SuperRepo has launched a new page for Developers to claim their addons.This allows them to bind their addons to a specific source and overrule SuperRepo’s algorithms.
Why? The algorithms seemed to pick the perfect addons!
The last few months some developers received threats from people who wanted to ‘steal’ their addon by using the same addon ID and a higher version number. As Kodi only checks the addon ID and version number and automatically picks the highest version it can get, it is not protected against such ‘rip’ and is easily fooled. But there is one last hurdle to be taken for the attacker: the distribution of the evil addon to unknowing users.
Now, there are 3 ways to spread such evil addon.
Send a few thousand emails with a link to the addon.
Takes a lot of time and the impact is low. Your attempt is probably recognized in time and you are banned from the internet.
Setup a perfectly fine repository and then turn evil
First create a nice repository and make sure it gets installed by thousands of users (by including popular addons). Then turn the table and add the evil addon version to your repository, tricking Kodi in overwriting all other good versions. This approach takes a lot of time, impact depends on the size of the user base of your ‘perfectly fine’ repo. Probably a few thousand sour clients.
Find a trick to inject your evil addon in an repository used by millions.
By far the easiest way. Just find a trick so your addon is picked as ‘best version’ and it will be distributed to all connected clients. Low effort, high impact!
As you probably already know SuperRepo is the largest collection of addons from various sources. It has millions of users and a few thousand Gigabytes (aka: Terabytes) of addons is downloaded each day! Thats makes it a no brainer for attackers. We have seen a lot of attacks and tricks in the past and we have prepared the BuildBot for every trick we could think of.
Is using SuperRepo dangereous?
Just like using any other repository, using SuperRepo includes a small factor of danger. So…what are the options?
Install 10 small repositories (and trust 10 maintainers)
If you have 10 repositories installed to get all the addons you like, you need to trust 10 repository maintainers to not turn evil. In the past we have seen quite a few perfectly fine repository maintainers (or their ex-partners) switching to the evil side, pushing malicious addons (of other developers). Aside: Manually finding the right repository instead of the wrong one for an addon, might be harder than you think. Many addons are duplicated in repositories, but never updated.
Using a repository of a well known team (and hope they stay together)
Team splits generally lead to a burst in addon wars. Quite a few Kodi users might remember the overnight crashes of their Kodi’s due to an addon war between Xfinity and XBMC Hub. Not SuperRepo users though, as it acted like a firewall, ignoring the malicious versions. This approach might seem the finest, but it only takes one team member to turn evil to wreck the whole trust chain 🙁
Just use SuperRepo (and trust me and my BuildBot)
The BuildBot of SuperRepo contains the ‘knowledge’ and ‘experience’ of many years living in the Kodi addon eco-system. The BuildsBot algorithms probably outweight your capability to keep up with all attacks and Kodi addons news 😉
I, Bart Otten, am the only team member to trust. I don’t use a nickname, you can find my house if you want to. I could turn evil years ago. I could have accepted offers from ‘the competition’ as they offered good money. Truth is: I created SuperRepo to make stuff easier for Kodi users and I only trust myself not to make it a money generating machine (if they pay me money to buy SR, they somehow have to earn it back by…using you?) . So from my point of view, there is no team to be more trustworthy ;). PS. Servers still have to be paid so I do like to receive donations as sign of support
In the last 6 months, the BuildBot had an addon update error-rate of less than 1 in 10 thousand. In terms of distribution: less than 0,0000001% of the downloads was ‘not 100% correct’ and the major part of that was not related to ‘evil addons’ but rather ‘wrong versions’ which stays a hard part for a bot as it is for humans too.
Algorithms: smart code in a black box
The algorithms to prevent abuse are the reason why the BuildBot is closed source. SuperRepo’s algoritms are,just like Google’s algorithms, a well guarded secret. If other people know how they work, they will find new tricks and ways to abuse the system.
Using algorithms to determine which source is the right one, has the big advantage that no action from developers is required at all. Those guys (and galls?) already have their hands full at writing code and user support, so forcing them to fill in forms at SuperRepo was deliberately never the plan. SuperRepo should just do the right thing without disturbing developers. Something we can prove to have done alright (even better than ‘competitors’, but we notice them friendly instead of writing click-bait news articles). But as they are secret, developers can never be 100% sure the right source is used for their addon.
Addon claims to the rescue!
Addon Claims add another layer of security to SuperRepo’s distribution chain. It allows developers to claim an addon and force the repository which should be used as the source for SuperRepo’s BuildBot. Here are a few highlights.
100% developer based
The system is designed 100% developer based. This enables you as developer to switch between groups and repositories without the former group or repository being able to ‘rip’ your addon (we have seen this behavior in the past, called ‘addon wars’). We do not log ip’s or anything alike, there is no need for someone else to claim them for you. Feel free to contact me if somebody is saying otherwise.
Chain the claim
As soon as another developer wants to claim an addon which is already claimed, the claim holder will receive an email with the question to release his claim and accept the new one. Only if this is formally done, the claim of the new developer will be accepted by SuperRepo.
Sunrise period
Today, we’ll start the sunrise period. During this period, claims will not effect the BuildBot. This is to prevent abuse of the system by people claiming the wrong addons, fix bugs if their are any and receive developers feedback. SuperRepo can and will act as mediator (and judge) in case there are multiple claims for the same addon. Do not hesitate to contact SuperRepo if one of your addons are claimed by someone else but you.
Shoutout to HIGHWAY99 and smokdpi for their help in testing this new feature and for their feedback. Couldn’t have done it without them!
Conclusion
The addon eco-system of Kodi, and SuperRepo for that matter, is based on a very thin line of trust.
If you are a developer, Addon Claims enables you to trust the outcome of SuperRepo (even) more. Do yourself and SuperRepo a favour and claim your addons right now
If you are a user of SuperRepo, you and million of other users have put your faith in my hands. You trust me to do all I can to keep you and your Kodi safe using the smartest BuildBot for Kodi Addon Repositories there is. Trust me on that 😉 You can help me doing this by donating some money.
Kind regards,
Bart Otten