The Powder Toy

LuaSocket builtin

  • mniip     3rd May 2013 Developer 5 Permalink
    [note: i'm really bad at writing stuff, so this post might end up ugly, crowded and confusing, please bear with me]
    I've created a pull request on github, here it is: https://github.com/FacialTurd/The-Powder-Toy/pull/131
    What this thing basically does is, it adds luasocket (a module which lets you do networking stuff from lua) right into TPT, means when you download TPT, it will have luasocket inside.
    I'm posting this because @jacob1 has raised a very important question: security.
    The problem is, if TPT is distributed with it inside, some thoughtless user might download and run a malware lua script, which can use luasocket to download some virus and run it, or which can use luasocket to upload your powder.pref.
    However, including luasocket would simpify installation of awesome network applications such as TPTMP (indev), xsTPTIRC, autoupdate of cracker's manager.
    Another argument for it, is that just like before, moderators will hide links to malware, also users should proofread what they're going to run.
    So i'm asking your opinion on this. If you seriously like it and vote for it, maybe this will change some dev's minds and this will be in. If the community rejects the idea, well, that's sad ;_;
  • xetalim     3rd May 2013 Member 0 Permalink

    <removed>

    (perhaps get it in development assistance or so)

  • snail     3rd May 2013 Member 0 Permalink

    @mniip (View Post)

     I like the idea.

  • jenn4     3rd May 2013 Member 0 Permalink
    Well, the security issue is almost just as bad right now; you could make a script which gets your powder.pref, either writes it into the save cps/ops data, or just directly writes it on the save as text, saves it with some name so the hacker can find these saves easily, and steal the accounts. (Don't try to do this! It most probably brakes the rules! [Stealing my idea that, is.])

    I think this should be installed. Getting Luasocket work with TPT might be a pain, sometimes.
  • mniip     3rd May 2013 Developer 0 Permalink
    @jenn4 (View Post)
    Yeah, that's one more argument
  • boxmein     3rd May 2013 Former Staff 0 Permalink
    At the very least, I'd have the Lua interpreter intercept all network calls and prompt the user to allow the script network access
    (also showing the URL that was accessed), and stacking up accessed URLs to the bottom left log, or something.
    The user -needs- to see what's going on with his TPT.

    Best would be to tell the user to read the script as well before installing it.

    Also random idea, what about "ptscript: " URLs that link to script installing prompts - with the scripts section getting ready?
  • mniip     3rd May 2013 Developer 0 Permalink
    @boxmein (View Post)
    i might make a script that handles that
You need to login before you can post replies