Mana Spheres Sunsetting

jesusalva
Moubootaur Legends
Posts: 1438
Joined: 14 Nov 2016, 22:20
Location: Brazil

Post by jesusalva »

Mana Spheres will terminate operations before December 7th, and will be delisted from Google Play.

Thanks to everyone who supported the project!

Jesusalva (aka. Jesusaves)
Donate to the project! ─ (Note: If you want to support me instead, Buy me a coffee!)

Former system administrator, project lead and developer.
Do not contact me regarding The Mana World inquiries.

Reid
Lead Developer (SoM)
Posts: 1551
Joined: 15 May 2010, 21:39
Location: Artis

Re: Mana Spheres Sunsetting

Post by Reid »

Oh no, it seemed to be quite active some months ago.
Is there a reason to delist it?

"Time is an illusion. Lunchtime doubly so."
-- Ford Prefect

Re: Mana Spheres Sunsetting

Post by jesusalva »

Maintenance upkeep, mostly. The software itself could remain running for years, but legal regulations prevent us from doing so.

(And if anyone is wondering about the CRA ─ the EU's Cyber Resilience Act ─ discussions in Europe, which enforce a liability and security policy, then as I said earlier, if it passes, TMW will become unavailable in the whole of Europe ─ we'll not make a full sunset, but we will never be able to comply with it ─ see the Linux Foundation blog post about some of the existing concerns).


Re: Mana Spheres Sunsetting

Post by Reid »

That would be something else to worry about but I don't think we would fit in one of these risky situations as stated here:

However, there are some potential amendments to the CRA, that if passed, might exclude certain open source projects that have a “fully decentralized development model” — i.e., not controlled by a single company or entity.

Even if TMW is legally controlled by the SPI we are still managed by a chaotic meritocracy group based on volunteerism and personal self-harm.

If it is really something that could threaten the life of TMW then I'm pretty sure we will be able to focus some days/weeks into fixing whatever they point out.


Re: Mana Spheres Sunsetting

Post by jesusalva »

Reid wrote: 02 Dec 2023, 22:37

That would be something else to worry about but I don't think we would fit in one of these risky situations as stated here:

However, there are some potential amendments to the CRA, that if passed, might exclude certain open source projects that have a “fully decentralized development model” — i.e., not controlled by a single company or entity.

Even if TMW is legally controlled by the SPI we are still managed by a chaotic meritocracy group based on volunteerism and personal self-harm.

If it is really something that could threaten the life of TMW then I'm pretty sure we will be able to focus some days/weeks into fixing whatever they point out.

Have fun rewriting the whole authentication mechanism for TmwAthena, Hercules and ManaPlus then. And while at that, you must use TLS over the communications, so have fun rewriting half of the protocol for both (which is actually where everyone in the past decade gave up when trying to make a client~ish, the last one with any meager amount of success was ManaMarket). Because, uh, that's now considered a vulnerability under the EU, so you must report within 24 hours and deploy a fix to everyone.

...and yes, the CRA demands a permanent approach to this, so a few days/weeks won't get anything done, and a single year won't comply either as there's the reporting rule. (It doesn't threaten TMW live as a whole as we can just move back to the USA and stamp a "Europe free ─ no colonists!" seal on it (which will not be taken seriously but why would we care?), but it does threaten all EU users).

There's also the backlog of all known security vulnerabilities accrued from 2004 to 2024 which you can find in rAthena changelogs, have fun fixing ALL of them because CRA forces you to. (sarcasm? No, because it must be "delivered without any known exploitable vulnerabilities", and we have a whole list of them, messy as it may be).
Also, prepare to rewrite settings in M+ and to rewrite tmwa-admin ─ “delivered with a secure by default configuration” means both are failing rather spectacularly at that.

Also, you'll need to write CI units ─ Evol2 has one, but tmwa doesn't have one, and you need to “perform regular tests and security reviews”, so unless you plan on doing it manually... Prepare to have a support staff patching any reported security issue immediately, it must be done without delay. Given we don't have dedicated staff for anything, expect to halt development of features to do security fixes (which might make sense at a glance, but as a fellow developer, you must know some vulnerabilities demand a lot of time and... are too difficult to exploit to be worth addressing).

I'm skipping all our clumsy security policy on the system administration side ─ GM Logs were unavailable for a couple of days because they were improperly configured in a way that a web user could theoretically access player data from them... These are not actually covered by the CRA, of course, I just wanted to point out that these vulnerabilities also exist and are taking a long~ish amount of time to fix. Remember: the CRA says they must be fixed "without delay", but what is a "delay"? It's not like any of us were employed to do anything, I could easily spend a whole week away from TMW because I don't want to work on TMW, would they consider this a delay? If they don't, then this also effectively means that features would be frozen in favor of security vulnerability fixes. (From what I saw, the CRA misses entirely the point of "severity of the vulnerability", but I admit I didn't bother enough to make an in-depth read so you might know more than me on this).

But Mana Spheres sunset is not related to the CRA, it is several different policies and mostly from Google, such as the requirement of a button to exclude user account. (And now I'm wondering... 4144 probably also received an email that he must add that to ManaPlus on Android, I wonder if he'll do anything. It's not like either server had support for that and either way under our Privacy Policy that would be in violation of GDPR as we do not acknowledge password holders as account owners).

PS. Don't worry, Source of Mana can easily be CRA-compliant, as you're not reinventing the wheel but using Godot, so less surface to worry about and even if it stretches you a bit, it has significantly fewer risks than TmwAthena (which is a deprecated software since 2016).

Ledmitz
TMW Classic
Posts: 583
Joined: 17 Aug 2011, 22:40
Location: The Mana World

Re: Mana Spheres Sunsetting

Post by Ledmitz »

I made sure to DL a copy of Mana Spheres. It would be nice to try one day on the phone. After recently reading up on OGA licenses, I assumed this had to do with DRM at first. I really wonder if the bill will pass, as is. Is there a single player/offline mode?

Ledmitz = Ardits = KillerBee = Mystic = Mystical_Servant = Tipsy Skeleton = BoomBoom = Cloak


Re: Mana Spheres Sunsetting

Post by jesusalva »

Ledmitz wrote: 06 Dec 2023, 13:05

I made sure to DL a copy of Mana Spheres. It would be nice to try one day on the phone. After recently reading up on OGA licenses, I assumed this had to do with DRM at first. I really wonder if the bill will pass, as is. Is there a single player/offline mode?

No, but it does support using the local network to connect (and it runs on PC, although it is... uglier and annoying). The repositories are merely archived, you can still get them if you select the "Archived" tab in the Git group.

For the sake of helping you, the link for the archived Mana Spheres repositories is: https://git.themanaworld.org/groups/spheres/-/archived
