I kind of like the link-to-github idea. If I can be said to be the sole owner of my computer(s), and if I still have pure agency over how they function, when presented with a choice I would rather choose to have these systems run an operating system other than Windows. That often takes the form of "Linux." But maybe even more important than which operating system, as I have aged and learned more about computers I have realized a very, extremely powerful tool in computing is the human skill to say, "No," to whether the computer does something.
You want me to join you in a multiplayer game by using WINE on my Linux computer?
No.
You think I should run Claude Code on my Linux computer and hope that its access controls prevent it from touching my personal files?
No.
You want me to install a cool new Linux program by typing sudo curl http://warsmash.net/install.sh | bash and in so doing giving your site's code full access to my computer without me reading said code?
No.
This willingness to say no is probably more powerful than our choice of operating system. There are some people that it may hugely offend, but I have reached a point where I struggle to empathize with people offended by this. Because I do not foresee myself pressuring others to use a particular software.
Unfortunately, once I learned to understand the Power of No, I started realizing that I wasn't the first such person and that other people are way ahead of me. One way that they handle this is through operating system package managers. If you've been burned by a bad actor before learning the Power of No, you start to realize that really the power is in trust. Who you trust to build and compile your software, and then convey binaries to you unaltered, defines whether you need to worry yourself over the Power of No.
Because of that, reducing the scope of who is a trusted software provider for your computer by more heavily exercising the Power of No is a very important security practice. So while there was a point in my life where I would readily download programs from the "Tools" page on the Hive and execute them with an assumption about what those programs are and what they will do, around the time I was asked to be a volunteer tool reviewer for the Hive, after a little time I stepped down because my understanding of these topics was growing in parallel. And I actually started thinking that introducing Hive as another required step in the chain of trust of our software distribution practices maybe doesn't make sense. If Retera Model Studio is available from source code on GitHub, or as a Windows binary that I compiled and plopped onto the Hive download page, shouldn't most people want the source code version? They know that the Windows binary was created from that version. So if they use the binary from Hive, they have to trust both Hive and also GitHub where they know I pulled down the code to compile from. They also have to trust that my Windows PC which uploaded the compiled code was not infected with any malware that would have self-propagated into the binary before I uploaded to Hive. A chain of trust of 1 site - GitHub - suddenly becomes a chain of trust of 3 steps: first GitHub, then a Retera Windows PC of unknown nature, then Hive's server. If the Retera Windows PC or the Hive's server are compromised, the people downloading binaries from Hive get infected even if the original source code on GitHub had no malware.
Because of this, maybe I'm just getting old but it seems like if the Hive Workshop is going to distribute software tools -- hopefully mostly free source / open source tools -- then the Hive should probably have a GitLab instance of their own and be hosting the source code for the tools, rather than offloading that part to GitHub. Or, conversely, Hive should just link to a GitHub releases page. Either of these two creates a chain of trust of only 1 endpoint that would be simpler to audit and trust.
This problem is not applicable to Models or Skins or Icons or most of the other resource pages, because it is essentially inconceivable that they would contain malware. Maps have a similar issue on legacy patches and we could imagine a map containing malware, but the World Editor is essentially so extremely poorly designed from a software version control point of view that for historical reasons we can probably assume this problem is not applicable to the Maps section either because we are inclined to live in the past for the purposes of what Map files are and represent.
So, having "pondered aloud" in text form, my chain of reasoning is settled on suggesting that Hive pick one or the other of:
- A GitLab instance hosted on Hive which automatically builds and releases to the Tools section
- A replacement of most open source Tools on the Hive with a link to a GitHub releases page rather than a download link
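The post above argues that a mirrored binary adds a trust step (the uploader's PC, then the mirror's server) beyond the upstream source host. One defensive check that collapses that extra step is verifying whatever a mirror serves against the checksum file the developer publishes next to the upstream release. The script below is an added example, not code from the post or from Retera Model Studio; the artifact bytes, filenames and checksum file are constructed stand-ins.

```python
import hashlib
import hmac


def parse_sums(text: str) -> dict[str, str]:
    """Parse a sha256sum-style file ("<hex>  <name>" or "<hex> *<name>" per line)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.lstrip(" *")  # sha256sum marks binary mode with a leading '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums


def verify_artifact(name: str, data: bytes, sums: dict[str, str]) -> bool:
    """True only if `data` hashes to the digest upstream published for `name`."""
    expected = sums.get(name)
    if expected is None:
        return False  # a file upstream never published cannot be vouched for
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: bytes standing in for the genuine release zip (hypothetical name).
UPSTREAM_ARTIFACTS = {
    "ReteraModelStudio.zip": b"PK\x03\x04 genuine build output",
}
# The checksum file the developer would publish beside the upstream (GitHub) release.
UPSTREAM_SUMS = "\n".join(
    f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in UPSTREAM_ARTIFACTS.items()
)
# Two things a mirror might serve under the same filename: an intact copy and an altered one.
MIRROR_INTACT = UPSTREAM_ARTIFACTS["ReteraModelStudio.zip"]
MIRROR_TAMPERED = UPSTREAM_ARTIFACTS["ReteraModelStudio.zip"] + b"\x00"


def audit_mirror(name: str, served: bytes, sums_text: str) -> bool:
    """Decide whether a mirror-served file may be treated as the upstream release."""
    return verify_artifact(name, served, parse_sums(sums_text))


if __name__ == "__main__":
    for label, blob in (("intact", MIRROR_INTACT), ("tampered", MIRROR_TAMPERED)):
        ok = audit_mirror("ReteraModelStudio.zip", blob, UPSTREAM_SUMS)
        print(f"{label}: {'matches upstream' if ok else 'REJECT, does not match upstream'}")
```

The check only helps when the checksum file is fetched from the upstream release itself; a checksum hosted on the same mirror as the binary can be altered along with it.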
Only in the case of the former is there an issue in your instance. But can't you already download bundled independently? For example:
This is Retera's Model Studio v0.04 Public Beta. It is not finished! But it is something that works and is better than the Matrix Eater application, and is compatible with Patch 1.32. Retera's Model Studio is the second evolution of the Matrix Eater project. It is a standalone MDL and MDX model... (www.hiveworkshop.com)
... at the above link you can download either 4.6b or 4.6c based on which download button you click.
However, speaking from experience, the Hive Workshop Tools page contains banner advertisements and so it cannot be trusted in our aforementioned "chain of trust." On one occasion in my life, I sent the following link to an in person friend who was less experienced with computers while we were trying to set up a LAN party:
Warsmash is a mostly "clean-room engineered" rewrite of Warcraft III. A combination of LibGDX game engine, and the "mdx-m3-viewer" by Ghostwolf (used in "View in 3D" button on Hive model download section) are used to emulate the Warcraft III experience without running the actual Warcraft III... (www.hiveworkshop.com)
The person went to that link, and things spiraled out of control from there. You see, I always have the "advertisement" blocking technology. Even on my phone, I have "advertisement" blocking technology. But on that person's device, they did not have "advertisement" blocking technology.
These "advertisement" banners that probably exist on Hive Workshop unknown to me are not banners in the historical medieval sense. They are not a public declaration of something for all to see. They are a micro-targeted intelligence weapon. In the case of my LAN party, these systems resolved the browser footprint of my less technically savvy friend, determined that this human was more vulnerable and then changed all of the "advertisement" areas of the page to instead be large buttons labeled DOWNLOAD that were bigger than the actual download button of the Hive Workshop website itself.
As a consequence, this person downloaded and installed malware onto their computer instead of the "Warsmash Mod Engine" tool that I had recommended.
I cut off my Hive Heroes subscription for some years after that. I did not resubscribe until I was reminded I had unsubbed when getting lunch with Ralle. Ralle seemed very personable. I think the use of intelligence weapons on his website to attack people identified as vulnerable is happening due to oversight, not malice. But the fact remains that "advertisements" that change based on who is looking at them can't even be reviewed to be safe from this, since the malware ones might only display themselves to people already predetermined to be vulnerable via data mining and micro targeting.
So anyway, if someone was going to re-engineer the Tools page, the solution would most likely be that it should not exist and that everyone should exercise the Power of No in unison against the current Tools page until such time as it is completely free of any information weapons alleging to be "advertisements" (which, again, cannot be verified unless no dynamic per-user "advertisement" content exists at all).
However, deleting the Tools page and leading everyone to GitHub increases the concentration of power into the hands of Microsoft, which is not generally good. Perhaps the monthly funding from my Hive Heroes sub could be used to fund a tiny additional server running GitLab?