Extended FAQ zh TW
其他常見問題包含了您可能較不常遇到的問題及它們的解答。 如果您的問題非常常見,請參閱常見問題。
ASF由Archi 在2015年10月建立。 如果您想知道,我跟您一樣,是一個Steam使用者。 除了玩遊戲,我也喜歡將我的專長與決心付諸實踐,正如您所看到的。 這裡沒有大公司的參與,沒有什麼開發團隊,也沒有$100萬美元的預算來提供支援⸺只有我自己,在維護這個專案。
然而,ASF是個開源專案,我無法向您表示您在這裡看到的一切都是出自我手。 我們還有一些其他的ASF專案,幾乎完全是由其他的開發人員所開發。 即使是ASF核心專案,也有許多貢獻者幫助我實現這一切。 最重要的是,還有一些支援ASF開發的第三方服務,特別是GitHub、JetBrains與Crowdin。 當然您也不能忘記所有幫助ASF實作的出色程式庫與工具,例如我們用作IDE的Rider(我們也喜歡ReSharper的附加功能),特別是SteamKit2,沒有它,ASF就不會存在。 如果沒有Github、Patreon和各種贊助者支援我在這裡所做的一切,ASF也不會有今天的成就。
感謝大家協助ASF開發! 你們是最棒的!
建立ASF的主要目標是成為Linux全自動的Steam掛機工具,且不需要任何外部相依程式(例如Steam用戶端)。 實際上,這仍然是它的主要目標及專注的重點,因為我對ASF的理念從那時起就從未改變,我仍然能以與2015年完全相同的方式來使用它。 當然,從那時起的確發生了許多變化,我很高興看到ASF取得了如此大的進展,這主要歸功於它的使用者們,因為如果只是為了我自己的使用,我甚至永遠不會編寫出現在一半的功能。
值得一提的是,ASF從未與其他相似的程式競爭,特別是Idle Master,因為ASF從未被設計成桌面/使用者應用程式,時至今日。 若您分析上述的ASF主要目標,您就會發現Idle Master與此截然相反。 雖然在今天您絕對可以找到與ASF相似的程式,但對我來說,當時沒有足夠好到能用的(現在仍然沒有),所以我依照自己想要的方式建立了自己的軟體。 隨著時間的推移,用戶使用者遷移至ASF上主要是因為它的健壯性、穩定性及安全性,還有我多年來所開發的所有功能。 如今,ASF是最棒的。
您不需任何代價,我是為自己建立了ASF,並分享給社群的其他人,希望它能對其他人來說有用。 在1991年發生過相同的事情,Linus Torvalds將他的**第一個Linux核心**分享給全世界。 這裡沒有隱藏惡意程式、資料探勘、加密挖礦或其他任何能為我帶來金錢利益的行為。 ASF專案完全是由像您這樣的自願使用者給予的非強制性的捐款所支援。 您可以像我一樣自由地使用ASF,如果您喜歡它,您隨時可以請我喝杯咖啡,來表達您對我所做的事情的感激之情。
我還將ASF當作現代C#專案的完美範例,該專案始終追求完美與最佳範例,不論是技術、專案管理還是程式碼本身。 這是我對「做對的事情」的定義,所以如果你有機會從我的專案中學到一些有用的東西,那只會讓我更開心。
從統計上來說,不管有多悲哀,在ASF啟動後不久,一定至少會有一個人死於車禍。 不同之處在於,一般人不會因為這種情形指責ASF,但出於某些原因,有些人卻會因為他們的Steam帳號出現了相同問題,而指責是ASF造成的。 當然,我們可以理解其中的原因,畢竟ASF是在Steam平台下運作,所以人們自然會因為他們Steam財產上發生的任何事情而指責ASF,而不管沒有證據表明,他們執行的軟體與此情形有任何關聯。
ASF, as stated in FAQ as well as question above, is free of malware, spyware, data mining and any other potentially unwanted activity, especially submission of your sensitive Steam details or taking over your digital property. If something like this has happened to you, we can only say that we're sorry for your loss and recommend you to contact Steam support which hopefully will assist you in the recovery process - because we're not responsible for what happened to you in any way and our conscience is clear. If you believe otherwise, that's your decision, it's pointless to elaborate further, if the above resources providing objective and verifiable ways to confirm our statement didn't convince you, then it's not like anything we write here will anyway.
