I agree. But I can't very well talk about this on Curse since they rely on advertisement and this idea might indirectly hurt them if it worked as intended. WoW is a big business and I prefer free sites that have no such restrictions. Maybe I'll look around to other sites but I thought I'd start here. After all, you do have good developers and I don't know if differences to other communities are really all that big.
What I still don't understand is how you cannot find this useful. I didn't want to bring this up at first because of its obvious security issues:
For some specially signed modules, you can lower security restrictions, allowing them to be executed immediately after clicking yes on a dialog box instead of having to install them. These modules are very small and only temporary in nature.
Example 1:
Lets assume that every WoW user had my base addon installed. When somebody asked in the chat where quest XYZ in Nagrand can be completed, you wouldn't have to tell them the coordinates. Having a ping-sender addon installed, you would simply right click on your map and choose "send location to user". The user gets the coordinates along with a tiny portion of signed code that displays a ping on their map.
Having the base addon installed means you are able to process any data of any addon that will ever be made in the future because that data will come with its own handler which the base addon can run.
Example 2:
Let's take another example that should be closer to your community: Omen. I know it's been mentioned before but you probably only considered distribution of updates. I'm asking why does everyone have to have Omen installed in the first place? Wouldn't it be enough to have one user download the latest version and send a small stub to everyone else in the raid that is able to display bars and data in a window? That single user could calculate threat values and send them to everybody else which would drastically reduce the number of packets that have to be sent. It would also save memory (and maybe even CPU time on the whole) because only one user has to have the threat library installed on their system. Granted, you can also do that using a client/master approach where all other users need to have at least a small client installed.
Don't you think developers will be glad if they don't have to wait a couple of months until people finally notice how useful their addon is. With my idea, all it takes is just one guy in a raid or even only one guy on an entire server who has the addon to make it immediately work for everyone else he comes in contact with! There's no better promotion for your addon than others seeing it in action. With Omen, there's just nothing to see unless you have it.
Example 3:
I'm an enchanter and want to advertise my wares. If a user is interested, why can't I just send them a graphical window that will pop up on their screen and display all I have to offer including prices and such? Yes, it also works via the chat but not as well. The client has it all, boxes and whatever, they're just not available to another user.
What I propose is an universal Turing machine, a dynamic scripting engine on each client, akin to scripting for webbrowsers. I agree that there are many security issues with this even when only accepting signed modules. Security experts recommend completely disabling scripting in webbrowsers because it's inherently a bad idea. But nobody ever said it wasn't useful. So fine, tell me that my idea is dangerous and we'll discuss it. But don't tell me you don't see any use for it. That's just driving me nuts! ;D
That would be like visiting the IBM site and they ask you to download ibm.exe first or the site can't be displayed. After all, if the user wants to use the IBM website for a longer period of time then they won't mind installing the EXE, right?
Maybe it has to do with the mindset. I feel like explaining to a couple of old HTML guys why they need Web 2.0. Maybe they don't. You can do everything with static pages and everything else is overkill. Who needs all that stuff in an online game? Maybe you don't. But don't tell me you can't see how this might be useful.
PS: I am grateful for all the comments so far. I will not keep on trying to convince you if there are no more comments. So if anyone is tired of my stubborn refusal to give up this project, just stop answering. I can't force anyone to accept my idea but I will try as long as I think it's not entirely pointless :D
1) TomTom, it does exactly what you said, doesn't rely on a user needing your master sending addon installed and people can trust it
2) Thats not even close to how Threat meters work, and is horribly simplifying what would be needed
3) This is the only example that really makes sense, but you're still asking for a random stranger you found in trade chat to be able to popup a GUI on your page
Configuration sharing is far simpler, I did this in about a day http://shadowed-wow.googlecode.com/svn/trunk/Bazaar/Bazaar.lua and it doesn't even need to rely on loadstring hackery.
I'm just going to pitch in and say that I think that loadstring()'ing arbitrary addons is a horrible, horrible idea. The security implications are mindblowing, and the things you'd gain in exchange for the cost you'd incur just simply isn't worth it. Addons are already free and easy to find, install, and update.
