Open Source

[Healer2022]

Hello.

Some questions:

1. Is DFU open source? Yes. But aren't the libraries of Unity closed source?

2. I've downloaded some mods and found that some have the source code on github and others don't.
Can we make a list of pure open source mods?

3. Some mods contain dll. Even after extracting, I still cannot easily know what the code inside does.
Mods that are not open source and include .dll are definitely a no-go for me. Can I reverse
engineer them, so that I know that they don't harm my system? (I know I can, but are there any
tools?)

4. Is it possible to build in DFU a sandbox for mods?

5. Can someone create a full modded version with only open source and stable mods? Does that make
sense? Maybe we could vote which to include.

6. Including DFU into Debian?

Regards

Healer

[BadLuckBurt]

Hello.

Some questions:

1. Is DFU open source? Yes. But aren't the libraries of Unity closed source?

2. I've downloaded some mods and found that some have the source code on github and others don't.
Can we make a list of pure open source mods?

3. Some mods contain dll. Even after extracting, I still cannot easily know what the code inside does.
Mods that are not open source and include .dll are definitely a no-go for me. Can I reverse
engineer them, so that I know that they don't harm my system? (I know I can, but are there any
tools?)

4. Is it possible to build in DFU a sandbox for mods?

5. Can someone create a full modded version with only open source and stable mods? Does that make
sense? Maybe we could vote which to include.

6. Including DFU into Debian?

Regards

Healer

I can partially answer some although I have a different perspective on this than you have.

1. Unity is closed source but the source code is still available on Github https://github.com/Unity-Technologies/UnityCsReference. You're just not allowed to do anything with it but use it for reference so you can see what it does internally.

2. You can if you want to. Some mods just deal with model / texture replacements and don't have any scripts.

3. I don't know if there are tools for the reverse engineering, there probably are. The DLLs became necessary to be able to use things like enums in the C# code since the compiler used for mods couldn't handle them properly.

4. It's probably possible but a bit overkill imo. If you don't trust it, don't use it I guess.

5. Anyone can if they want to but I'm not sure what that would accomplish, maintaining a list of open-source mods would let people decide for themselves which mods they want to use.

6. No clue.

[Healer2022]

Hello.

Thanks for your answer. It helped me.

5. It is annoying to download dozens of mods, check them if they are FOSS. Maybe the first time it's fun. But download every upgrade on its own. Would be cool to have a huge certified FOSS tarball with all stable FOSS mods, sha checksums, signed with gpg, those you don't like, you can deactivate. Done.

6. Would be cool. apt-get install dfu dfu-mods-foss Done. Would reach a huge audience.

Regards.

Healer

[Tkia]

...
5. It is annoying to download dozens of mods, check them if they are FOSS. Maybe the first time it's fun. But download every upgrade on its own. Would be cool to have a huge certified FOSS tarball with all stable FOSS mods, sha checksums, signed with gpg, those you don't like, you can deactivate. Done.
...

So you admit it's an annoying task but are expecting someone else to come along and volunteer their time (and it would be a LOT of time) to do it for you? Would be cool if somebody would volunteer to go to work for me and just send my salary home. Can't see it happening though.

And I honestly don't really see the benefit of all that work as I don't think most people care about that level of detail. Personally I prefer to choose for myself and take full responsibility for my downloads and installs, rather than rely on someone else's opinion, so I'd avoid any such bloated tarball like the plague.

[Jay_H]

...
5. It is annoying to download dozens of mods, check them if they are FOSS. Maybe the first time it's fun. But download every upgrade on its own. Would be cool to have a huge certified FOSS tarball with all stable FOSS mods, sha checksums, signed with gpg, those you don't like, you can deactivate. Done.
...

So you admit it's an annoying task but are expecting someone else to come along and volunteer their time (and it would be a LOT of time) to do it for you? Would be cool if somebody would volunteer to go to work for me and just send my salary home. Can't see it happening though.

Is there a reason you're being this argumentative? The user idly said "It would be cool if" and let it go. No one's being harassed or obligated here.

[Healer2022]

Hello.

