If you want extended mod support, you kinda need it though. Stuff like Minecraft and Rimworld come to mind.
Rimworld has very good official mod support that lets you do quite a lot with completely safe XML configuration files. But as soon as you want to deviate a bit from what the vanilla game allows, you’d have to code that and embed it as a DLL in your mod.
Almost all gameplay or UI mods are DLL mods or depend on one. Quick survey : I have about 250 DLLs from my active mod list.
I literally have a Rimworld mod that calls an external python script as a feature.
It’s a special case, of course said script is not part of the mod package, it has to be installed manually. What it does is allowing generating portraits for characters externally.
I even rewrote the script to use local generation, but the one provided as an example calls an online API.
They certainly don’t review code, but on those there must be at least a scan for the most obvious malicious stuff. I am not sure it’d detect something hidden like in the article though. After all even on the guy’s PC it was only detected once it tried to actually download stuff.
The good thing about workshop is visibility, if someone notices something shady it’ll be known fast. Not perfect, but probably better than getting your mods from random sites nobody knows.
Every mod that adds functionality can do everything the User can do, except when its sandboxed (for example factorio, TES without script extender). Its really a huge attack vector.
Mods that contain code always feel sketchy to me. How much can I trust whoever made this dll or such?
If you want extended mod support, you kinda need it though. Stuff like Minecraft and Rimworld come to mind.
Rimworld has very good official mod support that lets you do quite a lot with completely safe XML configuration files. But as soon as you want to deviate a bit from what the vanilla game allows, you’d have to code that and embed it as a DLL in your mod.
Almost all gameplay or UI mods are DLL mods or depend on one. Quick survey : I have about 250 DLLs from my active mod list.
I know, and I hate it. I think the only way to fix this would be to support some limited scripting language, but that also sucks for other reasons.
Open source would also help with trust.
I literally have a Rimworld mod that calls an external python script as a feature.
It’s a special case, of course said script is not part of the mod package, it has to be installed manually. What it does is allowing generating portraits for characters externally.
I even rewrote the script to use local generation, but the one provided as an example calls an online API.
That’s why I prefer to get mods from trusted sources, like Nexusmods or the Steam Workshop.
Does it really help? Not a concern troll, just curious. Do they check code like Play Store’s verified?
They certainly don’t review code, but on those there must be at least a scan for the most obvious malicious stuff. I am not sure it’d detect something hidden like in the article though. After all even on the guy’s PC it was only detected once it tried to actually download stuff.
The good thing about workshop is visibility, if someone notices something shady it’ll be known fast. Not perfect, but probably better than getting your mods from random sites nobody knows.
Every mod that adds functionality can do everything the User can do, except when its sandboxed (for example factorio, TES without script extender). Its really a huge attack vector.