Ren'Py uses the Python pickle module to serialize/deserialize its data and it's well known that this module is insecure. There's a giant warning about it in the official documentation.
It is something that is newly getting some more attention, that vid coming out just over 6 months ago, and the change in renpy where it warns you when loading a save is from last May. And be honest, did you know ren'py saves are basically software? I sure as heck didn't, and I guess 99% of people on thread didn't either.
So yes, I did know, but you're correct that most game devs probably don't. It's an implementation detail of the engine.
My point was that this isn't new information to "hackers" and yet nobody seems to have taken advantage of it so far.
Fair enough. I wasn't criticizing your post bringing awareness to it. It's still a fallacy though in my opinion.
IDK about you, but I don't wanna put security of user level access to my computer down to "it's probably gonna be fine, no-one's been targeted yet that I know of so it's unlikely they ever will".
2 quick points:
1. You make the "stranger danger" argument, which is good advice in general. It's however not obvious to me why I should trust a complete stranger with an F95 account called "pussylicker69" more or less than a complete stranger with a Patreon account called "PussyLicker69 Games". The former can hide malware in a save file, the latter can hide malware in the game itself. You can of course convince yourself that the stranger with the Patreon account is somehow more trustworthy, but that's faith not security.
Everyone here is running unverified code from complete strangers since the moment they signed up. No two ways about it.
2. Cost vs. benefit: Sure, someone could manipulate a save file and then post it here, in the hopes that a few people will actually download and use it. Or... they could cook up a few shitty DAZ renders and post a v0.1 incest harem game where an insufferable mc returns home to his family after studying abroad. It will be called "My returning home to the Milftown" Something along those lines, only with even worse grammar. Now all of a sudden, hundreds/thousands of people will happily run the malware. And if the game pops up a splash screen saying "This game is 10x hotter if you run it as Administrator" some people will do that too.
It's just not worth it trying to mess with save files when there are much better ways to achieve the same thing.
No. The bottom line is, if you care about security run any and all Ren'Py games in a Virtual Machine and never on your real machine. Anything else is merely a false sense of security.
Bottom line though is "Don't ever use a ren'py save you did not create yourself. Ever."
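To make the "saves are basically software" point above concrete, here is an added example (not code from this thread or from Ren'Py) that walks a pickle's opcodes with `pickletools` without ever unpickling it, and lists which callables the stream would import and how many call-type opcodes it contains. The `ALLOWED` set and the sample data are constructed for illustration.

```python
import pickle
import pickletools
from collections import OrderedDict
from datetime import date

# Assumption for illustration: the only class a save is expected to reference.
ALLOWED = {("collections", "OrderedDict")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that make the unpickler call something it has imported.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def audit(data):
    """Walk the opcode stream without unpickling; report imports and calls."""
    imports, strings, calls = [], [], 0
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            # Older protocols carry "module name" inline in the opcode.
            imports.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Heuristic: protocol 4 pushes module and name as the two
            # most recent strings before this opcode.
            imports.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        if op.name in CALL_OPS:
            calls += 1
    unexpected = [g for g in imports if g not in ALLOWED]
    return {"imports": imports, "calls": calls, "unexpected": unexpected}

# Constructed samples: plain data, an allowlisted class, an off-list class.
PLAIN = pickle.dumps({"chapter": 3, "flags": ["met_alice"]}, protocol=4)
WITH_CLASS = pickle.dumps(OrderedDict(chapter=3), protocol=4)
OFF_LIST = pickle.dumps({"saved_on": date(2017, 7, 1)}, protocol=4)

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("class", WITH_CLASS), ("off-list", OFF_LIST)]:
        print(label, audit(blob))
```

Even an ordinary object is stored as "import this callable, then call it with these arguments". A static listing like this is inspection only: a stream can assemble names in ways the string heuristic does not follow, so a clean report is not a guarantee.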