Online feature acts like malware [BIG-BUG] [PLAYER]

Started by Nepster, August 23, 2016, 05:11:27 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Nepster

Today I played some contest levels and suddenly wondered why NeoLemmix can display IchoTolot's Dune style levels, when I never ever downloaded this style. It turned out, that some update to NeoLemmix turned the Online features in the options menu on again (which I had turned off previously).
I can accept that I messed up with updating NeoLemmix and resetting my options to the default at some point, but I cannot accept
1) That NeoLemmix just downloads stuff from the internet and opens these files, while not informing me of anything. Malware does this, but no honest computer program! :devil::devil:
2) That NeoLemmix does not ask me whether to download the missing style file. I expect some message box like
   "This level needs the style file WhateverTheStyleIsCalled.dat. Download this from www,neolemmix.com/old/styles and save it to filepath/styles/NeoLemmix?"
(or something like this) and two options "OK" and "Cancel".
3) That NeoLemmix does not save the style file in the correct directory, i.e. in  base_directory/styles/NeoLemmix instead of the wrong  base_directory/styles.

ccexplore

Quote from: Nepster on August 23, 2016, 05:11:27 PM1) That NeoLemmix just downloads stuff from the internet and opens these files, while not informing me of anything. Malware does this, but no honest computer program! :devil::devil:

That's not really true.  By that definition, Windows Update and Google Play (or insert your favorite software marketplace here) are malware too.  That said, both do have settings to disable automatic download and installation of system/app updates.  Plus I guess technically, I think both do inform you discreetly (eg. balloon notifications in the system tray on the taskbar for Windows Update, Android notifications for Google Play app updates).

mobius

it sounds like a bug; upon updating, an option such as that shouldn't change automatically. Even if this is a harmless program, it's best to be on the safe side.

Quote from: ccexplore on August 23, 2016, 08:59:20 PM
Quote from: Nepster on August 23, 2016, 05:11:27 PM1) That NeoLemmix just downloads stuff from the internet and opens these files, while not informing me of anything. Malware does this, but no honest computer program! :devil::devil:

That's not really true.  By that definition, Windows Update and Google Play (or insert your favorite software marketplace here) are malware too. That said, both do have settings to disable automatic download and installation of system/app updates.  Plus I guess technically, I think both do inform you discreetly (eg. balloon notifications in the system tray on the taskbar for Windows Update, Android notifications for Google Play app updates).

"Windows Update and Google Play are malware." I agree whole-heatedly :P :D
everything by me: https://www.lemmingsforums.net/index.php?topic=5982.msg96035#msg96035

"Not knowing how near the truth is, we seek it far away."
-Hakuin Ekaku

"I have seen a heap of trouble in my life, and most of it has never come to pass" - Mark Twain


Nepster

Quote from: ccexplore on August 23, 2016, 08:59:20 PM
By that definition, Windows Update and Google Play (or insert your favorite software marketplace here) are malware too.
Yes, I consider Windows (and other software with the sole exception of anti-virus programs) malware-ish in that regard ;). Whenever I get a new computer, my very first action is always to change these setting to "Ask for user permission before updating".
But for almost all other software I use, at least the default option is "automatically check for updates, inform the user and beg for permission to install them" (and do this in a very annoying manner >:( ). Anthing that has the audacity to default to "automatic installing updates" (and is not absolutely essential) gets uninstalled pretty fast :).

namida

Quote1) That NeoLemmix just downloads stuff from the internet and opens these files, while not informing me of anything. Malware does this, but no honest computer program! :devil::devil:
2) That NeoLemmix does not ask me whether to download the missing style file. I expect some message box like
   "This level needs the style file WhateverTheStyleIsCalled.dat. Download this from www,neolemmix.com/old/styles and save it to filepath/styles/NeoLemmix?"
(or something like this) and two options "OK" and "Cancel".
3) That NeoLemmix does not save the style file in the correct directory, i.e. in  base_directory/styles/NeoLemmix instead of the wrong  base_directory/styles.

