Certain users of my projects TTT and Steel may have noticed that the third-party auto-updater used by both of them recently broke. Ordinarily, this updater works by checking CurseForge for any updated releases, and if any are found, downloading them and replacing their own JARs with the newly downloaded files. However, a relatively recent change to the ServerMods API caused the updater to malfunction, downloading invalid artifacts and effectively deleting its respective plugin.
So what happened?
The ServerMods API is a REST service provided by Curse which essentially returns all available versions of a given BukkitDev project, including a download URL for each associated artifact. A recent change to Curse's CDN caused the provided URL (located on the domain
servermods.cursecdn.com) to return a 302 redirect to a separate domain (
addons-origin.cursecdn.com). Because the updater used by my projects did not support following redirects, the 302 error page was downloaded in place of a binary, rendering the plugin essentially useless. Worse yet, because the plugin is completely removed via this process, any users affected by this glitch will be required to manually update to the versions providing the appropriate patches.
Of course, none of this took effect until I pushed a new update for each of my projects on August 28th, as you can easily see below.
Is the problem fixed?
Sort of. I've pushed updates for both projects (TTT v0.10.3 and Steel v1.2.11) which include modified versions of the auto-updater system to properly handle the newly introduced redirect. Unfortunately, as I mentioned above, affects users will need to manually update to the latest releases in order for the plugins to work again.
I've also submitted my modifications to the updater system as a pull request to the main repository. I'm not sure if Gravity is even still around, but my goal is to get my fix merged into
master to prevent such an impact in the future.
Additionally, I'll be submitting a ticket to Curse shortly describing this issue. The auto-updater affected by this change is by far the most widely used in the Bukkit community, so the impact throughout the community is certainly not negligible. I anticipate (or hope, at least) that they will update the ServerMods API to return a direct URL to the download as a measure to prevent any users from encountering this problem in the future.
Why did the fix take so long?
Truthfully, I didn't notice. I haven't paid much attention to MCStats since I released the new updates to the projects, and only the other night did I see that the server count for both had significantly dropped. Of course, I've messed up the auto-updater system myself before and recognized the pattern, so it didn't take too long to figure out the root cause once I realized something was wrong.
What should I do? (for end-users)
If you use either TTT or Steel, manually update to the newest versions ASAP. If you use any other plugins which include an auto-updater, notify the author of this issue and maybe point them to this blog post so they can take appropriate measures against it.
What should I do? (for developers)
If you use Gravity's auto-updater, currently the only way to avoid impact by this issue is to refrain from pushing plugin updates to BukkitDev until the problem has been resolved on Curse's end (assuming they take action). The nature of the problem means there is no effective way to ship updated code to users, including anything which might resolve the problem.
Curse changed some backend stuff. This broke my projects' auto-updater system (also used by many, many other projects) and made them delete themselves. I've fixed the problem but anyone impacted needs to manually update to the newest version. I'm also contacting Curse to see if they can do anything about it.
The ticket I submitted to Curse regarding this seems to have vanished. Not sure if this is just a bug on Curse's end or if it was actively deleted, but I've submitted another nonetheless.