Package Management for Gaming Software Development

Video games are not just computer programs, they are audio-visual artistic works. It’s a collaborative effort between software engineers, animators, scriptwriters, graphic designers, photographers and sound engineers.

Working with these collaborators and assets leads to a different software pipeline than the average software project. They also have the added complication of making cross-platform games - custom optimizations for a particular platform can have the unwelcome side effect of increasing build times and complicating the build process. But when it comes down to it, it’s still a software pipeline that needs a package repository to store its artifacts.

On top of storing their artifacts, gaming developers need a package management tool that helps secure their software supply chain. Protecting and understanding the threats from the software supply chain aren’t new concepts in gaming development by any means. For years, Anti-cheat game developers have been developing ways to protect their supply chain with signed firmware to combat mods, anti-debugging software to defer piracy and hackers, and runtime integrity checks to combat cheaters.

A somewhat new avenue of attack from the supply chain is 3rd party dependencies. Gaming developers should be able to assess and manage their dependencies easily. Like other software pipelines, trust in dependencies is integral to the security of their software. Some gaming software, such as anti-cheat software, can often run at a very high privilege level - the consequences of adding a dependency with a vulnerability could be catastrophic.

Gaming developers need their package management solution to:

Store all their artifacts and have native support for the formats that are popular in gaming development such as Unity, NuGet, Lua, Maven, raw files for binaries, Docker, Helm and packages for mobile platforms like Cocoapods and Kotlin.
Be easy to automate against with APIs, CLIs, Webhooks, Integrations with other DevOps tools and good documentation
Support hosting large files like 3D models, visual or audio assets.
Help them manage the licenses of the dependencies they use.
Help them visualize, control and secure their supply chain including their 3rd party dependancies.
Allow them to work with distributed teams.

Gaming Development Pipelines

A gaming development pipeline builds a video game from concept to completion. These pipelines have to cope with cross-platform builds, audiovisual assets, licensing, different revisions, and creative changes. They also need to contend with a distributed workforce and the security of their software supply chain. Needless to say, Gaming development has quite a complex and time-consuming software pipeline.

Cross-Platform Game Development

Cross-Platform game development allows you to code once and release to all platforms, whether mobile, console, PC, AR, or cloud gaming platforms. The big gaming platforms include Steam, PlayStation, Xbox, Nintendo, PC, Mac, iOS, and Android.

Cross-platform game development can be made more accessible with gaming engines and SDKs. The big gaming engines are Unreal and Unity (see the table below for more examples and information).

Although gaming engines reduce the amount of code that needs to be reimplemented, games often need to add custom changes for things like input control, or they may want to improve the performance on specific platforms. Custom changes to optimize the game’s performance tend to have a negative impact on the build time. For example, two hours of lead time for building a game is normal in game development.

Gaming Engine	Owner	Language	Format/ package manager	License	Example Games
Unreal Engine	Epic Games	C++, blueprint visual scripting	Unreal Engine Package	Free (royalty on gross revenue)	Fortnite
Unity	Unity Technologies	C#	Unity Package Manager	Licensing fees apply to organizations of revenue more than $100,000	Pokemon Go, Call of Duty Mobile
Amazon Lumberyard	Amazon Based on CryEngine with AWS support	C++, Lua	Lumberyard gem format for C++ packages	Amazon Lumberyard is free; You pay standard AWS fees for the AWS services they choose to use.	Star Citizen
CryENGINE	Crytek	C++/ C# Flow Graph visual scripting language		No license fees but monthly Membership fees to Marketplace	Crysis 2, The Climb
Godot		C# gdscript	AssetLib	Free to use and OS via MIT license	Resolution

What Gaming Developers Need from their Package Management Tool

The gaming engine and the platform it is running on are the main determinants of what package format your package manager needs to support.

Gaming developers need a package repository to host the packages they produce and consume as dependencies. Their package repository needs to support package formats such as NuGet, Unity, Lua, Maven, Conan, raw files for binaries, Docker, Helm and packages for mobile platforms like Cocoapods and Kotlin.

