DO NOT UPDATE THE FLATPAK #35

Closed
orowith2os opened this issue Oct 17, 2022 · 32 comments

@orowith2os

PolyMC seems to have been compromised, as of commit PolyMC/PolyMC@ccf2825

Do NOT update this flatpak until the issue has been resolved, and upstream can be sure that it's safe.

@orowith2os
Author

The developers seem to have made a fork here, this flatpak should be updated when needed to use this: https://github.com/PlaceholderMC/PlaceholderMC

@d-513
Collaborator

d-513 commented Oct 17, 2022

Once we get the metaserver running under our control, I will update this to the PlaceholderMC version

@tim77

tim77 commented Oct 17, 2022

@AndrejSh3

Until then, would it be possible to replace the flatpak manifest with a blank window that's warning users to disconnect their account from polymc? Might be a great way to reach a lot of users who might be unaware of the situation.

@OpenBagTwo

warning users to disconnect their account from polymc?

I've seen reports on both Twitter and reddit that PolyMC's MSA access has been revoked. IIRC @Scrumplex said he controlled the MSA auths, so my guess is he deleted it?

In any case, sounds like the "disconnect your account" part is unnecessary. I'd love for a PrismLauncher dev to weigh in, but it sounds like the only risk at this point comes from fetching data from the PolyMC meta server, and I'm not sure what safeguards are already in place to prevent malicious behavior there (e.g. hard-coded checksums to ensure that the LWJGL version you're downloading is actually LWJGL?)

@Scrumplex
Contributor

I deleted the MSA application, yes. Authentication was done purely between the client and Microsoft servers, so existing accounts should be safe.

@greanthai420

Stop spamming and spreading misinformation.
Poly is not compromised. Everybody can take a look at the source.

You're just spreading the misinformation because hatred clouds your judgement.

May Allah guide you.

@admiralnelson

The repo is fine, there's no malicious code there.

@iamcult

iamcult commented Oct 18, 2022

The problem is not that there is currently malicious code in the repo, the problem is that the keyholder to the repository has gone rogue, and you would probably not do well to continue trusting the repo at all. To quote a comment on the original commit thread (PolyMC/PolyMC@ccf2825#commitcomment-87074543):

One of the contributors locked out the other ones because they wanted to add a bog standard code of conduct for contributors to sign before submitting code like most open source projects do, and he said he hates "queer ideology" which I think is twitter speak for gay people.

@LennyMcLennington
Collaborator

I don't know why you people think I would do something highly illegal or have any motivation to do so, let alone on a project where all the code and meta data are publicly auditable. This repo should not be changed to use your fork, you should request a new one to be made.

@Scrumplex
Contributor

@LennyMcLennington Can you fix your Translations repo? I get regular emails of failing actions, because I was the last committer.

@svin24

svin24 commented Oct 18, 2022

I have to respectfully disagree with the decision to hard move users to a new package or specifically stop updating this package.
Yes, I know the application takeover was weird and certainly unprofessional, but I do not think that at the end of the day it's Flathub's job to dictate if users get to use a specific package from a specific dev.

Obviously I do not mind if the other people in the team decide to hard fork the project and make another flatpak for PrismMC.

I am also not a Flathub/Flatpak dev but this is just my opinion that I hope repo owners consider.

A few extra points:

  • Yes there was a takeover of the application but so far there has been no real indication that it will provide malware or hack the users. That assumption is made without proof. Now, I am not in the project chatgroup, nor do I care to be.
  • Ultimately this does not matter to Flathub. Flathub hosts packages whose original devs many find repulsive (mozilla/brave for example) or actively do things many in the opensource community find bad (microsoft/google and its packages), or environmental groups may find bad (all the crypto wallet apps), singling out a package for what I can best describe as community drama is at best unprofessional and at worst against a misapplication of rules.
  • Projects have drama behind them, this is true and universal. Heck everyone in the linux community knows this since it seems like we can't even go a week without some kind of mess happening.

To the current and single PolyMC dev @LennyMcLennington:

This entire situation could have been handled better.
You could have just left the project and started a hard fork of some kind with different rules for moderation or you could have just argued for different rules for moderation with your team.
It frankly aches me to see this kind of unprofessionalism and pretty twitter-tier slap fighting happen.

I am aware that PolyMC has a newsreader feature. I think it would be best to inform your userbase that at least a project split has happened.

@admiralnelson

admiralnelson commented Oct 18, 2022 via email

@Scrumplex
Contributor

Scrumplex commented Oct 18, 2022

I have to respectfully disagree with the decision to hard move users to a new package or specifically stop updating this package.