What this basically boils down to is "Give me root on your box so I can fix Problem X for you." It's the WoW equivalent of running a VNC server. You don't give VNC access to anyone you don't absolutely trust, and I think that to expect the WoW community to exercise the correct level of caution and security prowess is naieve at best.
The problem is that you can hook and modify addon code very easily at runtime, and if you were to expose any level of functionality powerful enough to be useful, it would be enough to ensure that the base addon's signature checking, trust validation, and other security measures could be bypassed by loadstring()'d code. It's very difficult to protect UI code without a harsh setfenv, but if your setfenv is too restrictive then the whole concept becomes pointless anyhow. It just takes one, and then you effectively have a backdoor in your WoW install for anyone with the desire to execute whatever they want on your machine.
I said it in IRC, but it was a bad idea when Kenco toyed with the idea for KTM, and I think it's a bad idea now.
I'm an enchanter and want to advertise my wares. If a user is interested, why can't I just send them a graphical window that will pop up on their screen and display all I have to offer including prices and such? Yes, it also works via the chat but not as well. The client has it all, boxes and whatever, they're just not available to another user.
Toss out winning over devs that this is a good thing.
Focus on one single aspect, the users. What you are proposing here is at it's core a social addon. Social addons have a very VERY hard time because they have to win over a LOT of users to be of any use. You can ask any raid leader out there how "easy" it is to get users to install addons they "require". You've presented two big use cases... raid leaders forcing things upon members and "bored" players sharing minigames. The first case is gonna be even harder to win over users than simply getting them to install addons that have clear advantage to them. Giving someone else control over my UI? Fuck that. The second case is also going to be a really hard sell as well. If the users are *that* bored than they must install a minigame, well alt-tab, install, and a 10sec relog ain't very painful. And the receiving user is more than likely going to have to do this with your comm addon to receive the "module" from their friend anyway.
When you look at the history of "social" addons about all you'll see is failure. Sure, some of them were very nicely written and provided really useful features. But when you're on a realm with hundreds (thousands?) of other users and only 10 use the addon? That usually makes the addon useless unless it doesn't require interacting with other users' addons... but then it's not a social addon is it? The other social addons that have had slightly better success are guild-oriented ones. But even those rarely hit a large user base, because people don't like addons "forced" on them by guild leaders, and only install them if they see a real advantage to the user, not the guild/raid.
You've seen how hard it is to convince devs that this idea is a good one. Users that don't understand addons and live in constant fear of being keylogged? Right... good luck there.
And you keep saying that we're trying to "squash" your idea? Hell no, we're trying to point out to you all the issues with it and the fact that there's really very little to be gained. You can make the addon, we sure as hell can't stop you... but if it fails miserably don't bitch at us when we say "told ya so".
Quote from Arrowmaster »
Welcome to WotLK.
For both #2 and #3. As for #1, the user would either need TomTom installed already, your addon installed already, or I find the advice "go check wowhead.com" solves the problem and all future questions from the user.
Let's take another example that should be closer to your community: Omen. I know it's been mentioned before but you probably only considered distribution of updates. I'm asking why does everyone have to have Omen installed in the first place? Wouldn't it be enough to have one user download the latest version and send a small stub to everyone else in the raid that is able to display bars and data in a window? That single user could calculate threat values and send them to everybody else which would drastically reduce the number of packets that have to be sent. It would also save memory (and maybe even CPU time on the whole) because only one user has to have the threat library installed on their system. Granted, you can also do that using a client/master approach where all other users need to have at least a small client installed.
Don't you think developers will be glad if they don't have to wait a couple of months until people finally notice how useful their addon is. With my idea, all it takes is just one guy in a raid or even only one guy on an entire server who has the addon to make it immediately work for everyone else he comes in contact with! There's no better promotion for your addon than others seeing it in action. With Omen, there's just nothing to see unless you have it.
Example 3:
I'm an enchanter and want to advertise my wares. If a user is interested, why can't I just send them a graphical window that will pop up on their screen and display all I have to offer including prices and such? Yes, it also works via the chat but not as well. The client has it all, boxes and whatever, they're just not available to another user.
