Hard Light Productions Forums
Modding, Mission Design, and Coding => FS2 Open Tools => Topic started by: Fury on March 19, 2013, 11:18:49 am
-
Additionally, there is a critical point about the recent Java security vulnerabilities that isn't being emphasized: they apply to Java applets rather than Java applications. Java applets are what run in your browser, and they tend not to be popular these days because everyone prefers alternatives such as Flash -- which is one of the reasons Oracle was caught off-guard. Java applications are what run on your desktop. The FSO Installer is a Java application. If you disable all your Java browser plugins, you'll be fully protected from all the security exploits, and you'll still be able to run the Installer.
People are stupid, they don't know the difference between applets and applications. They don't know how to protect themselves once they have Java installed. And having JRE as a requirement to run the installer would just serve as additional support headache.
I would strongly recommend compiling native Windows, Linux and OS X executables from your Java codebase with help from GCJ. That way you can maintain single codebase (in Java) for the launcher and still provide native executables without extra support overhead of requiring JRE or unintentionally and potentially exposing people to Java exploits, through browser or otherwise. Chief already has experience in multi-platform compiling, adapting that for this project and GCJ should provide the best results in long term. IMO anyway.
-
People are stupid, they don't know the difference between applets and applications. They don't know how to protect themselves once they have Java installed. And having JRE as a requirement to run the installer would just serve as additional support headache.
People are highly likely to have Java installed already. And it's not like Java is some obscure prerequisite.
I would strongly recommend compiling native Windows, Linux and OS X executables from your Java codebase with help from GCJ. That way you can maintain single codebase (in Java) for the launcher and still provide native executables without extra support overhead of requiring JRE or unintentionally and potentially exposing people to Java exploits, through browser or otherwise. Chief already has experience in multi-platform compiling, adapting that for this project and GCJ should provide the best results in long term. IMO anyway.
This will be worth investigating.
-
Ability to formulate sentences this early should not be done without the proper stimulants.. Like coffee.
Or java, perhaps? :nervous:
-
http://www.youtube.com/watch?v=1n7oq9pCwn0
-
People are stupid, they don't know the difference between applets and applications. They don't know how to protect themselves once they have Java installed. And having JRE as a requirement to run the installer would just serve as additional support headache.
People are highly likely to have Java installed already. And it's not like Java is some obscure prerequisite.
This. Has the Java prereq been a serious problem in the past?
I would strongly recommend compiling native Windows, Linux and OS X executables from your Java codebase with help from GCJ. That way you can maintain single codebase (in Java) for the launcher and still provide native executables without extra support overhead of requiring JRE or unintentionally and potentially exposing people to Java exploits, through browser or otherwise. Chief already has experience in multi-platform compiling, adapting that for this project and GCJ should provide the best results in long term. IMO anyway.
This will be worth investigating.
GCJ hasn't been updated in years, (http://gcc.gnu.org/java/) nor is it likely to be complete enough to be able to compile the installer. (http://gcc.gnu.org/java/status.html) I wouldn't count on it.
Also, don't you think it's a wee bit presumptuous to be crowned "Installer Dude" when you haven't produced a beta yet? :P
EDIT: Re: Java and browser security, some browsers (such as Firefox (http://support.mozilla.org/en-US/kb/use-java-plugin-to-view-interactive-content)) now disable the Java plug-in by default as a security precaution. So security concerns may not be quite as serious as they appear.
-
No, it would be presumptuous to be crowned "Installer Dude" if I weren't working on the Installer. :p
I'm not aware of anybody having an issue with the fact that the Installer -- even Turey's old one -- was written in Java, until this thread.
-
Seriously?
Since last summer many news outlets (including papers and tv) have recommended uninstalling Java completely, not just updating it. This escalated this year with even US Department of Homeland Security going as far as to recommend uninstalling, instead of updating. Past year we have seen many 0-day exploits against Java, and I highly doubt these are going to stop anytime soon. Independent third party validations have concluded Java as insecure mess.
Apple, Google and Mozilla all issue updates to their software to blacklist old versions of Java. That still leaves roughly half of PC users unprotected against outdated Java versions. Namely those using IE as their browser, as Microsoft does not blacklist old Java versions. Blacklisting does not always protect against 0-day exploits either. In addition, Oracle has at times failed to fix security issues even if an update was supposed to fix them.
I would have imagined you to have reservations about using Java after all these months of Java security issues being in news, not just in internet but also in papers and tv. I am honestly quite amazed this is not the case. People who have Java installed must be record low as of now, thanks to all that news drumming.