1. The option should be off by default. I'll have to look into what may have overriden or ignored the setting.
2. No. This would get annoying. I'm open to adding a third "Ask every time" option, but not to forcing such a thing on the user, especially considering that in the future this feature may be downloading lots of single pieces rather than one (occasionally more than one) graphic set.
3. <base_dir>/styles is the correct directory for the player. I can see a seperate issue here - that there's an inconsistency between what the player uses and what the editor uses - but as far as the player is concerned, <base_dir>/styles is correct.
My projects
2D Lemmings: NeoLemmix (engine) | Lemmings Plus Series (level packs) | Doomsday Lemmings (level pack)
3D Lemmings: Loap (engine) | L3DEdit (level / graphics editor) | L3DUtils (replay / etc utility) | Lemmings Plus 3D (level pack)
Non-Lemmings: Commander Keen: Galaxy Reimagined (a Commander Keen fangame)

Nepster

Quote from: namida on August 23, 2016, 09:40:49 PM
2. No. This would get annoying. I'm open to adding a third "Ask every time" option, but not to forcing such a thing on the user, especially considering that in the future this feature may be downloading lots of single pieces rather than one (occasionally more than one) graphic set.
There are ways around this, if we do both:
a) only ask once per level to download all required pieces, even if they come from different graphic sets.
b) if a style directory doesn't exist at all, then download the whole directory instead of only the the pieces that got used in the level.

ccexplore

I would strongly argue that most users who chose to turn on such an online feature is expecting and desiring automatic updates, and that if they don't want the feature, they would've just left it off.  I'm not oppose to some sort of "ask every time" but I would definitely be curious how much it'd be used compare to the other options.  (And to be honest, for that type of user, the desired experience is arguably not a dumb "ask every time", but much more likely a button to manually initiate a check, then be presented a list of available updates, and have an ability to select which specific updates to download [and likely an ability to hide certain updates from the list that the user knows will likely be ignored permanently].  It is clearly more work to build, so definitely makes sense to get an idea first of how many people would even need it.)

Simon

You need resource packages xxx, yyy, zzz, and 2 others. Download from NL.com?
Download, Always download, No, Never.

Plus a 3-way option in the global config, always, never, ask, defaulting to ask. This is the obvious method if you can't agree whether auto-downloads are good or evil. But this is the honest approach, appropriate for possible auto-downloads.

Show meaningful errors for the ascetics who click Never. Instead of (No/Never -> You lack the resource), can you find a design that omits at least one dialog of these two?

You need resources!
Download, Always download, Don't play level.

With a more powerful level browser, you can remove even that popup, and integrate the downloading with the browser. You can select and play levels, or download the resources for a level. No popup, the browser offers a download when you highlight a level. Maybe you need a save-your-butt dialog when I bypass the browser, and play a level directly by drag-level-file-on-binary. :-]

The goal should be to write an entire application free of dialog boxes. -- Jeff Atwood >_>

Forced software updates are malware. Forced Windows updates, go stand in the corner with the 1,249 packages that I should update from super-outdated to the shiny new normally-outdated. I should switch from Debian to Arch.

-- Simon

mobius

I don't really think any change needs to be made other than fixing this bug where the option got changed by itself.
everything by me: https://www.lemmingsforums.net/index.php?topic=5982.msg96035#msg96035

"Not knowing how near the truth is, we seek it far away."
-Hakuin Ekaku

"I have seen a heap of trouble in my life, and most of it has never come to pass" - Mark Twain


ccexplore

Quote from: Simon on August 25, 2016, 08:03:30 PMForced software updates are malware. Forced Windows updates, go stand in the corner with the 1,249 packages that I should update from super-outdated to the shiny new normally-outdated. I should switch from Debian to Arch.

It is only forced starting on Windows 10 and only on consumer editions I think.  Anyway, it is interesting to keep in mind that when the "software" is in the form of a web application somehow this suddenly is no longer an issue.  I guess because it's not physically on your machine?