Your examples 2 and 3 are very bad. Let me explain:
A) The default UI in WotLK now comes with a threat meter, with threat values supplied directly from Blizzard servers. No longer will Omen be needed.
B) Even if the above is not the case, Omen is required to be installed on every single person's wow, because there are a lot of spells and effects that are only detectable on your own wow that nobody else can detect. This comes down to the fact that the combat log is incomplete, does not show refreshing of debuffs (for eg, refreshing polymorph or sunder armor doesn't show up in combat log but still causes threat), you couldn't scan talents of other players (until 2.3.0), and many many other issues involving race conditions. Have you seen the combat log report reflected damage from spell reflect (warrior skill) before the actual spell reflect spell is shown in the combat log? I have. Detecting many spells require using SPELL_CAST_SUCESS (the actual event, not the combat log one). As one of the people maintaining Omen/Threat-2.0, I can assure you that the issues are far more complex than you dreamed.
To put it down simply, every person needs to have the threat library installed as there are many spells, equipment and talent specific stuff that only the player himself knows that is not detectable by anyone else (did I mention player pets?). If it were possible with just 1 master 24 clients, wouldn't you think we would have done it that way already? (p.s. DiamondThreatMeter tries to do this, one person calculating 25 people's threat. It is no way near accurate at all.)
Your example 3 is even worse and shows that you have not paid attention to WotLK development. In WotLK, you can now link your profession directly as a tradeskill link... it will just be a clickable yellow link that looks like [Enchanting] and anyone else clicking it would open up a tradeskill window that shows what that person can make/craft/enchant. Right in the default UI.
Example 1 is the only one that is credible. But fails at the original assumption of "Lets assume that every WoW user had my base addon installed." On my server Blackrock-US, there are only 3 addons that a majority players have installed on a universal basis (I'm only considering addons that perform inter-user addon communication here):
1. Omen threat meter (even random non raiders from pugs have this)
2. Preform AV Enabler (this used to be Stinkyqueue)
3. Bigwigs or Deadly Boss Mods (there's about 25 Illidan killing guilds on my server, 18 of which have killed Brutallus)
Even Craftlist2 is becoming a very popular one, over half the trade channel /2 advertisements now include some variation of "whisper me !gem !craft !enchant for xyz wares" because it is just so much easier not to have to search through a long list to link the materials.
Remember, players install addons for their own convenience/advantages. The advantages offered by DEM is minimal at best and more than offset by the myriad disadvantages of security issues. As I pointed out earlier, RDX tried this (a smaller scale version of DEM that aimed only at code snippets targeted at boss mods) and it wasn't very popular.
It is obvious that I tried to find an example to illustrate an idea. Of course I outrageously oversimplified how Omen is supposed to work. Not to mention what happens if the person having the threat meter master addon gets disconnected and everyone's display freezes. Try finding a good example. Basically all I'm saying is that almost any addon that uses SendAddonMessage may benefit from my idea. In some cases you really do need a full install of an addon on everyone's client so those would be cases where it's less useful.
But it's great that you told us something about how Omen works and where the problems are. :D You can learn something new every day. And the WoW API is really quite large. I think that's one advantage of a community of developers, there aren't many problems that haven't been discussed already.
@Xinhuan: I'm sorry that I haven't been paying attention to WotLK development. I guess between playing the game, raiding, developing addons and real life obligations I just didn't find time to educate myself enough about what's to come in a few months. Maybe if I stopped brushing my teeth I could spend those 5 minutes on more important things :D
With regards to the tradeskill thing. I find the same problem with my own addon GuildCraft, something that does have benefit to the user. But, like all social addons it only works well if everyone has it installed. Heck i've added to it the ability to scan the linked trade skills and scrap that so that everyone dosn't have to have it installed just to function properly.
Anything complicated enough to use SAM is to complicated to be loadstring()'ed under most circumstances.
If you need help with coding DEM (in terms of coding techniques, problems to workaround, looking for security loopholes), feel free to ask though. Most of us (including me) will be willing to help.