Bottom line? It is in bad taste to require people to have 3rd party software installed that potentially puts them at risk for your own convenience. Even if great number of people already have Java installed, there is no reason to contribute towards that number. It is completely irrelevant whether old installer also required Java or not, we're not living in 2006 anymore. The date is 2013.
I don't know if this changes anything, but I'm done discussing the subject either way.
-
Riiiiight. Because news and TV are sooooooo trustworthy, especially when it comes to technology stuff. Same for the government.
-
Well, SANS is one of the highly respected security organisations in the world - you can read the following (without being a member) for their take on it:
https://www.sans.org/webcasts/uninstall-java-realistic-recommendation-no-insanity-yes-96192
https://isc.sans.edu/diary/When+Disabling+IE6+%28or+Java,+or+whatever%29+is+not+an+Option.../14947
-
Riiiiight. Because news and TV are sooooooo trustworthy, especially when it comes to technology stuff. Same for the government.
I'm sorry, but that's stupid. Governments and news outlets were only repeating what experts (real experts that is, white hat and black hat infosec people alike) were saying for years. Java plugins for browsers are a giant security risk, that's a fact.
-
Unless someone writes (and releases!) a Python-based cross-platform installer, nothing constructive is gonna come out of bashing Java here...
-
Okay, I said I would drop the subject but I find FSF's reply worth responding to.
Python. Definitely leaps and bounds better choice than Java. Not only it is more secure than Java, there are working tools to compile executables that do not require Python to be installed on computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html
Now, this might be easy and lazy way out of Java and results may not be top quality, but there is Java to Python converter tool. https://github.com/natural/java2python
-
I don't care one way or the other what the installer is written in, only that we have a working installer. THANKS GOOBER! :D
-
Okay, I said I would drop the subject but I find FSF's reply worth responding to.
Python. Definitely leaps and bounds better choice than Java. Not only it is more secure than Java, there are working tools to compile executables that do not require Python to be installed on computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html
Now, this might be easy and lazy way out of Java and results may not be top quality, but there is Java to Python converter tool. https://github.com/natural/java2python
I think I might start working on that. Sounds loads easier than the Blender/POF stuff I was working on. Out of curiosity, though, why exactly do we need an installer? Is it supposed to handle the retail installation also? (Could it, by verifying that the person has a GoG FS2 installer, then providing the files on its own--without getting us in trouble?) If not, would this whole installer issue be better resolved by an easier-to-use file hosting site tailored specifically for our use?
-
I don't believe it's to provide retail files (IMO if it could get us in trouble if we tried it). AFAIK the installer is just to give a simple interface for installing mods. i.e. automate the process and there's less chance of users making mistakes.
-
I don't care one way or the other what the installer is written in, only that we have a working installer. THANKS GOOBER! :D
We do? Where.
-
Python. Definitely leaps and bounds better choice than Java. Not only it is more secure than Java, there are working tools to compile executables that do not require Python to be installed on computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html
Not only that, but Python comes preinstalled on OSX and most major Linux distros; so generating a native binary is only really needed for Windows.
The big question would be: Python 2.x or Python 3? ;)
-
Not for the attention span-challenged...
Seriously?
Since last summer many news outlets (including papers and tv) have recommended uninstalling Java completely, not just updating it. This escalated this year with even US Department of Homeland Security going as far as to recommend uninstalling, instead of updating.
I can't find anything from the DHS saying that Java should be installed completely, just disabled in the browser (http://www.us-cert.gov/ncas/alerts/TA13-064A). Even if they did say it, assertions backed by references would be cool, since I really shouldn't have to go digging.
I'll admit that IE not providing adequate security is more of a concern, although that's really up to Microsoft to fix. If nothing else, we could tell people to disable Java in the browser (http://www.java.com/en/download/help/disable_browser.xml). Yes, many wouldn't read or follow it, but it's better than nothing. I'd be interested in trying not mentioning the Java dependency at all when it's released and finding out how many people actually don't have Java installed.
Well, SANS is one of the highly respected security organisations in the world - you can read the following (without being a member) for their take on it:
https://www.sans.org/webcasts/uninstall-java-realistic-recommendation-no-insanity-yes-96192
https://isc.sans.edu/diary/When+Disabling+IE6+%28or+Java,+or+whatever%29+is+not+an+Option.../14947
Hm, interesting. Good to see people being pragmatic. Although I doubt disabling the Java plug-in would cause much pain for people, especially given how often it's automatically done.
Riiiiight. Because news and TV are sooooooo trustworthy, especially when it comes to technology stuff. Same for the government.
