Root CAs, background processes 24/7, uploading of the full process list, clipboard spying, local network scanning, surveillance (aka telemetry) - when did developers decide that our machines aren’t ours anymore?
You're not paying them. There's no transaction. They're not even giving the software specifically to you, rather they're saying "this is free for anyone to pick up" - with no warranty of any kind.
When you pick up some free furniture from the roadside, it's on you to determine whether it meets your safety standards. If the free table you picked up has some defect, you most certainly don't ring someone's doorbell and demand rectification.
I can build a bridge free of charge, optional to use, that doesn't mean it's not my responsibility to ensure its safety.
That's not even a little controversial. You put a thing on the web that says "Just a harmless XYZ" and it roots TLS forever?
Malware. Black and white.
You cannot expect the average player of an online game to have the technical knowledge necessary to discern whether a piece of software is safe to use or not. Even if you could, you'd also be expecting them to take the time to do a proper analysis of such software, which I do not think is a reasonable premise.
What's more, this is open-source software we're talking about and you can actually relatively easily perform meaningful security checks; imagine if this were not the case.
If I was giving away free brownies, and someone kindly informed me that they were poison, and I continued to give them away, I belong in prison.
Edit: it seems like there's been no activity in the repo since before the issue was filed, so it's hard to say if the author can be considered to have been informed.
Edit: There seems to be activity on the author's account which points to the conclusion that they are aware of the issue and are making (still at least somewhat questionable) changes for a new (unreleased?) version of the launcher to address the problem.
https://github.com/Zacam/SBRW.Launcher.Net/commit/f09d911fca...
As far as I am aware the launcher repo I linked in the original post is still the main launcher players use for the game, meaning people are still getting the certificate permanently installed.