Even though we don't really support the code sharing idea, we are still a community that encourages coding and problem solving.
Thanks. That would be fine already. I think we've highlighted just about every corner of the idea and that's a lot more than I ever expected from this thread. So thanks for bearing with me.
The idea intrigues me. Although it is likely well over my head, I find some merit on all angles of the discussion.
I -can- think of several places where a system like this could be viable, I can think of a whole lot more where.. not so much..
Props to you for going ahead and doing the work you've done so far.
I would think that your DEM would be useful for any data-sharing mods. Would make it easier for mods such as Gatherer, GatherMate, Carto_Herb/Mine/etc to all share their nodes regardless of the addon on either end.
I also think using it to distribute updated modules of bossmod addons would be a useful thing. Also, it could be used to distribute auction pricing info from, say the GMs bank alt, to all the guild members, so they wouldn't all each need to individually scan the AH to see price averages of items.. The list of possibilities extend on and on.
However, I also agree that it's a very dangerous concept, and -EVERY- precaution needs to be taken to ensure no bad code gets into WoW.. It would be detrimental to the entire addon community if Bliz decides to shut down addon message channels because of some bad code spreading itself through it's playerbase. (Not to mention the bandwidth that could, conceivable be used by said spreading)
So.. all in all, I say go for it, but don't expect it to be widely accepted until after it's proven to, not only be reliable, but secure. And remember, -your- code is public as well, and if some ill-intentioned genius happens to find a way around your security measures (which happens on a daily basis) We could all be seriously ------- by this addon.
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumWhat I still don't understand is how you cannot find this useful. I didn't want to bring this up at first because of its obvious security issues:
For some specially signed modules, you can lower security restrictions, allowing them to be executed immediately after clicking yes on a dialog box instead of having to install them. These modules are very small and only temporary in nature.
Example 1:
Lets assume that every WoW user had my base addon installed. When somebody asked in the chat where quest XYZ in Nagrand can be completed, you wouldn't have to tell them the coordinates. Having a ping-sender addon installed, you would simply right click on your map and choose "send location to user". The user gets the coordinates along with a tiny portion of signed code that displays a ping on their map.
Having the base addon installed means you are able to process any data of any addon that will ever be made in the future because that data will come with its own handler which the base addon can run.
Example 2:
Let's take another example that should be closer to your community: Omen. I know it's been mentioned before but you probably only considered distribution of updates. I'm asking why does everyone have to have Omen installed in the first place? Wouldn't it be enough to have one user download the latest version and send a small stub to everyone else in the raid that is able to display bars and data in a window? That single user could calculate threat values and send them to everybody else which would drastically reduce the number of packets that have to be sent. It would also save memory (and maybe even CPU time on the whole) because only one user has to have the threat library installed on their system. Granted, you can also do that using a client/master approach where all other users need to have at least a small client installed.
Don't you think developers will be glad if they don't have to wait a couple of months until people finally notice how useful their addon is. With my idea, all it takes is just one guy in a raid or even only one guy on an entire server who has the addon to make it immediately work for everyone else he comes in contact with! There's no better promotion for your addon than others seeing it in action. With Omen, there's just nothing to see unless you have it.
Example 3:
I'm an enchanter and want to advertise my wares. If a user is interested, why can't I just send them a graphical window that will pop up on their screen and display all I have to offer including prices and such? Yes, it also works via the chat but not as well. The client has it all, boxes and whatever, they're just not available to another user.
What I propose is an universal Turing machine, a dynamic scripting engine on each client, akin to scripting for webbrowsers. I agree that there are many security issues with this even when only accepting signed modules. Security experts recommend completely disabling scripting in webbrowsers because it's inherently a bad idea. But nobody ever said it wasn't useful. So fine, tell me that my idea is dangerous and we'll discuss it. But don't tell me you don't see any use for it. That's just driving me nuts! ;D
That would be like visiting the IBM site and they ask you to download ibm.exe first or the site can't be displayed. After all, if the user wants to use the IBM website for a longer period of time then they won't mind installing the EXE, right?