With support for 28 different package formats and counting, Cloudsmith strives to support all package formats for gaming and beyond.

Packaging Large File Formats

One thing that differentiates game development from other types of software development is the interaction with 3D models, visual assets and audio assets - these tend to be big hefty files.

GIT limits the size of files you can track in regular Git repositories and encourages you to use Git-lfs and replace the binary files with a text-based pointer to where the actual file is hosted. Plastic SCM is another way to version and store large raw assets.

Cloudsmith suggests another solution, you host your files on Cloudsmith as a raw file format, and you can refer to it in your codebase. Bring all your assets into Cloudsmith, where you can visualize, manage and control the access to the assets.

Gaming Licenses

Licensing is insanely important in gaming. One case from 2014 between Epic Games and Silicon Knights resulted in a $9.2million award to Epic Games and an order to destroy all unsold copies of Silicon Knight’s games using Unreal Engine 3. It inevitably led to the dismantling of Silicon Knights.

Gaming publishers use middleware software and gaming engines to build their games. They use these dependencies to model textures, create characters, physics engines, or anything to make building a game faster and more reliable. These dependencies are then distributed with licenses that describe how you can use the software.

It’s essential for Gaming developers and publishers to know and review your license agreements and abide by the terms. But your package management solution can help you with this.

Cloudsmith’s License Compliance provides you with an overall view of the state of licenses for the repository as a whole. It gives you at-a-glance statistics on what licenses you are currently using and allows you to edit/change the license associated with a package held within the platform.

Gaming publishers also usually have a EULA (end-user license agreement) that they make you sign before playing the game. Cloudsmith provides the ability for all Raw format files, if enabled, to require an End-User License Agreement (EULA) when a user attempts to download it. You can also add a custom EULA license agreement to your Cloudsmith packages.

Multiformat Repositories and Universal Tagging

Talking to people in gaming, the thing that comes up as a real point of contention in gaming is that every platform is packaged differently- Sony, Nintendo, Microsoft, Steam, Epic- all different. Cross-platform game development means teams need to track and manage binaries for each platform.

Your package management tool needs to help you organize your repositories and track your packages to suit the needs of cross-platform game development.

With Multiformat repositories, Cloudsmith allows you to store the same game for all the different formats in the same repository. Organize your packages by environment, platform, package type, or whatever way you see fit- we are not opinionated about how you organize your packages or containers.
Meta-data includes version numbers, formats, architectures, filetype and more. Cloudsmith extracts all the metadata from your packages and makes it available for searching/filtering. Developers often need more than this to group and organize their packages. Cloudsmith’s universal tagging gives you the ability to enrich your packages or containers with custom tags, either during package upload or after the fact. You can tag a package with information about the build process, the results of scans, specific platform information, or tag is as an alpha/beta candidate. With universal package tagging you now have the ability to add your own searchable attributes to your packages, so you can define what is of importance.

Multiformat repositories and Universal tagging can help you organize and track your packages in a flexible way which can help ease the pain of cross-platform development just a little.

Gaming development shares the same concerns as other industries in software development. These concerns include the need to have tools that support automation, not wanting to manage on-prem tools and the issues of having a distributed workforce spread around the world.

Automation

Games are hard to produce, have long release cycles, have a huge emphasis on launch dates and just like any other software product are subject to human error. Continuous integration and continuous delivery (CI/CD) is a method to frequently deliver builds by introducing automation into the stages of software development. Gaming software, just like other software pipelines, now commonly include CI/CD processes to improve the build and release systems for games and to release quality code faster.

Your package repository has to be easy to automate against to support this change. Cloudsmith provides APIs, a CLI, web hooks, integrations with CI/CD tools and great documentation to help you to automate your gaming software pipeline.

Cloud-native

Software teams are moving away from slow, brittle on-prem DevOps tools that are unsuited to modern software development and distributed teams.

Organizations don't want to worry about infrastructure, patching, upgrades, replications, or scaling. They would prefer to pay for a SaaS tool that just works without the overhead of maintaining it internally. Your package management tool is one of these DevOps tools that would benefit from being Cloud-native.