However, the above doesn't mean that your actions done without a common sense with ASF can't contribute to a security issue. For example, you could disregard our security guidelines, expose ASF's IPC interface to the whole internet, and then be surprised that somebody got in and robbed you out of all items. People do it all the time, they think that if there is no domain or any connection to their IP address then nobody will for sure find out their ASF instance. Right as you read it, there are thousands if not more fully-automated bots crawling through the web, including random IP addresses, searching for vulnerabilities to discover, and ASF as a quite popular program is also a target of those. We already had enough of people that got "hacked" through their own stupidity like that, so try to learn from their mistakes and be smarter instead of joining them.
Same goes for security of your PC. Yes, having malware on your PC ruins every single security aspect of ASF, as it can read sensitive details from ASF config files or process memory and even influence the program to do stuff that it wouldn't do otherwise. No, the last crack you've obtained from doubtful source was not a "false positive" as somebody has told you, it's one of the most effective ways to gain control over somebody's PC, the guy will infect himself and he'll even follow the instructions how to, fascinating.
Is using ASF completely safe and free of all risks then? No, we'd be bunch of hypocrites stating so, as every software has its security-oriented problems. Contrary to what a lot of companies are doing, we're trying to be as transparent as possible in our security advisories and as soon as we find out even a hypothetical situation where ASF could contribute in any way to a potentially unwanted from security perspective situation, we announce it immediately. This is what happened with CVE-2021-32794 for example, even though ASF didn't have any security flaw per-se, but rather a bug that could lead to user accidentally creating one.
As of today, there are no known, unpatched security flaws in ASF, and as the program is used by more and more people out of which both white hats as well as black hats analyze its source code, the overall trust factor only increases with time, as the number of security flaws to find out is finite, and ASF as a program that focuses first and foremost on its security, definitely isn't making it easy for finding one. Regardless of our best intentions, we still recommend to stay cool-headed and always be wary of potential security threats, ones coming from ASF usage as well.
As part of our releases on GitHub, we utilize a very similar verification process as the one used by Debian. In every official release starting with ASF V5.1.3.3, in addition to zip files you can find SHA512SUMS and SHA512SUMS.sign files. Download them for verification purposes together with the zip files of your choice.
Firstly, you should use SHA512SUMS file in order to verify that SHA-512 checksum of the selected zip files matches the one we calculated ourselves. On Linux, you can use sha512sum utility for that purpose.
$ sha512sum -c --ignore-missing SHA512SUMS
ASF-linux-x64.zip: OK
On Windows, we can do that from powershell, although you have to manually verify with SHA512SUMS:
PS > Get-Content SHA512SUMS | Select-String -Pattern ASF-linux-x64.zip
f605e573cc5e044dd6fadbc44f6643829d11360a2c6e4915b0c0b8f5227bc2a257568a014d3a2c0612fa73907641d0cea455138d2e5a97186a0b417abad45ed9 ASF-linux-x64.zip
PS > Get-FileHash -Algorithm SHA512 -Path ASF-linux-x64.zip
Algorithm Hash Path
--------- ---- ----
SHA512 F605E573CC5E044DD6FADBC44F6643829D11360A2C6E4915B0C0B8F5227BC2A2575... ASF-linux-x64.zip
This way we ensured that whatever was written to SHA512SUMS matches the resulting files and they weren't tampered with. However, it doesn't prove yet that SHA512SUMS file you checked against really comes from us. For that, we'll use SHA512SUMS.sign file, which holds digital PGP signature proving the authenticity of SHA512SUMS. We can use gpg utility for that purpose, both on Linux and Windows (change gpg command into gpg.exe on Windows).
