, the Bukkit API should live on though.
     
  15. Triple certified: Source code review + certified build server + binary review. You could try to base review on donations, and not review by default. One does need some skilled reviewers in the background and money vs. review isn't too much fun in case of slip-throughs.

    If reviewing won't stabilize you could think of such and similar ways, e.g. seeking a transparent way of review that includes the "vote" by trusted reviewers who also get a scoring with slip-throughs, with or without donations. Of course with dropping the reviewing completely, the advantage of using the hosting site will be somewhat lower.
     
  16. Offline

    Druxe0

    All I see in this thread is pointless flaming over and over with the exact same accusations and responses.
    In my opinion, from what I've seen, the old unpaid volunteers were better then paid Curse staff. The retired mods, anyone who is tired of this, and developers should all just quit this nonsense and go help work on SpongePowered.
     
  17. That would mean that you just need to flame and troll a bit, in order to have all people leave the pitch and use something else. While i am positive towards Sponge, there is also other alternatives, and i myself even prefer to use Bukkit, because i don't intend to throw away a couple of ten thousands of line of code (i do intend to throw away lots, but not right now and not at the "grace" of flaming).
     
  18. Offline

    xDeeKay

    AdamQpzm
    1. What point is there in Curse accepting help from retired staff? If they really wanted to help, they wouldn't have stepped down, no? Seems very silly that someone would resign only to offer their help once again.
    2. Curse own and fund this site. It was within their interest that they kept it maintained. What did you personally want to see? 0 staff members with no control and no moderation?
    3. Curse were the first people to step up and take the job, whether or not anyone asked for them, they're here because they chose to help. There's less than half of them compared to what there was before the mass resignations. So you can forget your surgeon analogy, because Curse are the only people holding what's left of this community together, and criticizing that because of a few slip ups is just a dick move.

    Curse aren't our surgeons that we asked for, they're our surgeons we need.
     
  19. xDeeKay To add on to the above:

    1. Then why are people acting as though people didn't offer to help in order to have a smooth transition? What of those who retired mainly because they didn't have the time to put into it, or didn't want to put that much time in? I assure you that advising someone how best to handle certain things takes a lot less time than actually handling those things yourself.

    2. I wanted to see the picture that EvilSeph painted when announcing the state of the project - the site to be maintained until such a time it was no longer necessary.

    3. They're here because they want to help? Do you have proof of that? To me it seems more like they're here because they have an active interest in the forums getting visitors - have you ever noticed the ads on here (assuming no curse premium or adblocker)? Who do you think that money goes to?
     
    lol768 likes this.
  20. Offline

    james137137

    Well some of that money goes to us plugin developers
     
  21. Offline

    TheMrGong

    Download link? I want to decompile and see if it was really obvious.
     
    ChipDev likes this.
  22. TheMrGong The link has, obviously, been removed. See the linked reddit post.
     
  23. Offline

    poptqrt

  24. Offline

    kkaazzuuyyaa

    Well, These few pages are just mostly arguments... Who's doing better, etc.
    Honestly, What I see is some Retired Staff/Community arguing with Curse/Community. Why can't you call just have a small online meeting, and settle differences and arguments? (Or something similar) Honestly, watching everyone argue is NOT helping anyone. Also, to the people that add to the argument. You are not helping! And at least half of the people adding to the argument don't know exactly what its about, and argue based on opinion.

    What I see is 3 sides. One neutural, like some of the Retired staff and community members. Another that consists of some of the Retired staff, and community members. Another that consists of Curse and community members.

    This '3 sided war' is NOT helping anyone. It's also resulting in the decline of Bukkit.

    Well, that's my opinion, ignore it if you want.
     
  25. Offline

    Kaelten

    I think this is largely behind us kazuya. The community is changing, but still going very strong. Let's let this go to rest. :)
     
    eyamaz, coldandtired and timtower like this.
Thread Status:
Not open for further replies.

Share This Page