I don't have the time and knowledge to put together a stable, secure modded DFU. Many users are in the same situation.

Now instead of letting the users do the hard job. Let's say we have 5000 users and it takes 5 hours to create that
stable, secure modded DFU. That are 25.000 hours of work!

Now if we let do that work by the mod creators that will result in approximately 250 hours if we have 50 mods!

250 hours vs. 25000 hours!

That's how Debian works.

The first step we could create a simple list in this forum, that list is update every some months and includes
all stable, compatible with each other, FOSS and secure mods with links to nexus pages.

Now in order to be accepted into this list every mod owner needs to fulfill certain requirements like:

- Contact email address and maybe homepage or for instance github, sf.net
- full source code included in the mod
- instruction step by step to recreate with that source code the exact binary mod that is included too obviously
- a README
- a changelog
- an FOSS license (MIT, GPL, ...)
- sha checksums and gpg signatures
and other useful info

Now someone checks this and then puts the mod onto the list. Once the user is trusted this test may be skipped.

So we have saved thousands of hours of work for the users.

Regards

Healer

[BadLuckBurt]

I fail to see why you're trying to pin this as something modders should do as if they have more time than you and any knowledge you lack can be learned. Modding is a hobby for me, I only mod for myself but I'm happy to make my mods available to the public who might enjoy them too but I am not about to go jump through some more hoops to satisfy someone else's need for confirmation. My source code is freely available on github and as long as you know how to build a .dfmod, you can build mine without a hitch when you pull a repo. I'm in no way obligated to provide a step-by-step, I've worked in IT for 15+ years having to deal with 'idiot-proofing' enough to know that I'm done with it. That is why I left IT and can finally enjoy coding again because I am free to do whatever I want. That does not include generating checksums, GPG signatures or any of that jazz, it is SEVERE overkill and kinda ridiculous to expect that from modders.

Also, where do those 5000 users come from? Where does the 5 hours come from? You're not really making a case by grabbing numbers out of thin air. You are the first person who has asked for something like this and if anything, I'd say this is something for the Debian community to address and not the DFU community. I'm pretty sure most modders here are on Windows, not all of them but definitely the majority so I wouldn't expect a whole lot of enthusiasm.

And Debian works by the grace of it's contributors willing to invest time, effort and providing the skillset they have, not because of what you said.

Feel free to open a thread to gather mods for this idea, I don't know if it'll gain much traction but count me out regardless.

[XJDHDR]

1. Is DFU open source? Yes. But aren't the libraries of Unity closed source?

Yes, Unity itself is mostly closed source. BadLuckBurt linked to the source code for the C# scripting API. The C++ engine code is not open source, though game devs can pay them to see and use the source for themselves only. Is this a problem?

2. I've downloaded some mods and found that some have the source code on github and others don't.
Can we make a list of pure open source mods?

I'm not aware of such a list but there's nothing stopping anyone from creating one.

3. Some mods contain dll. Even after extracting, I still cannot easily know what the code inside does.
Mods that are not open source and include .dll are definitely a no-go for me. Can I reverse
engineer them, so that I know that they don't harm my system? (I know I can, but are there any
tools?)

It depends. JetBrains has a utility called dotPeek that can disassemble a C# DLL. There is also a button in DFU's mod manager window (Extract Text) that can do so as well. The latter method doesn't work with mods that have precompiled their scripts and I don't know if dotPeek will either. There might be a tool that can do this but I have no idea where.

4. Is it possible to build in DFU a sandbox for mods?

Interkarma has stated that the lack of sandboxing is by design. It's definitely possible to create a sandboxed modding API but it would likely require a lot of work that none of the programmers here are interested in.

5. Can someone create a full modded version with only open source and stable mods? Does that make
sense? Maybe we could vote which to include.

DFU's users are free to install (or not install) whichever mods they like. I'm guessing that what you're actually asking for is someone to create a list of such mods, which people are free to do as well.

6. Including DFU into Debian?

Interkarma has stated that the only supported method of installing DFU is by downloading it from it's GitHub page, and following the given installation instructions. It's highly unlikely he is interested in including it in any Linux distro's repo (along with the work required to maintain it if and once included).

