Announcement about PatchIt!

This is kinda hard to announce, but it must be done.

If you wish to release a mod using PatchIt!, or were planning to update your existing mod to 1.1.0, you need to read this.

Do not, repeat, do not use PatchIt! Version 1.1.0 Stable. Instead, use PatchIt! Version 1.0.3.1 Stable.
Now why would I announce such a thing, considering 1.1.0 was a long time coming, and is superior to 1.0.3.1 in every way?

The answer lies in the details of a bug the testers pointed out, which we’ve called “Traveling Files”. In short (details available in Issue #4), I could (hypothetically) make a malicious LEGORacers.exe, make a Patch, and offer it for download. Anyone who installed my “Patch” would then receive a virus, and would not know about it (unless anti-virus found it). Now, PatchIt! does not have a game launcher (and I don’t plan on adding one unless there is demand for it), so PatchIt! in itself cannot launch the virus. However, once you launch the “game” from a shortcut, boom, you’re hit. And since PatchIt! has no way to detect what files are being added, it can be a carrier for viruses, and has been since 1.0.

But I still have not said why you should not use 1.1.0.

The proposed fix for this serious issue is to use a different archive for the Patch: TAR. As I told the testers, Python was not written by one person. It was created by one, and lots of people wrote it. Some of those devs had ideas others did not, so the modules they wrote may have features others don’t. The tarfile module contains an exclude option, which the ZIP modules do not. I plan on replacing the ZIP archives with TAR archives in 1.1.1, which will update the PiP File Format, but also fix this issue and (possibly) create smaller archives.

But I still have not said why you should not use 1.1.0.

It goes like this: if a sudden explosion of 1.1.0 Patches is created before I can get the new archive in place, I will have to have three installation routines: legacy, modern ZIP, and modern TAR, with only modern TAR being created. I will have to keep all three bug-fixed, which adds more complexity to PatchIt! and will usher in the removal of the legacy routine much sooner than I want.

So this is really a “help me, help you” sorta deal. If you can hold off on releasing 1.1.0 Patches before 1.1.1, I can add more features and fixes sooner. If you don’t, it will take longer to do everything I want to do.

A 1.0.3.2 release is on the consideration table, as there are a few things I wish I had backported to 1.0.3.1 but didn’t. If you can find something in 1.1.0 that I might be able to backport with relative ease, do suggest it, and I’ll try to do it.

The download link for PatchIt! has been changed back to 1.0.3.1, and 1.1.0 moved to the right corner.

This was a hard announcement to make, but it is needed to better all of us. 🙂
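
An added example, not code from PatchIt! or its author: one way the file filtering proposed above for the “Traveling Files” issue could look with Python's tarfile module. It uses the `filter` argument of `TarFile.add` (the current form of the exclude option) when a Patch is built, and checks every member again on install, since an archive can be produced by any tool. The blocklist, the function names and the sample archive are assumptions made for illustration.

```python
import os
import tarfile
import tempfile

# Assumed blocklist; the post itself names only LEGORacers.exe.
BLOCKED_EXT = {".exe", ".dll", ".bat", ".cmd", ".com", ".scr"}

def is_blocked(name):
    return os.path.splitext(name)[1].lower() in BLOCKED_EXT

def build_patch(src_dir, out_path):
    """Pack src_dir into a TAR patch; return the names left out."""
    skipped = []
    def drop_blocked(info):
        if info.isfile() and is_blocked(info.name):
            skipped.append(info.name)
            return None  # None keeps the member out of the archive
        return info
    with tarfile.open(out_path, "w:gz") as tar:
        for entry in sorted(os.listdir(src_dir)):
            tar.add(os.path.join(src_dir, entry), arcname=entry, filter=drop_blocked)
    return skipped

def safe_install(archive_path, dest_dir):
    """Check every member first; raise ValueError before writing anything."""
    dest = os.path.realpath(dest_dir)
    kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:*") as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.realpath(os.path.join(dest, m.name))
            if not (m.isfile() or m.isdir()) or is_blocked(m.name):
                raise ValueError("rejected member: " + m.name)
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError("path escapes install dir: " + m.name)
        tar.extractall(dest, members=members, **kw)
    return [m.name for m in members]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "bad.tar")  # constructed sample from another tool
        with tarfile.open(bad, "w") as tar:
            tar.addfile(tarfile.TarInfo("LEGORacers.exe"))  # empty stand-in file
        try:
            return safe_install(bad, os.path.join(tmp, "game"))
        except ValueError as err:
            return str(err)

if __name__ == "__main__":
    print(demo())
```

The install-side check rejects the whole archive before anything is written, so a Patch that carries one blocked file installs nothing.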