I'm sorry, but that's stupid. Governments and news outlets were only repeating what experts (real experts that is, white hat and black hat infosec people alike) were saying for years. Java plugins for browsers are a giant security risk, that's a fact.
Sure, the Java plug-in is a huge security risk, although I'd bet that not many in the mainstream media know the difference between the JRE, which is what the installer uses, and the Java browser plug-in, which uses the JRE but is separate from it.
Now, this might be easy and lazy way out of Java and results may not be top quality, but there is Java to Python converter tool. https://github.com/natural/java2python
I might fiddle with this later, but $10 says that this source-to-source compiler either won't run to completion, won't produce anything resembling working code, or will produce working but unreadable/unmaintainable code. Like any other Java program, the installer doesn't just consist of the program text, but also all of the Java libraries it uses, whether standard (like Swing for the GUI and eventually crypto for computing hashes) or third-party (like 7-Zip functionality).
Also remember that with software, maintaining and updating the software is the really hard part. We'd need the installer to be maintained for years. It's great if people can write it in Python now, but who's going to keep it going and add features when we need them? Is there anyone able and willing to commit to that?
If not, would this whole installer issue be better resolved by an easier-to-use file hosting site tailored specifically for our use?
I don't understand how that would look, please explain.
I don't believe it's to provide retail files (IMO if it could get us in trouble if we tried it). AFAIK the installer is just to give a simple interface for installing mods. i.e. automate the process and there's less chance of users making mistakes.
Yup. Installing mods manually is, quite honestly, a pain, and I'm not sure there's a good way to make it painless. A few months ago, I helped someone manually install FS2 and the MVPs, and we both thought it was a pain. And this was a guy who's plenty tech-savvy (codes for his day job) working one-on-one with the guy who wrote the current install instructions.
I don't care one way or the other what the installer is written in, only that we have a working installer. THANKS GOOBER! :D
We do? Where.
I suppose a more nuanced description would be "we have been told that we should have a working installer Soon (TM)".
Python. Definitely leaps and bounds better choice than Java. Not only it is more secure than Java, there are working tools to compile executables that do not require Python to be installed on computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html
Not only that, but Python comes preinstalled on OSX and most major Linux distros; so generating a native binary is only really needed for Windows.
Hm, I'd forgotten that it comes pre-installed on those. I guess depending on just one random piece of third-party software is moderately more feasible than depending on three, even if py2exe hasn't had an official release in over 4 years (http://sourceforge.net/projects/py2exe/files/) (how reassuring!). I hope everyone would agree that asking all players to install Python is a non-starter.
The big question would be: Python 2.x or Python 3? ;)
I'd go with the latest version that's widely available on the versions of OS X we can actually support (i.e., not Tiger, maybe not Leopard), which would likely set the bar low enough for reasonably recent Linux distros. That'd likely rule out Python 3.
The latest version of py2exe supposedly supports Python 2.7, so we'd be stuck with that. Freeze (http://cx-freeze.sourceforge.net/) (at least I think this is the project Fury was talking about, since the wiki page he linked to didn't seem to go anywhere) is supposedly cross-platform and supports more recent versions of Python.
-
If not, would this whole installer issue be better resolved by an easier-to-use file hosting site tailored specifically for our use?
I don't understand how that would look, please explain.
I don't believe it's to provide retail files (IMO if it could get us in trouble if we tried it). AFAIK the installer is just to give a simple interface for installing mods. i.e. automate the process and there's less chance of users making mistakes.
Yup. Installing mods manually is, quite honestly, a pain, and I'm not sure there's a good way to make it painless. A few months ago, I helped someone manually install FS2 and the MVPs, and we both thought it was a pain. And this was a guy who's plenty tech-savvy (codes for his day job) working one-on-one with the guy who wrote the current install instructions.
A single place to look for mods, assets, and executables that's not the forums or some site from the '90s. Tagging and searching would be a plus, and additionally the ability to package multiple things together (e.g. FS2_Open with wxLauncher and MediaVPs, or all BP mods. Just download and extract to your FS2 directory--how hard could that be?). The most difficult part of the installation would be cleaning it up right after you run the GoG installer.
Python. Definitely leaps and bounds better choice than Java. Not only it is more secure than Java, there are working tools to compile executables that do not require Python to be installed on computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html
Not only that, but Python comes preinstalled on OSX and most major Linux distros; so generating a native binary is only really needed for Windows.