Point is: @LennyMcLennington is not maintaining this Flatpak. He barely maintains PolyMC itself.
We certainly won't maintain this Flatpak any further and decommission it as per Flathub guidelines

@svin24

svin24 commented Oct 18, 2022

I have to respectfully disagree with the decision to hard move users to a new package or specifically stop updating this package.

Point is: @LennyMcLennington is not maintaining this Flatpak. He barely maintains PolyMC itself. We certainly won't maintain this Flatpak any further and decommission it as per Flathub guidelines

Then I would recommend marking it as EOL and adding a notice if no one is willing to pick it up. (And if Lenny can't find devs to help him maintain PolyMC.)
I would argue for letting the users move to PrismMC as they wish.

@KaspianDev

Imo this flatpak should be left untouched.
The project is not dead as far as I'm concerned, original author is still interested in continuing it.
Also there's no hijacking and safety checks should be the same as for any other project, maintainer should make sure no bad code is in the flatpak.

@Scrumplex
Contributor

Scrumplex commented Oct 18, 2022

@KaspianDev why should the maintainer of this Flatpak continue maintaining this package, if they have already moved on to a new launcher?

If someone else wants to maintain it, sure go ahead. But we will decommission this package

@KaspianDev

KaspianDev commented Oct 18, 2022

I'd let Lenny decide if he wants to update it or not, otherwise you could decommission it.
Ofc it's not in your (or whoever the packager is) interest now to maintain this, I truly understand.

PS: Do you know where I can find new poly fork discord server? I've heard you get attacks idk if it's possible to join rn lmk.

Edit: I also don't think this should transfer to the new poly, making new flatpak and abandoning this would be more fair.

@Scrumplex
Contributor

PS: Do you know where I can find new poly fork discord server? I've heard you get attacks idk if it's possible to join rn lmk.

https://discord.gg/prismlauncher

@Heath123

Heath123 commented Oct 18, 2022

I have to respectfully disagree with the decision to hard move users to a new package or specifically stop updating this package. Yes, I know the application takeover was weird and certainly unprofessional, but I do not think that at the end of the day it's Flathub's job to dictate if users get to use a specific package from a specific dev.

Obviously I do not mind if the other people in the team decide to hard fork the project and make another flatpak for PrismMC.

I am also not a Flathub/Flatpak dev but this is just my opinion that I hope repo owners consider.

A few extra points:

* Yes there was a takeover of the application but so far there has been no real indication that it will provide malware or hack the users. That assumption is made without proof. Now, I am not in the project chatgroup, nor do I care to be.

* Ultimately this does not matter to Flathub. Flathub hosts packages whose original devs many find repulsive (mozilla/brave for example) or actively do things many in the opensource community find bad (microsoft/google and its packages), or environmental groups may find bad (all the crypto wallet apps), singling out a package for what I can best describe as community drama is at best unprofessional and at worst against a misapplication of rules.

* Projects have drama behind them, this is true and universal. Heck everyone in the linux community knows this since it seems like we can't even go a week without some kind of mess happening.

To the current and single PolyMC dev @LennyMcLennington:

This entire situation could have been handled better. You could have just left the project and started a hard fork of some kind with different rules for moderation or you could have just argued for different rules for moderation with your team. It frankly aches me to see this kind of unprofessionalism and pretty twitter-tier slap fighting happen.

I am aware that PolyMC has a newsreader feature. I think it would be best to inform your userbase that at least a project split has happened.

In my opinion we should treat PrizmMC as the original project, forced to rename, and "PolyMC" (which is not really PolyMC any more) as the fork. PrizmMC is made by the original PolyMC team (minus one person who didn't contribute much anyway) with the same goals, and is the true PolyMC, and "PolyMC" is now a rogue and hostile fork that happens to have control over the original repo and Discord server, and has taken over the name.

@svin24

svin24 commented Oct 18, 2022

In my opinion we should treat PrizmMC as the original project, forced to rename, and "PolyMC" (which is not really PolyMC any more) as the fork. PrizmMC is made by the original PolyMC team (minus one person who didn't contribute much anyway) with the same goals, and is the true PolyMC, and "PolyMC" is now a rogue and hostile fork that happens to have control over the original repo and Discord server, and has taken over the name.

While I can understand your sentiment, consider the following:
As of now it seems like both projects exist and the polymc namespace is taken by polymc.
I don't know how to explain this but the idea of hard migrating all users of a program doesn't sit well with me.
I don't think we get to choose what they install on their system.

