U
/u/dubsector
Guest
Hey all, came back to Minecraft after about two years away and wanted to run mcMMO on my servers. Noticed there's no easy place to grab a current build without compiling it yourself, so I spent the past week building an automated pipeline to solve that.
What it does:
Why the security stuff? Downloading random plugin JARs is one of the biggest attack vectors for server admins. I wanted every build to be verifiable and you can confirm the JAR was built by this specific pipeline and wasn't tampered with after the fact:
To be clear: this verifies the build came from this pipeline, not from the mcMMO-Dev team. These are unofficial automated builds from the public GPL source. I'm not affiliated with mcMMO-Dev and this isn't endorsed by them. The attestation just proves the JAR you downloaded is identical to what the pipeline produced. Always recommend to check workflows, verify builds, and make your own call.
Repo: https://github.com/dubsector/mcmmo-builds
submitted by /u/dubsector
[link] [comments]
Continue reading...
What it does:
- Pulls the latest mcMMO source from upstream every day and builds it automatically
- Smoke tests the JAR against both Paper and Folia to make sure the server actually starts before publishing
- Signs every build with cosign via Sigstore and attaches SLSA build provenance attestation
- Publishes to a clean download page: https://dubsector.github.io/mcmmo-builds
Why the security stuff? Downloading random plugin JARs is one of the biggest attack vectors for server admins. I wanted every build to be verifiable and you can confirm the JAR was built by this specific pipeline and wasn't tampered with after the fact:
gh attestation verify mcMMO-<version>+<sha>.jar --repo dubsector/mcmmo-builds To be clear: this verifies the build came from this pipeline, not from the mcMMO-Dev team. These are unofficial automated builds from the public GPL source. I'm not affiliated with mcMMO-Dev and this isn't endorsed by them. The attestation just proves the JAR you downloaded is identical to what the pipeline produced. Always recommend to check workflows, verify builds, and make your own call.
Repo: https://github.com/dubsector/mcmmo-builds
submitted by /u/dubsector
[link] [comments]
Continue reading...