Windows (10) is hardly the only offender in any case.  As far as I know, Google Play Services (and possibly also the Play Store itself) updates itself silently with no way for the user to control that aspect in any way, since it doesn't even show up as an app.  If Windows Update is malware, at least it is usually patching up a security issue, which is more than can be said for the dozens of apparent actual harmful malware that a lot of (admittedly not the most technical) users apparently installed all on their own without realizing (in most cases not even automatically, they just got tricked to do so manually).

Anyway, all that is rather irrelevant to NeoLemmix, the "always" and "never" options already exist.  This is more about the third option for the people who don't want to commit to either of the other two.  Not to mention it's a little unbalanced anyway to be comparing level data and resources against executable code affecting core system functionalities.

Simon

Quote from: ccexplore on August 25, 2016, 11:32:47 PM
It is only forced starting on Windows 10 and only on consumer editions I think.  Anyway, it is interesting to keep in mind that when the "software" is in the form of a web application somehow this suddenly is no longer an issue.  I guess because it's not physically on your machine?

I can stop using the web service. At worst, I have cookies left over.

I can stop using software that downloads and installs on its own. But that may have updated random libraries and broke compat with manually-installed old software that I rely on.

My only example is from reading internet news -- first Win10 demanded its own installation, then it BSODed on people's e-readers that worked perfectly in older Windowses. I'm sure the average experience is better than that.

I manually-install the bleeding edge of a few selected programs, and let everything else get old. Until it hurts after 5 years.

QuoteGoogle Play Services (and possibly also the Play Store itself) updates itself silently with no way for the user to control that aspect in any way, since it doesn't even show up as an app.

I don't use this either. >_> Nor Steam, nor any of these DRM package managers.

QuoteIf Windows Update is malware, at least it is usually patching up a security issue, which is more than can be said for the dozens of apparent actual harmful malware

Yeah, the patches from Windows Update are more helpful than what malware hides in other programs' installers.

I have no problems if you can disable the updates in a straightforward way. If, for weird reasons, you don't want to patch your system, and happily risk becoming a malware vector, so be it. I felt the biggest problem in the mandatory Windows-10-updates.

QuoteNot to mention it's a little unbalanced anyway to be comparing level data and resources against executable code affecting core system functionalities.

It may overwrite my precious data or changes with old versions from the internet. If software updates break libraries, I can downgrade the libs, but I can't revert overwriting creative work.

I accept that this risk shouldn't be high. Creative projects belong under version control, and get backed up. Or the tool might have a purely-offline bug that eats my data, so I'm not 100 % safe either way.

-- Simon

namida

QuoteAs far as I know, Google Play Services (and possibly also the Play Store itself) updates itself silently with no way for the user to control that aspect in any way, since it doesn't even show up as an app.

I don't think this is correct, assuming you're meaning on Android.

QuoteIt may overwrite my precious data or changes with old versions from the internet. If software updates break libraries, I can downgrade the libs, but I can't revert overwriting creative work.

It's worth noting that current NL code - even in the experimental - will never overwrite a graphic set (currently, graphic sets are the only things it can download). It will only download a copy of ones you don't have at all.

There is a case that may seem somewhat overwrite-ish - suppose we're dealing with a graphic set called "stuff.dat". NL's website has version 1.0 of "stuff.dat", but you've created version 1.1 of it. You create an NXP which contains this V1.1, but you do not have any copy of it (neither 1.0 nor 1.1) in your "styles" folder. You then play a LVL file which uses this graphic set. NeoLemmix downloads "stuff.dat" from the NL website, which of course would be version 1.0. You then play the NXP. Even though the NXP contains stuff.dat V1.1, NeoLemmix would use V1.0 because the contents of the "styles" folder takes priority over the contents of the NXP. However, while it might be hard to recognize the source of the error, no data is actually lost.
My projects
2D Lemmings: NeoLemmix (engine) | Lemmings Plus Series (level packs) | Doomsday Lemmings (level pack)
3D Lemmings: Loap (engine) | L3DEdit (level / graphics editor) | L3DUtils (replay / etc utility) | Lemmings Plus 3D (level pack)
Non-Lemmings: Commander Keen: Galaxy Reimagined (a Commander Keen fangame)

ccexplore

Quote from: Simon on August 26, 2016, 02:05:08 AMMy only example is from reading internet news -- first Win10 demanded its own installation, then it BSODed on people's e-readers that worked perfectly in older Windowses. I'm sure the average experience is better than that.

