I am terrified by Minecraft mods always being distributed from dodgy download sites and not rarely come with their own Windows EXE installers. And as far as I know there is no sandboxing at all in the game (uhm, no pun intended) so once installed the mod has full access to your computer?
As someone whose kid has pulled me into the world of using mods (though not (yet) making them for Java Edition) I think this PSA is worth sharing of how to use minecraft mods without pain and with minimal risk, in case anyone is getting started, or has gotten started and finds it frustrating:
1. Use MultiMC to manage instances with various mods, since mods are rarely compatible with each other, and since each version of a mod only is compatible with a single specific point release of the game itself.
Never download any EXE files to get a mod, that does sound sketch AF.
2. mods are always packaged for a particular Loader (some package for multiples and some require Forge, Fabric, or NeoForge), and MultiMC can install any of them into a given instance. Aside from different startup screens there seems to be no difference so idk why we need 3 different ones.
3. Curseforge's website and modrinth both seem to be legit places to get mods from. I personally find the installable Curseforge program itself to be bad and spammy, and would never use that, but the site still lets you directly download the jars you need, and lets you check "Dependencies" to find out what other mods you need.
If you're using MuliMC or one of its various forks, you can search for and install mods from modrinth or curseforge right in the launcher. I fine it more convienent than doing it with a browser and dragging them in, but either way works.
Curseforge is OK, Modrinth is a less commercial alternative. The ten first Google hits if you search "Minecraft mods" are probably NOT OK, most Minecraft-related stuff is SEO optimized to hell by sites which are very fishy.
There are actually two versions of the Curseforge client, the "Overwolf" version that is built on that platform (and is quite bad as a result) and a newer standalone version that doesn't use Overwolf, it's much better.
> 3. Curseforge's website and modrinth both seem to be legit places to get mods from. I personally find the installable Curseforge program itself to be bad and spammy, and would never use that, but the site still lets you directly download the jars you need, and lets you check "Dependencies" to find out what other mods you need.
PrismLauncher, a popular MultiMC fork, has direct integration with Curseforge and Modrinth, while being completely ad-free. Best of both worlds.
A few mods are not available because Curseforge allows mod authors the option to force ad monetization by blocking API access, but these are few and far between.
PrismLauncher is excellent, it feels like it found the right level of abstraction. Automates chores without black-boxing what it's doing.
And there's a makedeb for it! https://mpr.makedeb.org/packages/prismlauncher
Yeah mods are just regular Java .jars that can do anything. To circumvent this issue Mojang introduced datapacks but they are super limited in what they can do. They’re basically just Minecraft commands in a file along with some manifest files to change e.g. mob loot drop rates. These Minecraft commands are Turing complete but a huge PITA to work with directly, no concept of local variables or if statements, no network access, etc. Every entity in MC has associated NBT data that is similar to JSON that stores values like position, velocity, inventory, etc. You can change NBT with commands for mobs, but in what can only be described as a religious decision, Minecraft commands are unable to modify player NBT. So for example it is impossible to impart a velocity on a player.
One wonders why Mojang didn’t embed Lua or Python or something and instead hand-rolled an even shittier version of Bash. The only reason MC servers like Hypixel exist is because the community developed an API on top of the vanilla jar that makes plugin development easy. Even with that there is still no way for servers to run client-side code, severely limiting what you can do. They could’ve easily captured all of Roblox’s marketshare but just let that opportunity slip through their fingers. Through this and a series of other boneheaded decisions (huge breaking changes, changes to the base game, lack of optimization), they have seriously fractured their ecosystem:
- PvP is in 1.8 (a version from 2015) or sometimes even 1.7 (from 2013)
- Some technical Minecraft is latest, some is in 1.12 (from 2017)
- Adventure maps are latest version
- Casual players play Bedrock (an entirely different codebase!)
The words “stable API” have never been said in the Mojang offices. So the community made their own for different versions, servers use the Bukkit 1.8 API, client 1.8 mods use Forge, latest mods use Forge or Fabric. The deobfuscated names are of little utility because the old names are so well ingrained, and modders will also probably avoid them for legal reasons.
Bedrock has proper mod support and you can program with Typescript.
Better than datapacks overall but lacks a way to plug into the rendering pipeline or make custom dimensions. Java mods have more capabilities
> I am terrified by Minecraft mods always being distributed from dodgy download sites and not rarely come with their own Windows EXE installers.
That's not their main mean of distribution, most often those sites were just third parties unrelated to the mod authors that repackaged the mod and somehow got a better SEO. But TBF back in the days the UX/UI for installing mods was pretty terrible. Nowadays there are more standardized and moderated distribution websites from which you just download the .jar of the mod.
> And as far as I know there is no sandboxing at all in the game (uhm, no pun intended) so once installed the mod has full access to your computer?
This is totally true though.
This is not the norm these days! There are popular mod loaders like curseforge that pulled from moderated repositories. It’s still not bulletproof, but a far cry from trusting some installer executable
I prefer modrinth as well, both are good but curseforge has done some things which makes us require an api etc. for true automation where modrinth is genuinely nice.
I used to use prism launcher which would just give me a search box and It on the side would have things like modrinth / curseforge etc., Usually I preferred Modrinth but there were some modpacks just on curseforge only but I never really downloaded a shady modpack from some random website aside from these two, In fact sometimes I never opened up a website but just prismlauncher itself lol
+1 for Prism Launcher and Modrinth! I use Prism on my Steam Deck. I would’ve mentioned them both but Curseforge was the only name I could remember
Yup very common to take a popular minecraft mod, insert malware, rehost it, and seo your way into getting downloads.
Yes, much like how most software for PC has been written since the beginning of time?