Fetching nuget packages from feeds #3
Comments
|
Defining feeds is already a thing, but updating would have to be implemented 😅 |
|
Yeah... A few big issue I feel like we might bump into:
|
Currently I have it setup so there's different categories for feeds. They'd have to be checked in order was my first idea, although that's kinda funky still I think. The main possibility for issues would be (2).
Visual Studio and such do it by storing mappings for which package was loaded from where. This would essentially be like selecting the release channel between pre-release and stable in your example. Perhaps a UI could show which feeds offer a particular package and then allow picking which one to use. When installing through the loader, the source has to be picked. For manually added packages, the user would have to be asked to select one or none to update from.
Sadly that isn't a thing in C#/.net - the only thing that comes to mind right now would be splitting some things out into an extra package, so that everything that depends on that would be classified as a game pack. (Though it would of course still ultimately be accessible through reflection and such, as any modder would be aware.)
The loading the package metadata step and loading assemblies step are already separated at least, so it won't require any significant changes in that regard, I hope 🤔 The dependency checking could use some additional version checking though. Currently it just checks names. |
True, was just trying to figure out the best way to get the message across to modders that they wouldn't really be supposed to mess with the nuget handling related code from mods, and at least reflections would stand out more prominently when reviewing/vetting mods.... I guess that the nuget management methods could be in an extra namespace that is documented clearly to not be for mods, and could have a stacktrace check of the calling assembly if want to enforce that on at least a basic level... |
|
There used to be something called Code Access Security, but that's apparently deprecated since .NET 4 - I found this, but it uses AppDomains, which are a pain to deal with and would probably make modding rather impossible. In general, the whole ability to just patch anything willy nilly makes it basically impossible to create any significant security, imo. Splitting things out into an extra package that marks something as needing to be a game pack is probably the easiest approach, and any funny reflection or patching to invoke that would make something not pass vetting. This could also apply to configs and such, so that random mods don't go around changing other's configs. 🤔 |
|
Found two more things, that would suggest only part of CAS is dead? https://learn.microsoft.com/en-us/archive/blogs/shawnfa/is-cas-dead-in-net-4 However the documentation for the attributes states that is deprecated and isn't supported anymore (at least for .net core) https://www.codeproject.com/Articles/329666/Things-I-learned-while-implementing-my-first-Level |
|
I'd say we don't need to make it impossible to access MonkeyLoader internals, as mods have code execution already anyways, and could just change whatever files MonkeyLoader uses for storing data (insert new game pack file for example). What I do think would be good is just make it clear that they shouldn't, not that they couldn't 😄 |
|
I mean, that could be prohibited with the security stuff too, but... Pain and I'm not sure if it's still supported? Either way, the best approach would then probably be to move the internals to a separate package so it's extremely obvious when something references that 🤔 |
It'd make using and updating the game packs a lot simpler if MonkeyLoader was able to have a set of trusted feeds defined and then be able to automatically update the nuget packages from it.
The text was updated successfully, but these errors were encountered: