123
-=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- (c) WidthPadding Industries 1987 0|37|0 -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=-
Socoder -> On Topic -> Open and secure?

Sat, 25 Feb 2012, 04:01
Afr0
Lately I've been working on a patching system for Project Dollhouse.
The system is awesome and works great, but last night I realized it has a gaping flaw - security.
The thing is, I want Project Dollhouse to remain 100% open source, and I am not willing to make any compromises there.
I want people to be able to run their own servers. But as of right now, there is no stopping people from leaking off each other's bandwidth.
Scenario:

Person A runs his own server, but is too cheap to provide a webserver for patching.
Person B runs his own server, including a webserver that hosts patches.
Person A directs PDPatcher to download patches from person B's server. This can be done either through a recompile or through a *.ini file.

Does anyone have any ideas to prevent this scenario?
My patch scripts can be found here.

Edit: I realize that providing patches, per definision, is a pretty open service that should and could neccessarily be accessed by anyone, but I'd just like some kind of insurance against systematic leaking, if possible...

-=-=-
Afr0 Games

Project Dollhouse on Github - Please fork!
Sat, 25 Feb 2012, 04:22
Afr0
Oh!
I just realized I can instruct people to change 'patch.php' so that instead of accepting a URL of "?Version", it'll accept an entirely different URL.
That would also involve recompiling PDPatcher... I think I'll have to change the license, because the Mozilla License requires you to release any source modifications under the Mozilla License free of charge.

-=-=-
Afr0 Games

Project Dollhouse on Github - Please fork!