Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: Add Networked Plugin Rules #27

Merged
merged 16 commits into from
Oct 14, 2024
75 changes: 75 additions & 0 deletions docs/plugin-development/restrictions.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,81 @@ start debugging performance issues is through the Plugin Statistics window,
which can be found through Plugins > Open Plugin Stats in the dev menu
(`/xldev`).

## Can my plugin talk to a backend server I run?

Plugins are permitted to communicate with maintainer-run backend services,
though there are certain considerations and requirements that must be met:

- Plugins should take care to send the minimum amount of data necessary to do
their job. Whenever feasible, plugins should hash information about the local
player (such as the player's Content ID or name) on the client side so that a
server-side data breach does not reveal information.
- Plugins may collect additional non-essential information for telemetry,
analytics, or statistical purposes, provided the user is given a chance to
review what data is being collected and for what purpose.
- Users must opt in to additional telemetry collection, but this may be done
as part of a "welcome to this plugin" experience forcing an explicit choice,
or via a global Dalamud setting.
- Additional data collection must be done for the public interest. That is,
the extra information should go back to improvement of the plugin, provide
the public with statistics or dashboards, or otherwise improve or augment
the game and player experience.
- Plugins must use a pseudo-random identifier (or no identifier) for any
analytics data. If an identifier is used, it must not contain or be derived
from any personal information and must be resettable at any time by the user
purely on the client side. Developers are encouraged to design any analytics
systems so that a user cannot be deanonymized even with full access to the
raw datasets.
- Collected data must be topical to the plugin in question. For example, a
plugin providing Party Finder features may not record information about
which face type is the most popular among its users, but _may_ collect
analytics to find which face type is most likely to create Ultimate clear
parties.
- Plugins must take care to not expose a list of other plugin users or allow an
easy way to test whether a specific user is using any plugin. Users may list
themselves in a public directory if they so choose, but this risk should be
identified to the user.
Comment on lines +115 to +118
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one is also very sticky - there are some cases where this is unavoidable, but expressing that as a hard and fast rule is difficult. The intent here is to avoid "GM installs plugin and goes on a banning spree", but maybe this isn't a problem?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider that GMs aren't the only people who would want this data. Malicious actors seeking to gain information on players may mass scrape services for accounts (see the recent Discord spy.pet drama).

- Any maintainer-run server for a plugin must use encrypted communication via
HTTPS (or an equivalent), and must have certificates issued from a trusted
certificate authority such as [Let's Encrypt][lets-encrypt]. Plugins must
connect to servers via DNS name to prevent data from going to stray IP
addresses.

The appropriateness of data (both essential and non-essential) being submitted
to backend servers is ultimately subjective, and will be handled on a
case-by-case basis by the Plugin Approval Committee. Factors such as the
developer's intent with the data, the necessity of the data to collect, the
abuse potential of the data collected, and how things are communicated to users
will all affect what any given plugin would be allowed to collect. Developers
planning to submit user data should expect to receive feedback on feature design
and architecture from both PAC and the community as part of the review process.

Plugin developers running backend servers should also consider the following as
part of their plugin's design. The below bullet points are not rules, but are
instead guidelines and recommendations designed to improve the overall plugin
experience.

- Plugins should offer the ability to connect to a user-defined backend server
rather than the maintainer-run server. This allows users more control over
where their data goes, and allows plugins to survive should a developer lose
interest or stop working on a project.
- Backend servers should be available under an Open Source license, with the
code available for inspection by interested users. Servers should also be
relatively simple to deploy, allowing users to run their own servers if they
want.
- Plugins should support dual-stack communication, and the backend server should
be aware of IPv6 addresses and be able to handle them properly, including rate
limits if necessary.
- Plugins using WebSockets or similar should implement connection retry logic to
gracefully handle connection interruptions.
- Plugins and backend servers should implement version checking logic such that
outdated clients are properly handled. Plugins and backend servers should also
consider implementing MOTD or notification systems to inform users of planned
outages, impending upgrades, deprecation notices, maintenance, and similar
status updates.

[lets-encrypt]: https://letsencrypt.org/

## How are plugins reviewed and approved?

[This page documents our plugin submission process](plugin-submission), and the
Expand Down
Loading