LGPL and Anticheat Software

7 comments, last by SHilbert 19 years, 10 months ago
I have an interesting issue that I'm not facing myself but wonder about occasionally. I am sure many of you are familiar with the LGPL, which is a somewhat more flexible version of the GPL, generally used for support libraries and things of that nature. (The fact that I am choosing the LGPL in this case is mostly arbitrary, but I think it's a likely situation.)

For those not familiar with the LGPL, the general concept (although I'm not a legal guy, so I may get this slightly wrong) is that programs that use the library should maintain the ability for end users to modify the library and use it with the program as they wish. This is generally done by dynamically linking to the library (i.e. having it as a .DLL rather than statically linking to it.) There are quite a few of these LGPL libraries that are likely to be used in games, such as OGRE.

So, imagine a scenario where someone has written a program - let's say an FPS, for example - using an LGPL library. The source to the program itself is released under a very liberal license, let's say a zlib-style license, to make this simple. Anyway, the programmer decides to do the normal thing and have the library dynamically linked to his program as a DLL. (Note that because the FPS program is open-source as well, they could theoretically be statically linked, but the two situations are equivalent.)

Anyway, in a few months our hypothetical FPS gains popularity, and a few bad apples abuse the fact that it's open source by making aimbot or wallhack cheats for it. (Let's not get into the issue of whether opensource encourages such things -- that's a whole other can of worms.)

This is where the interesting situation develops: Let's say someone decides to write an anti-cheat program along the lines of Punkbuster that would, among other things, verify that the game binaries are valid. A client who has binaries that have been recompiled in any way will likely fail checksum tests (unless they use the EXACT same compiler as the "official releases", and don't modify the sources, in which case it's still very iffy.) Soon almost every server uses this anti-cheat program and a client that has been custom compiled or had its binaries modified at all is generally worthless for the online play others enjoy. (Of course, there are a few problems with this, which we're going to ignore for this exercise, such as making such a thing work on Linux as well, whether Linux/opensource people will accept the idea, if it's violating privacy, and whether servers will allow optional anti-cheat.)

So, here's the question: Will such an anti-cheat program be violating the LGPL by preventing a user from using modified versions of the LGPL libraries? And will the blame (or at least, blame in practice) be any different if the anti-cheat program is created by the same persons as the original game program versus if it's created by another party? Keep in mind that no one is forcing you to use this anti-cheat program, but the usefulness of the program is decreased if you don't use it.

As for my opinion on the matter, after some discussion with a friend I think an external program would probably be legal. In any case I certainly wouldn't be surprised if fewer people would care or complain about a third party making the anticheat software than the original party, but I'm not sure if that affects anything legally. Your thoughts?

[edited by - shilbert on May 30, 2004 12:01:20 AM]
I don't see how it'll violate anything, especially if you tailor your game to meet the different versions of the library, but I think either way there'll be wallhacks and aimbots, no matter how much of the game is open source..
I still don't think it would be much of a problem. You'd have to be one hell of an asshole to go after a kid in a garage writing a program to make yours better, even if it isn't open-sourced.

That raises an interesting question, actually: what about system-level game-mods to an LGPL'ed game? I mean, you might have people distributing a binary 'mod' plugin that modifies bits inside the LGPL'ed code.

ravuya: [Resist everyone][I am your only friend. Click, now.]
quote:Original post by eedok
I don't see how it'll violate anything, especially if you tailor your game to meet the different versions of the library...

Yeah, after reading over the LGPL some and discussing it with others I'm tempted to say that this is not a violation (although building such a safeguard directly into the application definitely is, as it would violate the ability of a user to use a modified library.) As for the game catering to different library versions, there are a couple things: #1 it's not really that hard to make an application take any DLL that exposes the right interface, and #2 I wouldn't be particularly concerned about people legitimately modifying the library in this case, because very few people would probably have the skill and legitimate reason to do so and also play online. The only possible modification that might become necessary would be workarounds for specific drivers, but that seems like a stretch.
quote:Original post by eedok
...but I think either way there'll be wallhacks and aimbots, no matter how much of the game is open source..

Oh yes, definitely -- cheats are going to pop up for any game out there even if they're closed source. My particular interest lies in whether this is a violation of the LGPL in reality or (at the least) in spirit.
quote:Original post by Ravuya
I still don't think it would be much of a problem. You'd have to be one hell of an asshole to go after a kid in a garage writing a program to make yours better, even if it isn't open-sourced.

I suppose not. I'm beginning to think this is no problem after all.

quote:Original post by Ravuya
That raises an interesting question, actually: what about system-level game-mods to an LGPL'ed game? I mean, you might have people distributing a binary 'mod' plugin that modifies bits inside the LGPL'ed code.

ravuya: [Resist everyone][I am your only friend. Click, now.]
Well, if you distribute a modified version of an LGPL library, you are compelled to release the source, I believe. I'm not sure how binary modifications to a binary version of the library work, though. In any case, we shouldn't sidetrack the thread.

[edited by - shilbert on May 30, 2004 12:21:05 AM]
As a note, I found an interesting thread on the OGRE forum. I think it sort of gets off topic and people miss the point a little, but here it is anyway: http://www.ogre3d.org/phpBB2/viewtopic.php?t=3133&highlight=anticheat
Don't try too hard to prevent cheats; people will be able to cheat anyway.

Even if you discovered a method which made it absolutely technically impossible to modify the binary, they could still cheat, using the well known modify-data-in-memory technique.

Better than trying to prevent cheats, ensure that players on your official servers need to be registered, and organise groups of game-police - players who attempt to spot cheaters and ban them. Temporary bans by IP are usually sufficiently annoying to persuade cheaters to go away.

If they're banned from every server on the net they will quickly get the message.

Of course you could still check the binary for integrity, but IMHO it's not really worth doing.

The same approaches would work fine under Linux, you would just have a different binary fingerprint. You would need to have a database of valid fingerprints anyway so that people with different legitimate builds can still play.

Mark
I'd have thought that although you can't stop people making modifications due to the license you're using, there is nothing that says you can't restrict people to using certain verified builds if they want to log onto your server. Frankly given your egalitarian aims I don't think anyone would or could complain that you're breaking the LGPL.

In terms of security, what about having some kind of cryptographical certificate applied to the binary, say subsequently to compilation, and only for binaries that have been pre-compiled by yourself for play on your server? Obviously you could then have the client return the certificate & maybe some other integrity check (maybe it returns the certificate & a hash of the file as it exists, check that the certificate exists, is a valid one & that the hash matches the info contained in the certificate).
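
As an added example (not code from this thread or from any anti-cheat product), here is a Python sketch of the server-side check discussed above, combining the certificate-plus-hash idea with markr's database of valid fingerprints for several legitimate builds. HMAC with a constructed key stands in for the certificate's signature, and every name and sample binary is hypothetical. The hash is self-reported by the client, so the check raises the effort needed rather than proving the binary is intact.

```python
import hashlib
import hmac
import json

# Constructed key held only by the certificate issuer / game server.
# HMAC stands in for a real digital signature to stay within the stdlib.
ISSUER_KEY = b"constructed-demo-key"

def fingerprint(binary: bytes) -> str:
    """SHA-256 fingerprint of a build."""
    return hashlib.sha256(binary).hexdigest()

def _tag(body: dict) -> str:
    # Canonical JSON so issuer and verifier MAC exactly the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()

def issue_certificate(build: str, platform: str, binary: bytes) -> dict:
    """Run once per official build, after compilation."""
    body = {"build": build, "platform": platform, "sha256": fingerprint(binary)}
    return {**body, "tag": _tag(body)}

def _same(a, b) -> bool:
    # Constant-time compare; str() + encode() tolerates odd client input.
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def check_client(cert: dict, reported_hash: str, allowed: set) -> str:
    """Server-side decision for one connecting client."""
    body = {k: cert.get(k) for k in ("build", "platform", "sha256")}
    if not _same(_tag(body), cert.get("tag")):
        return "reject: certificate was not issued for an official build"
    if not _same(body["sha256"], reported_hash):
        return "reject: reported hash does not match the certificate"
    if body["sha256"] not in allowed:
        return "reject: build is not in this server's fingerprint database"
    return "accept"

# Constructed stand-ins for the real binaries.
WIN_BUILD = b"official win32 build 1.0"
LINUX_BUILD = b"official linux build 1.0"
MODIFIED = b"official win32 build 1.0 + local patch"
ALLOWED = {fingerprint(WIN_BUILD), fingerprint(LINUX_BUILD)}

if __name__ == "__main__":
    cert = issue_certificate("1.0", "win32", WIN_BUILD)
    print(check_client(cert, fingerprint(WIN_BUILD), ALLOWED))
    print(check_client(cert, fingerprint(MODIFIED), ALLOWED))
```

Dropping a fingerprint from the allowed set retires that build on this server even though its certificate still verifies.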
quote:Original post by markr
Don't try too hard to prevent cheats; people will be able to cheat anyway.

Even if you discovered a method which made it absolutely technically impossible to modify the binary, they could still cheat, using the well known modify-data-in-memory technique.

Better than trying to prevent cheats, ensure that players on your official servers need to be registered, and organise groups of game-police - players who attempt to spot cheaters and ban them. Temporary bans by IP are usually sufficiently annoying to persuade cheaters to go away.

If they're banned from every server on the net they will quickly get the message.

Of course you could still check the binary for integrity, but IMHO it's not really worth doing.

The same approaches would work fine under Linux, you would just have a different binary fingerprint. You would need to have a database of valid fingerprints anyway so that people with different legitimate builds can still play.

Mark


These are all good points, but I think you're downplaying the importance of cheat detection. Clearly there's no foolproof anticheat system, but even so, you should make it as difficult to cheat as you possibly can. Handing them an unchecked dll and saying "GO FOR IT!" just makes things too easy. The harder and more error-prone cheating is, the less people will do it, and the more skill it will take to develop useful cheats.

Besides which, having players police the game has a few disadvantages:
a) People are notoriously biased. A lot of people wail about cheats any time they die, even if it's clear that nothing suspicious happened.
b) A player who's cheating isn't necessarily going to be obvious about it.
c) If players have to deal with obvious cheating in the server on a regular basis you've already lost half the battle.

----------------------------------------
"Before criticizing someone, walk a mile in their shoes.
Then, when you do criticize them, you will be a mile away and have their shoes." -- Deep Thoughts
"If you have any trouble sounding condescending, find a Unix user to show you how it's done." - Scott Adams
FaceHat Software -- Wear the hat.