Many users are in the same situation.

Now instead of letting the users do the hard job. Let's say we have 5000 users and it takes 5 hours to create that
stable, secure modded DFU. That are 25.000 hours of work!

Now if we let do that work by the mod creators that will result in approximately 250 hours if we have 50 mods!

250 hours vs. 25000 hours!

I concur with BadLuckBurt. Where are you getting your numbers from?

The first step we could create a simple list in this forum, that list is update every some months and includes
all stable, compatible with each other, FOSS and secure mods with links to nexus pages.

The question is: Who do you envision as doing this work? I've come to the conclusion that it's not productive to ask people to do work that you can't or don't want to do yourself.

Now in order to be accepted into this list every mod owner needs to fulfill certain requirements like:

Similar to Burt, I primarily create mods and content for myself as a hobby, and share it online because I think that maybe there are people out there who also want to use my work in their games. I am not interested in meeting requirements that hinder this aspect of my creative process.

- Contact email address and maybe homepage or for instance github, sf.net

This is a hard no from me. I know enough about how the internet works to know that if I publicly share my email address, crawlers and malicious people are going to sign it up for a flood of spam. If my mod's users want to contact me, they can send me a PM on this forum, Nexus Mod's forum or a variety of other places. I don't see how adding my email address to that laundry list will help anyone.

- instruction step by step to recreate with that source code the exact binary mod that is included too obviously

Another no from me. My docs are designed for people who want to use the compiled binaries. For people who want to build my mods from source, I assume a certain level of competence with creating those sorts of binaries. Anyone who has that competence won't have trouble re-creating my binaries.

- an FOSS license (MIT, GPL, ...)

Depends what you mean by "FOSS". As an example, this is the license I use for my Impressions Resolution Customiser utilities. It is a modified version of the BSD 4-clause license. Is this FOSS? I would say so but I'm pretty sure that the FSF (Free Software Fanatics) would say no, balking at the "no piracy" clause and labelling this as an unwarranted restriction on "user freedoms".

- sha checksums and gpg signatures

What exactly does this accomplish? I already know that what my mods' users are downloading from Nexus Mods are identical to the files I uploaded there.


Just to help put things into perspective, here are the unique download numbers for the latest version of my mod, Unofficial Block, Location and Model Fixes, since I uploaded it 5 months ago:
Windows: 1.4k
Linux: 80
OSX: 12

So effectively, your requests, which appear to be focused on Debian users in particular, would be for around 6% of my mod's users, at most. I think that what most users actually want is to just play the game.

[Magicono43]

As Burt and XJDHDR said, from what it sounds like this would add alot of extra work on the modders part. For me at least, the most tedious and at least initially time-consuming thing about making a mod public is the actual documentation/process of putting it out there and such (this might just be me, as I hold a probably higher than average standard for my mod-pages and their documentation and images.) So if I had to add another step onto the process for whenever I upload a new mod or even just update one, I think I would be even less motivated to upload/update my mods, as the documentation and maintenance task is extremely tedious for me as is, so adding more would just make that even worse.

[Healer2022]

Okay, I understand.

I just want to play Daggerfall, too.

In order to satisfy my need of security a simple list would be sufficient.

There are mods that:

1. Do not contain code.
2. Contain code without .dll. You can dump it and see it. More or less open source.
3. Contain code with .dll and the source code is released (github, ...). Open source. Dll could contain malicious code, but if the user is well known, it's okay.
4. Contain code with .dll and no source code available. NO-GO for me.

1. is GREEN, flag DATA (data only)
2. is YELLOW, you have to check it, flag SCRIPTS (only scripts)
3. is YELLOW, you have to check it, flag OPENLIB (library, but source code available)
4. RED, only way is sandboxing (virtual machine on Linux) or reverse engineering, flag CLOSELIB

So the list would look like this:

STATUS_COLOR, FLAG, MOD_NAME, MOD_URL (USUALLY NEXUS), SOURCECODE_URL (CAN BE NULL)

What is your opinion?