Maybe it has to do with the mindset. I feel like explaining to a couple of old HTML guys why they need Web 2.0. Maybe they don't. You can do everything with static pages and everything else is overkill. Who needs all that stuff in an online game? Maybe you don't. But don't tell me you can't see how this might be useful.
PS: I am grateful for all the comments so far. I will not keep on trying to convince you if there are no more comments. So if anyone is tired of my stubborn refusal to give up this project, just stop answering. I can't force anyone to accept my idea but I will try as long as I think it's not entirely pointless :D
- Mikma & Shadowed
2) Thats not even close to how Threat meters work, and is horribly simplifying what would be needed
3) This is the only example that really makes sense, but you're still asking for a random stranger you found in trade chat to be able to popup a GUI on your page
Configuration sharing is far simpler, I did this in about a day http://shadowed-wow.googlecode.com/svn/trunk/Bazaar/Bazaar.lua and it doesn't even need to rely on loadstring hackery.
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumWhat this basically boils down to is "Give me root on your box so I can fix Problem X for you." It's the WoW equivalent of running a VNC server. You don't give VNC access to anyone you don't absolutely trust, and I think that to expect the WoW community to exercise the correct level of caution and security prowess is naieve at best.
The problem is that you can hook and modify addon code very easily at runtime, and if you were to expose any level of functionality powerful enough to be useful, it would be enough to ensure that the base addon's signature checking, trust validation, and other security measures could be bypassed by loadstring()'d code. It's very difficult to protect UI code without a harsh setfenv, but if your setfenv is too restrictive then the whole concept becomes pointless anyhow. It just takes one, and then you effectively have a backdoor in your WoW install for anyone with the desire to execute whatever they want on your machine.
I said it in IRC, but it was a bad idea when Kenco toyed with the idea for KTM, and I think it's a bad idea now.
Welcome to WotLK.
Toss out winning over devs that this is a good thing.
Focus on one single aspect, the users. What you are proposing here is at it's core a social addon. Social addons have a very VERY hard time because they have to win over a LOT of users to be of any use. You can ask any raid leader out there how "easy" it is to get users to install addons they "require". You've presented two big use cases... raid leaders forcing things upon members and "bored" players sharing minigames. The first case is gonna be even harder to win over users than simply getting them to install addons that have clear advantage to them. Giving someone else control over my UI? Fuck that. The second case is also going to be a really hard sell as well. If the users are *that* bored than they must install a minigame, well alt-tab, install, and a 10sec relog ain't very painful. And the receiving user is more than likely going to have to do this with your comm addon to receive the "module" from their friend anyway.
When you look at the history of "social" addons about all you'll see is failure. Sure, some of them were very nicely written and provided really useful features. But when you're on a realm with hundreds (thousands?) of other users and only 10 use the addon? That usually makes the addon useless unless it doesn't require interacting with other users' addons... but then it's not a social addon is it? The other social addons that have had slightly better success are guild-oriented ones. But even those rarely hit a large user base, because people don't like addons "forced" on them by guild leaders, and only install them if they see a real advantage to the user, not the guild/raid.
You've seen how hard it is to convince devs that this idea is a good one. Users that don't understand addons and live in constant fear of being keylogged? Right... good luck there.
And you keep saying that we're trying to "squash" your idea? Hell no, we're trying to point out to you all the issues with it and the fact that there's really very little to be gained. You can make the addon, we sure as hell can't stop you... but if it fails miserably don't bitch at us when we say "told ya so".
For both #2 and #3. As for #1, the user would either need TomTom installed already, your addon installed already, or I find the advice "go check wowhead.com" solves the problem and all future questions from the user.
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumYour examples 2 and 3 are very bad. Let me explain:
A) The default UI in WotLK now comes with a threat meter, with threat values supplied directly from Blizzard servers. No longer will Omen be needed.