I also heard it caused a lot of people's webcams to stop working.  It may or may not be affecting too many people on average, but I'll concede that Win10 is rapidly making itself a poster child of forced updates gone very wrong.

Quote from: namida on August 26, 2016, 05:30:01 AM
QuoteAs far as I know, Google Play Services (and possibly also the Play Store itself) updates itself silently with no way for the user to control that aspect in any way, since it doesn't even show up as an app.

I don't think this is correct, assuming you're meaning on Android.

From the Wikipedia article (emphasis added by me):

QuoteAdoption

Google Play Services is automatically updated through Google Play on devices with the Google Play Store application installed running Android 2.3 or newer. This means Google can do fast, silent rollouts of updates, providing new functionality to old devices without manufactures having to update the Android firmware itself, working around the fragmentation of the platform for which it had become infamous.

It is possible there may be a setting buried somewhere that allows me to opt out of this, but at the very least it's not like other regular app updates.  There is no entry for "Google Play Store" or "Google Play Services" in "my apps & games" to go to for manual control of updates of those things.

I know for a fact that on my phone Google Play Store itself had updated at least once as I recall seeing the icon on the launcher changed to something more aligned with their (then-new) "Material" graphics design.  The UI in the store had tweaked several times as well, though it's quite possible a lot of those changes do not need an app update to be delivered (ie. most of the UX could just be HTML served from their web service or similar).  Google Play Services is harder to track since it is mostly a UI-less background service, though I believe on occasions when I went into App Settings to see details of running apps and background services, I've seen the list of services under Google Play Services grew and changed over time.

Quote from: namida on August 26, 2016, 05:30:01 AMThere is a case that may seem somewhat overwrite-ish <snip>You then play the NXP. Even though the NXP contains stuff.dat V1.1, NeoLemmix would use V1.0 because the contents of the "styles" folder takes priority over the contents of the NXP.

This does seem a little weird.  I can maybe understand the case where the styles folder has V1.1 while NXP has V1.0 and V1.1 superceding V1.0, but the reversed case you brought up here seems especially problematic--it's hard to imagine a good reason to replace something designed using a newer version of a set with an older version.

I have to admit that having these cases pointed out, does make me more aware of the risks of a level being broken due to a bad graphics set update.  It makes sense to consider offering some additional means to help mitigate such risks without having to opt out of all online updates altogether.  (Though I need to point out that merely asking before updating does not feel like enough of a mitigation for this--there is no way for the user to tell beforehand if the update may cause problems or not, especially with levels they may not have yet gotten around to playing.)

Nepster

Given the feedback, I now suggest the following changes:
1) Add an extra option "Download style files only after asking the player" as multiple others already suggested.
2) If the option "Automatic download" is selected, display a short note to the player "NeoLemmix is currently downloading missing style files" when this feature is in action. This note would be displayed until the download is finished, but at least somthing like one second (so that the player may read actually it).
There are two reasons: Currently the screen goes totally black, which may make the player wonder what is happening if they have a slow internet connection and need to download a large style file (like Epic.dat). Moreover if a player has selected this option while actually wanting another one, they get notified with this addition.
3) Add explanations of the various online options in the option menu. The online option menu has lots of space at the bottom, where this would fit nicely.
4) Move all NeoLemmix styles to base_directory/styles, both for the player and the editor. If a player autodownloaded styles using the player, they might want to use them as well in the editor. Currently this requires copying (or at least moving) a specific file from one directory into the correct target directory, which is unnecessarily complicated.
Regarding style files for other lemming clones like SuperLemmini or Cheapo: Either keep their styles in the subfolders they are currently in, or completely drop supporting them in the editor.