Hello,

I am not very familiar with the process of coding a community integration. Does the risk exist that someone, due to a kind of programmed backdoor, abuses the community integrations for phishing your data?

I was looking for such a thread, but didn't find one!
Post edited November 02, 2019 by Blair_180781
No problem at all:

- The 'integration' codes are publicly available (including to us and to GOG devs). If there were a problem, it would have been found by now.

- Every time you accept an integration, you have to log in to a particular launcher, and then agree to what kind of information said launcher shares (through their APIs). That is common practice for any launcher/platform (for example, if and when you share your info with GOG from Steam so that, occasionally, you benefit from their GOG Connect kindness). And that is particularly done through GOG's part of the integration code (as far as I can look through). Every other piece of info GOG gets from the game is also publicly available in online databases (like IGDB).

That said, you're right, it's always good practice to stay informed about this. For example, a while ago, Epic themselves were found to be trying to bypass the Steam API to get their 'friend list', by accessing the info directly through a file on your computer, something the user did not allow. That was harmless of course, but Epic had to change it somehow (either their legal wording or doing that through Steam's official way).

EDIT: Keep in mind I'm not a GOG dev nor part of the teams doing the integrations. Just some helpful (hopefully) beta user.
Post edited November 02, 2019 by GenlyAi
GenlyAi: - The 'integration' codes are publicly available (including to us and to GOG devs). If there were a problem by then, they'd be found by now.
Open Source is by far not a solid argument for secure software, just because it could be scrutinized. There were enough bugs in widely used OSS that were not found close to their time of introduction, like Heartbleed in OpenSSL.

I have the same concerns as Blair_180781 and would like to know if the integrations are checked before being made available in the Client.

Also it feels kind of deceptive to speak of "official Integrations" that could be provided by the companies being linked to, like Microsoft for Xbox Live, and that the "Community Integrations" are provided officially by GOG themselves using the platform's APIs.

But no, it's third party developers, and I haven't found anything that indicates GOG actively checking it, only the Privacy Policy saying "Please know that community integrations may be governed by separate private policies and we are not responsible for their use of your personal and non-personal information", which is weak. They are essentially the thing that makes GOG 2.0 stand out and are offered in the client, without indicating this in the client itself.
GenlyAi: - The 'integration' codes are publicly available (including to us and to GOG devs). If there were a problem by then, they'd be found by now.
Damnatus: Open Source is by far not a solid argument for secure software, just because it could be scrutinized. There were enough bugs in widely used OSS that were not found close to their time of introduction, like Heartbleed in OpenSSL.

I have the same concerns as Blair_180781 and would like to know if the integrations are checked before being made available in the Client.

Also it feels kind of deceptive to speak of "official Integrations" that could be provided by the companies being linked to, like Microsoft for Xbox Live, and that the "Community Integrations" are provided officially by GOG themselves using the platform's APIs.

But no, it's third party developers, and I haven't found anything that indicates GOG actively checking it, only the Privacy Policy saying "Please know that community integrations may be governed by separate private policies and we are not responsible for their use of your personal and non-personal information", which is weak. They are essentially the thing that makes GOG 2.0 stand out and are offered in the client, without indicating this in the client itself.
Fair enough! Now that it's an open beta, perhaps all these issues will be more clarified.
Damnatus: I have the same concerns as Blair_180781 and would like to know if the integrations are checked before being made available in the Client.
Of course no one checks it; it's maintained by some no-name GitHub users with zero information about them. You're fully entrusting all of your gaming accounts to strangers. If something happens to their codebase (it gets hacked, or something is done on purpose by the maintainers), you're the first to automatically update your integrations on Galaxy boot, so it's only your own responsibility to stop these plugins from doing something malicious to your accounts. The same is stated in the Galaxy TOS: you're getting this software as it is and use it at your own risk.

Consider thinking twice if you're up to such a risk. I for myself decided it isn't worth it, so I'll pass on this new app.
Post edited December 11, 2019 by djoxyk
^

IMHO GOG should maintain and moderate their own GitHub repo, let people commit to a dev branch and moderate before going to the master branch, so we only upgrade to trusted versions rechecked by the GOG staff...

Or simply fork them from time to time, rechecking/changing the auto-update parts...

There needs to be some kind of trusted moderation and check; it's too spread out, and one day or another it will fail.

As much as I'd like to believe in community integrations, I cannot trust no-name accounts + auto updates...

--

I think the forking method is possibly what FriendsOfGalaxy is doing, but we don't know who FriendsOfGalaxy is... Maybe it just lacks a bit of communication and all.
I mean it shouldn't be up to us to recheck and dig through all the code to see if integration X is safe; there needs to be a GitHub certified account that only contains trusted code...

So who is FriendsOfGalaxy? What will they fork? What will be forked and what will not? Are they checking all changes? Etc., etc. This needs to be clear for all the users...
Post edited December 11, 2019 by siegfriedrox