@ghost

ghost commented Oct 18, 2022

I can maintain this

@KaspianDev

I can maintain this

Ask Lenny about that one I guess?

@orowith2os
Author

I think it's safe to assume that this package will be EOLed in favor of a PrismLauncher flatpak, and for good reason.

Lenny took over PolyMC and destroyed the trust of everybody using PolyMC, and neither he nor any people related to him (that includes you, @binex-dsk) are fit to maintain a package that people will use. Lenny alone isn't even maintaining the PolyMC repo at this point, just doing not even the bare minimum.

I think we can all be in agreement with this. (those that have a say in this, at least)

and to you, @LennyMcLennington: trans rights 🏳️‍⚧️ 🏳️‍⚧️ 🏳️‍⚧️

@Littlemac123

I think Lenny should be able to keep the flatpak of polyMC, I think he's trustworthy. All he wanted was to remove the code of conduct that the other devs wanted to force in there.

@svin24

svin24 commented Nov 2, 2022

Lenny can discuss things with the Flathub repo owners.
If they don't want to give him control of the package he can set up his own flatpak repo.

@noel-schenk

Members of GitHub/PolyMC/PolyMC are @BowDown098 @HeyaGlitz @LennyMcLennington @Sneedplex

and according to the contribution guide it's absolutely clear:

We would prefer that these applications are controlled by their authors.

If an application that belongs to you is being distributed without your involvement, please get in touch with the Flathub admins, so that we can discuss transferring ownership.

Since the original owner of this repo is no longer using it how Flathub prefers it to be done, one of the members mentioned above has to get in touch with the Flathub admins to transfer the ownership.

@HeyaGlitz

HeyaGlitz commented Nov 12, 2022

flathub/flathub#3600
It's not like we haven't tried already
Everyone and everything is against us, even if we have no malicious intent. Doubt we'll ever get back into the repositories where the staff members from Prism Launcher have connections, and it seems that they're working together with the repository owners to not add PolyMC back (it was added to the AUR, which shows that we are safe and capable of being added back to other repos).

@ghost closed this as not planned on Nov 13, 2022

@xAffan

xAffan commented May 21, 2023

PS: Do you know where I can find new poly fork discord server? I've heard you get attacks idk if it's possible to join rn lmk.

https://discord.gg/prismlauncher

Why are you promoting your fork here? This is not a thread to discuss your fork, or your ideology.

@KaspianDev

KaspianDev commented May 21, 2023

https://discord.gg/prismlauncher

Why are you promoting your fork here? This is not a thread to discuss your fork, or your ideology.

chad

PS: Do you know where I can find new poly fork discord server? I've heard you get attacks idk if it's possible to join rn lmk.

https://discord.gg/prismlauncher

jak

JOIN ZE REAL DISCORD >>>> https://discord.gg/WMtwnF5Cbr

@ghost

ghost commented May 21, 2023

Prism is not any better than Poly, and in fact it's much worse. All Prism brings to the table is a very political and sexuality focused community and a somehow very unstable launcher. It's riddled with bugs and has out of this world memory leaks. Take a look on their discord support and Github issue and you have all the proof you need about its instability. It's embarrassing. Furthermore, all this political and sexuality garbage should have no business near any game or game launcher, especially something that's mainly played by children. I find it immoral and wrong to push such ideologies in software that has absolutely nothing to do with it. There is no "malicious code" or any sort of thing of that nature, you people are simply spreading misinformation. Lenny didn't go rogue, he was simply tired of you crazy people forcing crazy ideologies in his code. It's sad to see the software community fight about stuff that has absolutely nothing to do with software in general.

@CommanderTaboo

the true link to the official poly mc discord server is >>>> https://discord.gg/WMtwnF5Cbr
poly mc discord server

@ghost

ghost commented May 21, 2023

Prism is not any better than Poly, and in fact it's much worse. All Prism brings to the table is a very political and sexuality focused community and a somehow very unstable launcher. It's riddled with bugs and has out of this world memory leaks. Take a look on their discord support and Github issue and you have all the proof you need about its instability. It's embarrassing. Furthermore, all this political and sexuality garbage should have no business near any game or game launcher, especially something that's mainly played by children. I find it immoral and wrong to push such ideologies in software that has absolutely nothing to do with it. There is no "malicious code" or any sort of thing of that nature, you people are simply spreading misinformation. Lenny didn't go rogue, he was simply tired of you crazy people forcing crazy ideologies in his code. It's sad to see the software community fight about stuff that has absolutely nothing to do with software in general.

This issue was closed.