Zdaemon security issue and possible GPL violation

Just a comment on the GPL angle: there were two releases of the Doom source, and only the second was under the GPL. It is therefore possible for a Doom port to be non-GPL.

That's not to say that there aren't issues with conflicting licenses for Zdoom and its offspring.

Link to post

Closing the source increases the hacking and cheating incentive by giving a reason to crack, and since the source is closed, only the development team can deal with the issues, which means many people are left in the dark of what is even happening.

Closing the source, and other similar steps taken by the development team, like forcing contact with them through a heavily moderated chat channel that doesn't accept normal IRC clients (making logging impossible), and a forum where you have to be manually authorized to post cause distrust and miscommunication.

As for the GPL, that's a quite convoluted matter; CSDoom was forced into the GPL after Carmack emailed the developer Fly when he inserted GPLed Quakeworld code, although ZDoom's code isn't compatible with the GPL. Eventually NightFang removed the Quakeworld code in ZDaemon 1.0, and kept it under the GPL, which was dropped later. While the GPL was conflicting with some of the code it had been applied to ZDaemon as a whole, including its new network code.

Don't know that much about Skulltag in this respect, but while I kind of remember it borrowing code from ZDaemon at some earlier point, it's not too clear from the documentation what happened, nor is there any mention of the source from what I can see. Though maybe it's hosted somewhere...

It's a really bad thing that the more popular C/S engines are based on ZDoom, because of its source code. If I'm not mistaken the main reason the source was GPLed is for online projects, where community interaction is such that some sort of transparency is required to generate trust. ZDoom (or the '97 license) for single player is one thing, but for MultiPlayer it really spells trouble.

Link to post

It's funny, this proves they're actually getting the worst of both worlds, they're getting the lack of transparency, trust and readily available people to audit and fix the code that comes with closed source and they're getting easy exploits via open source code.

Link to post

The exploit finder's issue is more the fact that their source is not open, not necessarily the fact that they aren't gpl (which are two different concepts). CSDoom was never under the gpl. Carmack asked Fly to keep the source open for the interests of growth and learning.

A similar thread about said issue was started and immediately removed. ZDaemon dev team has claimed to have fixed this issue but will not release a minor update or anything. Instead of letting the victims know and take necessary precautions they prefer to keep it all quiet and not let anyone know, despite it being prominently posted on a popular German tech news site. The justification of "if we keep it off our forums maybe no one will know" is weak.

The only option is a new option...

O

Link to post

Ooooh, cloak and dagger programming! Seriously, I don't think *any* port has business being closed source now. I don't care that there's an older version of the source under a useless and stupid educational use license that doesn't require redistribution -- it is the principle of the thing in my eyes.

By closing the source, they not only open themselves up to problems like these and invite mistrust, but to me they also say "our code is too good for you," as if though they have accomplished incredible things WITHOUT having stood upon the shoulders of giants.

Link to post
Mancubus II said:

Instead of letting the victims know and take necessary precautions they prefer to keep it all quiet and not let anyone know, despite it being prominently posted on a popular German tech news site.


This is exactly the kind of lack of transparency that I'm talking about. Anyone who wants to exploit ZDaemon already has the necessary information at their fingertips, and pretending like exploits don't exist doesn't change that. Wanting the community to hush up about it is simply dishonest.

Mancubus II said:

The only option is a new option...


Ho man I wish. Believe me, if there were another option, I, and tons of other people would be all over it. With all the people pissed off at ZDaemon, you'd think that at least one or two of them would be decent programmers. But...we continue to get lip service from ZDaemon with how hard it is to build and maintain. Which we all know is half bullshit, and half their fault because of their nanny state of a community.

If only...

Link to post

deathz0r said:
What's most interesting about this is the ZAD by Kilgore and excelblue in this thread at the ZDaemon forums.

Yes, they become pretty Microsoftian.

Mancubus II said:
The exploit finder's issue is more the fact that their source is not open, not necessarily the fact that they aren't gpl (which are two different concepts).

They are so intricately tied that they are almost the same. Under licenses that don't guarantee openness you're ever at the whim of whoever to see the source, while an open licence is a legal (and thus "social") certification of openness.

The only option is a new option...

That would be a boon; under the GPL or another similarly open license, of course.

Link to post
Quasar said:

By closing the source, they not only open themselves up to problems like these and invite mistrust


Extra mistrust for them releasing that trojan a few weeks ago.

Link to post

Many interesting stuff to read here. Thanks.

So if they are violating the GPL license (or similar) they are doing this illegally! The GPL is a license like (and not like) every other, at least in terms of validity/juristically. So if you perform spreading unlicensed copies of e.g. commercial software you could be sued and so on. Since the GPL is of the same juristical validity as every other license they could be sued for violating the GPL, too.
And I saw only w32 bins, nothing for Tux and the like. And bins only. Also in FAQ I didn't find anything. I mean, one article told it would be an open source thingy, but where is the source?

The forum stuff is also interesting to read. Keep your mouth shut...


( FYI: http://www.gpl-violations.org/ )

Note about cheating in general:
Cheating is a matter of player's psyche. This is valid for computer games as well as for paper & pen RPGs (e.g.). Screwing around in the system won't be of help on long sight.

Regards
Caco

Link to post
myk said:

They are so intricately tied that they are almost the same. Under licenses that don't guarantee openness you're ever at the whim of whoever to see the source, while an open licence is a legal (and thus "social") certification of openness.


Yes but they are still not the same thing. It just happens to be a viral license. You cannot say "open source" means GPL, even if GPL requires open source.

And with the small exception to some of the quake2 source that's in there zdaemon is TECHNICALLY not violating the gpl. It doesn't mean they're using the best approach nor am I defending them, but it's important to note that distinction.

Link to post

Mancubus II said:
And with the small exception to some of the quake2 source that's in there

I wasn't aware of this. Does the violation come from ZDoom?

Link to post

So what license are the other used code fragments in? Do they allow closing source like the BSD license?

Link to post
myk said:

I wasn't aware of this. Does the violation come from ZDoom?


Yes, it does. Zdoom 1.22+ at least (maybe older) uses quake2 code to redo the redscreen/item pickup palette changes and I think some console business as well.

Link to post

Csonicgo said:
I thought I'd like to clarify that skulltag used no zdaemon source- it used csdoom.

I smell bullshit... unless it was entirely cleaned of the code and reverted to CSDoom's?

Show me the source, heh.

"Those who forget history are doomed to repeat it."

Link to post
Csonicgo said:

I thought I'd like to clarify that skulltag used no zdaemon source- it used csdoom.

You're correct for every version from 0.9 to 0.94.

Link to post

ZDaemon is by far the least ethical doom port out there. It wouldn't surprise me if you could add gpl violation to the list.

Link to post

Csonicgo said:
Ah, ok, so it's his own code now? that's better :)

He's saying it used CSDoom code (Quakeworld stuff) till v0.94, and then it was swapped for ZDaemon code (from there taken in Skulltag's particular direction.)

Link to post

ZDAEMON is where all the map01 1on1 competition appears to be at. If a better crowd-drawing port comes to the forefront though, I'd dump ZDAEMON in a heartbeat. Bunch of pompous fools run the show there.

Link to post
myk said:

He's saying it used CSDoom code (Quakeworld stuff) till v0.94, and then it was swapped for ZDaemon code (from there taken in Skulltag's particular direction.)

Since then it's all pretty much been purged and almost completely rewritten.

Link to post
This topic is now closed to further replies.