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Mon 02 Aug 2021 00:34:18 CEST
gpg: using EDDSA key 224DA6DB47A3935BDCC3BE17A3D181DF2D554CCF
gpg: Can't check signature: No public key
As you can see, the file indeed holds a valid signature, but of unknown origin. You'll need to import ArchiBot's public key that we sign the SHA-512 sums with for full validation.
$ curl https://raw.githubusercontent.com/JustArchi-ArchiBot/JustArchi-ArchiBot/main/ArchiBot_public.asc -o ArchiBot_public.asc
$ gpg --import ArchiBot_public.asc
gpg: /home/archi/.gnupg/trustdb.gpg: trustdb created
gpg: key A3D181DF2D554CCF: public key "ArchiBot <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
Finally, you can verify the SHA512SUMS file again:
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Mon 02 Aug 2021 00:34:18 CEST
gpg: using EDDSA key 224DA6DB47A3935BDCC3BE17A3D181DF2D554CCF
gpg: Good signature from "ArchiBot <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 224D A6DB 47A3 935B DCC3 BE17 A3D1 81DF 2D55 4CCF
This has verified that the SHA512SUMS.sign holds a valid signature of our 224DA6DB47A3935BDCC3BE17A3D181DF2D554CCF key for SHA512SUMS file that you've verified against.
You could be wondering where the last warning comes from. You've successfully imported our key, but didn't decide to trust it just yet. While this is not mandatory, we can cover it as well. Normally this includes verifying through different channel (e.g. phone call, SMS) that the key is valid, then signing the key with your own to trust it. For this example, you can consider this wiki entry as such (very weak) different channel, since the original key comes from ArchiBot's profile. In any case we'll assume that you have enough of confidence as it is.
Firstly, generate private key for yourself, if you don't have one just yet. We'll use --quick-gen-key as a quick example.
$ gpg --batch --passphrase '' --quick-gen-key "$(whoami)"
gpg: /home/archi/.gnupg/trustdb.gpg: trustdb created
gpg: key E4E763905FAD148B marked as ultimately trusted
gpg: directory '/home/archi/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/archi/.gnupg/openpgp-revocs.d/8E5D685F423A584569686675E4E763905FAD148B.rev'
Now you can sign our key with yours in order to trust it:
$ gpg --sign-key 224DA6DB47A3935BDCC3BE17A3D181DF2D554CCF
pub ed25519/A3D181DF2D554CCF
created: 2021-05-22 expires: never usage: SC
trust: unknown validity: unknown
sub cv25519/E527A892E05B2F38
created: 2021-05-22 expires: never usage: E
[ unknown] (1). ArchiBot <[email protected]>
pub ed25519/A3D181DF2D554CCF
created: 2021-05-22 expires: never usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 224D A6DB 47A3 935B DCC3 BE17 A3D1 81DF 2D55 4CCF
ArchiBot <[email protected]>
Are you sure that you want to sign this key with your
key "archi" (E4E763905FAD148B)
Really sign? (y/N) y
And done, after trusting our key, gpg should no longer display the warning when verifying:
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Mon 02 Aug 2021 00:34:18 CEST
gpg: using EDDSA key 224DA6DB47A3935BDCC3BE17A3D181DF2D554CCF
gpg: Good signature from "ArchiBot <[email protected]>" [full]
Notice the [unknown] trust indicator changing into [full] once you signed our key with yours.
Congratulations, you've verified that nobody has tampered with the release you've downloaded! 👍
喵嗚~恭喜您發現了愚人節彩蛋的喵! 若您沒有設定CurrentCulture自訂選項,那麼ASF在4月1日時將會使用LOLcat語言,而非您的系統語言。 若您想要停用這個行為,您可以直接將CurrentCulture設定成您想要使用的語言。 值得一提的是,您可以透過將CurrentCulture的值設定成qps-Ploc,來無條件啟用這個彩蛋。