Hm, I'd forgotten that it comes pre-installed on those. I guess depending on just one random piece of third-party software is moderately more feasible than depending on three, even if py2exe hasn't had an official release in over 4 years (http://sourceforge.net/projects/py2exe/files/) (how reassuring!). I hope everyone would agree that asking all players to install Python is a non-starter.
The big question would be: Python 2.x or Python 3? ;)
I'd go with the latest version that's widely available on the versions of OS X we can actually support (i.e., not Tiger, maybe not Leopard), which would likely set the bar low enough for reasonably recent Linux distros. That'd likely rule out Python 3.
The latest version of py2exe supposedly supports Python 2.7, so we'd be stuck with that. Freeze (http://cx-freeze.sourceforge.net/) (at least I think this is the project Fury was talking about, since the wiki page he linked to didn't seem to go anywhere) is supposedly cross-platform and supports more recent versions of Python.
PyInstaller (http://www.pyinstaller.org) supports Win, Mac, and Lin, both Python 2.x and 3.x. The real question is: wxPython or Tkinter?
-
Can I say two things.
Firstly any chance of a thread split as the Java vs Python/other languages discussion seems to be a discussion in itself now.
Secondly, unless someone is going to develop and maintain an alternative multi platform launcher the programming language discussion is a moot discussion as it won't change anything, whereas Goober's launcher which is getting along nicely in its development will make a real difference once it is complete.
-
unless someone is going to develop and maintain an alternative multi platform launcher the programming language discussion is a moot discussion as it won't change anything, whereas Goober's launcher which is getting along nicely in its development will make a real difference once it is complete.
What's wrong with wxLauncher?
(Note to self: Start working on wxPython launcher?)
-
He meant installer.
As for developing an alternate to Goober's installer in something other than Java, it's much easier to port a working installer than it is to write one from scratch. Thus it might be best to wait until after Goober's installer is released and available for long enough to be confident it works.
And yes, headdie is probably right that the non-Java discussion is veering off topic, although if the split includes my post, then I'll have to copy over the parts that weren't Python-related.
-
I don't know why on earth I said launcher when I meant installer :blah:
-
O.
M.
G.
He wrote it in.. JAVA?! OMG OMG OMG OMG OMG
He must start over! YES. He must. Disregard all posts and threads about how we need an installer. Using Java is bad taste! Delete it. Start over! We can wait.
-
Your Java cables are too thick.
-
Seriously?
Yes, seriously. Reread what I said in the post before yours. I'm quite aware of all the Java security advisories, especially considering I program in Java for my day job. I said that I'm unaware of anyone having a problem with the fact that the Installer was written in Java, until this thread.
I would have imagined you to have reservations about using Java after all these months of Java security issues being in news, not just in internet but also in papers and tv. I am honestly quite amazed this is not the case. People who have Java installed must be record low as of now, thanks to all that news drumming.
As I said, I program in Java for my day job, and nobody is more than mildly concerned. We've disabled Java applets in our browsers, of course, but we are continuing to go full speed ahead on all of our programs, collaborative projects, and research efforts. All of which are written in Java.
And... thread split.
-
Fair enough. Would it be too much to ask if when no Java is present on the computer, user would at least be given a choice whether he wants to install Java system-wide or just for the installer? In the latter case, JRE would be downloaded to wherever the installer is and no admin privileges are required to run the installer and no java plugin would be installed to any browser.
Or don't give user a choice and go with the latter option always.
-
What? :wtf:
1) The FSO Installer does not install Java. Java is required to run it in the first place.
2) The FSO Installer doesn't give the user a "choice" in this situation; he makes his own choice as to whether and how he wants to install Java. It's the user's responsibility to disable Java in his browsers.
3) The FSO Installer doesn't require administrative privileges for anything.
-
1) I was hoping it wouldn't be a jar file as Windows doesn't know what to do with them if Java isn't installed. You know many Java apps for Win platform are exe files and have JRE included. I don't know if http://launch4j.sourceforge.net can do what I described, but at least it can embed JRE.
3) It does if no Java is installed and doesn't have its own JRE.
-
The download will be provided as simply a jar file. If Java isn't installed, the jar file won't do anything. It will either run, or it won't run, without admin privileges. If your argument is that the FSO Installer requires admin privileges because you need them to install Java, that's as ridiculous as saying that Notepad requires admin privileges because you need them to install Windows.
-
That comparison is way off. But eh, I give up.
-
Actually, I have to point out that even Minecraft wraps the launcher in an exe for Windows and an app for OS X. Linux is the only one that has to run a plain jar file. If we can do that such that it's a small enough file it might improve the user experience.