B) Even if the above is not the case, Omen is required to be installed on every single person's wow, because there are a lot of spells and effects that are only detectable on your own wow that nobody else can detect. This comes down to the fact that the combat log is incomplete, does not show refreshing of debuffs (for eg, refreshing polymorph or sunder armor doesn't show up in combat log but still causes threat), you couldn't scan talents of other players (until 2.3.0), and many many other issues involving race conditions. Have you seen the combat log report reflected damage from spell reflect (warrior skill) before the actual spell reflect spell is shown in the combat log? I have. Detecting many spells require using SPELL_CAST_SUCESS (the actual event, not the combat log one). As one of the people maintaining Omen/Threat-2.0, I can assure you that the issues are far more complex than you dreamed.
To put it down simply, every person needs to have the threat library installed as there are many spells, equipment and talent specific stuff that only the player himself knows that is not detectable by anyone else (did I mention player pets?). If it were possible with just 1 master 24 clients, wouldn't you think we would have done it that way already? (p.s. DiamondThreatMeter tries to do this, one person calculating 25 people's threat. It is no way near accurate at all.)
Your example 3 is even worse and shows that you have not paid attention to WotLK development. In WotLK, you can now link your profession directly as a tradeskill link... it will just be a clickable yellow link that looks like [Enchanting] and anyone else clicking it would open up a tradeskill window that shows what that person can make/craft/enchant. Right in the default UI.
Example 1 is the only one that is credible. But fails at the original assumption of "Lets assume that every WoW user had my base addon installed." On my server Blackrock-US, there are only 3 addons that a majority players have installed on a universal basis (I'm only considering addons that perform inter-user addon communication here):
1. Omen threat meter (even random non raiders from pugs have this)
2. Preform AV Enabler (this used to be Stinkyqueue)
3. Bigwigs or Deadly Boss Mods (there's about 25 Illidan killing guilds on my server, 18 of which have killed Brutallus)
Even Craftlist2 is becoming a very popular one, over half the trade channel /2 advertisements now include some variation of "whisper me !gem !craft !enchant for xyz wares" because it is just so much easier not to have to search through a long list to link the materials.
Remember, players install addons for their own convenience/advantages. The advantages offered by DEM is minimal at best and more than offset by the myriad disadvantages of security issues. As I pointed out earlier, RDX tried this (a smaller scale version of DEM that aimed only at code snippets targeted at boss mods) and it wasn't very popular.
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumBut it's great that you told us something about how Omen works and where the problems are. :D You can learn something new every day. And the WoW API is really quite large. I think that's one advantage of a community of developers, there aren't many problems that haven't been discussed already.
@Xinhuan: I'm sorry that I haven't been paying attention to WotLK development. I guess between playing the game, raiding, developing addons and real life obligations I just didn't find time to educate myself enough about what's to come in a few months. Maybe if I stopped brushing my teeth I could spend those 5 minutes on more important things :D
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumAnything complicated enough to use SAM is to complicated to be loadstring()'ed under most circumstances.
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumEven though we don't really support the code sharing idea, we are still a community that encourages coding and problem solving.
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumI -can- think of several places where a system like this could be viable, I can think of a whole lot more where.. not so much..
Props to you for going ahead and doing the work you've done so far.
I would think that your DEM would be useful for any data-sharing mods. Would make it easier for mods such as Gatherer, GatherMate, Carto_Herb/Mine/etc to all share their nodes regardless of the addon on either end.
I also think using it to distribute updated modules of bossmod addons would be a useful thing. Also, it could be used to distribute auction pricing info from, say the GMs bank alt, to all the guild members, so they wouldn't all each need to individually scan the AH to see price averages of items.. The list of possibilities extend on and on.
However, I also agree that it's a very dangerous concept, and -EVERY- precaution needs to be taken to ensure no bad code gets into WoW.. It would be detrimental to the entire addon community if Bliz decides to shut down addon message channels because of some bad code spreading itself through it's playerbase. (Not to mention the bandwidth that could, conceivable be used by said spreading)
So.. all in all, I say go for it, but don't expect it to be widely accepted until after it's proven to, not only be reliable, but secure. And remember, -your- code is public as well, and if some ill-intentioned genius happens to find a way around your security measures (which happens on a daily basis) We could all be seriously ------- by this addon.
- Self-Censor v0.1... removing trucker language.. complete.
break19