Hi!
Making an account here just to chime in on this situation, because I agree that both Fractal Softworks (as the operators of this forum) and we (as a community) need to take a clear stance on this.
The key part here will be the *definition* of malware/malicious code. Using the NIST definition:
> **malicious code** [SP 800-53]
> Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
We get three terms that should already be familiar to many people working in IT: confidentiality, integrity, and availability (or CIA for short; no relation).
- Confidentiality means, obviously, that your data will not be shared with anyone else without your permission. For Starsector mods, this would mostly affect mods that communicate over the internet for updates, telemetry, multiplayer etc. A simple rule that a mod's description must clearly state what data is shared via network (and what, if any, encryption is employed) would suffice here.
- Integrity is the one that relates to the recent drama - but also the most difficult to differentiate. Deleting and changing data is a basic fact of life in the operation of any computer program. Personally I'd appreciate the following limitations:
  - Mods may not affect files outside of Starsector's user data (saves, settings) and their own mod folder. Exceptions, if any, would require a big honking warning on the mod page.
  - Mod authors should list all *known* risks for savegame corruption on the mod page (e.g. removing the mod mid-campaign, experimental features, incompatibilities. Most mods already do this because it is common sense.)
Besides those two, many people are also upset about certain hidden features that affect gameplay in an unexpected way (e.g. the infamous damage multipliers in one version of Tahlan). But differentiating this from "bonus content" might be much harder than the above.
- Availability means not depriving players of their ability to use Starsector or other features of their computer. Crashcode may be counted under this point, with the only valid reason to include it being the previous point of Integrity - that is, if a crashcode serves to prevent save corruption/non-functional mods it is valid to include.
In summary, my suggestions:
- A mod's description should clearly state if it engages in network activity, including what data is shared, with whom, and how it is secured during transmission.
- A mod's description should clearly state if it makes any changes to files outside of its own mod folder and its own dedicated files in the "saves" folder (mod- or mission-specific settings). I would include campaign saves themselves as requiring a mention - just because it can quickly answer if a mod can be safely removed or not.
- A mod's description should clearly state any risks of file corruption (savegame or otherwise) that the mod author is aware of. Blanket disclaimers should try to be as specific as possible ("untested mod, might affect saves" rather than just "use at your own risk").
- A mod's code should not purposefully cause Starsector or other programs to crash without a valid technical reason (such as missing dependencies or risks of data corruption).
With some optional extras worth discussing:
- A mod's code should not be purposefully obfuscated to prevent understanding of its function.
- A mod's description should describe all features that have a major effect on gameplay, such as rebalancing other factions. (Directly? Indirectly? Indirectly in the main text and directly as a spoiler?)