Cloudsmith is a Cloud-native package management tool that makes life simpler for your Engineers. Our cloud-native architecture enabled us to develop a smart CDN for software packages, our Package Delivery Network (PDN), to ensure lightning-fast delivery of your binaries any where in the world.

Cloud-native software can empower innovation, help you stay secure, reduce costs, and scale as your business needs change.

Distributed Teams

Distributed teams have always been quite common in Game Development, but Covid has supercharged its adoption even in small Indie gaming studios. We don’t just have distributed teams- we have distributed individuals.

Devs need a package management solution to handle a distributed workforce giving everyone similar low latency access speeds. Tools that don’t do this can lead to reduced collaboration, Developer unhappiness, and lack of confidence in your software process.

Cloudsmith is a Cloud-Native, fully managed package management as a service built on Cloud infrastructure and handles the distribution for you. Our infrastructure is built on top of a Content Delivery Network (CDN) with over 225 global points of presence, ensuring your whole team can assess the assets, packages and binaries for all platforms available 24/7

Securing your Gaming Software Supply Chain

The software supply chain includes your code, 3rd party dependencies, scripts, tests, environmental variables, IDEs, plugins, source code repositories, CI/CD tools, audiovisual assets, and package repositories. The attack surface for the software supply chain is vast.

The gaming industry, from the beginning, has had to contend with attacks on its supply chain to protect against piracy. They’ve had to implement signed firmware to combat mods, anti-debugging software to defer piracy and hackers, and runtime integrity checks to combat cheaters.

A newer avenue of attack that other software pipelines are only recently dealing with is the attack vector from 3rd party dependencies. Like over 90% of software developed today, gaming software uses 3rd party dependencies such as middleware. These dependencies have their own dependencies.

Possible reasons for gaming software attacks include stealing Intellectual property, installing malware on players’ devices to steal players PII, mine crypto, or deploying ransomware.

Examples of Gaming Supply Chain Attacks

Dependency hijacking breached the MS Halo dev site.
A report from Wired identified an aggressive group of supply chain hackers that target the tools that Gaming developers use to build games. This attack has similarities with the supply chain attack on Codecov.
SquirrelLang is an interpreted, open-source programming language used by video games and cloud services for customization and plugin development. Researchers have unearthed a vulnerability in Squirrel Sandbox that could potentially allow Remote Code Execution.
A recent zero-day vulnerability, Log4Shell, was found in a commonly used logging framework for Java called Log4j. The Log4Shell exploit gives attackers a simple way to execute code on any vulnerable machine. Minecraft servers were one of the first affected by this vulnerability.

Trusting 3rd Party Dependencies

Gaming software developers need an easy way to check where their 3rd party dependencies come from, are they untampered, and whether they should trust it?

Cloudsmith can help Game developers visualize, control, and secure their software artifacts by:

Using tools with security features and processes by default, such as 2FA, Single Sign-On, and ISO 27001 certification.
Hosting all your gaming artifacts and assets
Signing all artifacts and managing that process. Checking the signatures and checksums of artifacts is an effective defense against supply chain attacks.
Extracting, enriching, and surfacing your artifact’s metadata. This metadata contains essential information about packages, including checksums, dependencies, who built that artifact, and what platform it should be deployed.
The 3rd party dependencies can be cached, scanned, and verified. You can pull in new dependencies during the development stage and vet them before promoting them to production.

Our platform can help expose, manage, and control all the software, dependencies, and assets used to make up video games, allowing you to easily secure your software supply chain.

A Game Development Package Management Solution

Game development has a tricky pipeline. Gaming developers need package management tools to work with their formats like Unity, Maven, Kotlin, Conan, Docker, or Helm, handle large files and manage licenses.

On top of that, they need tools that are easy to automate against to help them secure their supply chain, that scale as they grow and can work with a distributed team.

From the internal distribution of alphas, betas, and release candidates between teams to distributing games, patches, and updates globally, Cloudsmith is built with your games in mind.

If you’re looking for a simple solution to secure your game development artifacts, you can sign up for a free 14-day trial and set up your first repository in just 60 seconds.

Signup for a free trial