I'm still not sure I like the thought of trying to re-implement it. While there's a number of problems with it, there's a *lot* of work in there, especially on making it scale.
So I am not sure whether he would want the masterserver code open.
Now that the Clonk league is a bit in decline, we could probably arrange to show the source code to more people though. Hm.
> While there's a number of problems with it, there's a *lot* of work in there, especially on making it scale.
> Well, the general worry is that opening the source will put the running league at greater risk. Security by obscurity and everything - unsatisfying, but it's a factor.
Open source code, on the other hand, would allow more people to find and report or fix security issues. But that would at least require more maintenance work on the old CR league...
Anyway, at least for a first iteration, from a practical point of view, is it really necessary to have the league server code in public?
Couldn't we redesign some of the security by obscurity measures that affect both client and server and deploy the rest of the CR league code, making it available to a handful of trustworthy people maintaining it?
When we feel confident that it is a) secure enough even w/o the obscurity and/or b) the CR league became inactive, we could still think about an open source release?
The authentication/multiple accounts/etc. issue still remains though.
The tricky bit is opening the code, which at this point requires an okay from matthes, which is far from certain. Random idea: If we promised to start running the remains of the CR league as well, matthes would probably be okay with it. Would have the advantage that we wouldn't need to maintain two equivalent league systems, and would maybe allow for some innovation on both sides. Also would allow us to access the CR key DB for falling back to something secure. Still feels like a strange solution though.
>I guess you mean the protection against people mass-uploading bogus references with racial slurs?
Not only that, you can easily gain starter points by creating new league accounts and winning against them.
> Right now the OC master server simply hopes that nobody cares about it enough for that to happen again, but I guess when that time comes we'll have to start shipping binaries with magic bits in it. Until that point we'll do without it, for simplicity.
There are various other options, though. Like the ability to sort and filter the games in the client according to various criteria. By default we could only list games by accounts that have already joined some games, so anyone who wants to flood with bogus games needs to fake playing the game for a while first. Or sort the games list by the hours the host has already played. With some luck, the scriptkiddies will be delighted enough that they can fill the bottom of the list with spam, and ignore that most people don't notice them.
Or even create a separate list with games from accounts that have donated to the pay-for-the-server-costs fund.
A proper solution here would require some passwords at minimum - or key file auth, with keys we can ban and regenerate. Which would in turn have to be spam-proof...
> Which would in turn have to be spam-proof...
Not necessarily. Freshly spammed accounts do not have to have the power to disrupt regular players. Sure, it'd be nice if they also wouldn't disrupt newbies, but those can simply join a few games hosted by regulars and stop being newbies. When and if someone goes to the length of faking lots of games with lots of spammed accounts, we can escalate to the next level of protection.
We will see what seems easiest when the day comes. I still like the security-by-obscurity solution for being the least hassle for players.
How do other (OpenSource) games handle spam at their masterserver? That should not be too uncommon, I guess.
Does anyone know?
(BTW: nice that we are in http://en.wikipedia.org/wiki/List_of_open_source_video_games)
Powered by mwForum 2.29.7 © 1999-2015 Markus Wichitill