
Package Management for Gaming Software Development

Video games are not just computer programs; they are audio-visual artistic works. Making one is a collaborative effort between software engineers, animators, scriptwriters, graphic designers, photographers and sound engineers.
Working with these collaborators and assets leads to a different software pipeline than the average software project. Game studios also have the added complication of making cross-platform games: custom optimizations for a particular platform can have the unwelcome side effect of increasing build times and complicating the build process. But when it comes down to it, it’s still a software pipeline that needs a package repository to store its artifacts.
On top of storing their artifacts, gaming developers need a package management tool that helps secure their software supply chain. Understanding and protecting against threats from the software supply chain is not a new concept in gaming development by any means. For years, anti-cheat game developers have been developing ways to protect their supply chain with signed firmware to combat mods, anti-debugging software to deter piracy and hackers, and runtime integrity checks to combat cheaters.
A somewhat new avenue of attack from the supply chain is 3rd party dependencies. Gaming developers should be able to assess and manage their dependencies easily. Like other software pipelines, trust in dependencies is integral to the security of their software. Some gaming software, such as anti-cheat software, can often run at a very high privilege level - the consequences of adding a dependency with a vulnerability could be catastrophic.
Gaming developers need their package management solution to:
Gaming Development Pipelines
A gaming development pipeline builds a video game from concept to completion. These pipelines have to cope with cross-platform builds, audiovisual assets, licensing, different revisions, and creative changes. They also need to contend with a distributed workforce and the security of their software supply chain. Needless to say, game development has quite a complex and time-consuming software pipeline.
Cross-Platform Game Development
Cross-Platform game development allows you to code once and release to all platforms, whether mobile, console, PC, AR, or cloud gaming platforms. The big gaming platforms include Steam, PlayStation, Xbox, Nintendo, PC, Mac, iOS, and Android.
Cross-platform game development can be made more accessible with gaming engines and SDKs. The big gaming engines are Unreal and Unity (see the table below for more examples and information).
Although gaming engines reduce the amount of code that needs to be reimplemented, games often need to add custom changes for things like input control, or they may want to improve the performance on specific platforms. Custom changes to optimize the game’s performance tend to have a negative impact on the build time. For example, two hours of lead time for building a game is normal in game development.
| Gaming Engine | Owner | Language | Format / package manager | License | Example Games |
|---|---|---|---|---|---|
| Unreal Engine | Epic Games | C++, Blueprint visual scripting | Unreal Engine Package | Free (royalty on gross revenue) | Fortnite |
| Unity | Unity Technologies | C# | Unity Package Manager | Licensing fees apply to organizations of revenue more than $100,000 | Pokemon Go, Call of Duty Mobile |
| Amazon Lumberyard | Amazon. Based on CryEngine with AWS support | C++, Lua | Lumberyard gem format for C++ packages | Amazon Lumberyard is free; you pay standard AWS fees for the AWS services you choose to use. | Star Citizen |
| CryENGINE | Crytek | C++/C#, Flow Graph visual scripting language | | No license fees but monthly membership fees to Marketplace | Crysis 2, The Climb |
| Godot | | C#, GDScript | AssetLib | Free to use and OS via MIT license | Resolution |
What Gaming Developers Need from their Package Management Tool
The gaming engine and the platform it is running on are the main determinants of what package format your package manager needs to support.
Gaming developers need a package repository to host the packages they produce and consume as dependencies. Their package repository needs to support package formats such as NuGet, Unity, Lua, Maven, Conan, raw files for binaries, Docker, Helm and packages for mobile platforms like CocoaPods and Kotlin.
With support for 28 different package formats and counting, Cloudsmith strives to support all package formats for gaming and beyond.
Packaging Large File Formats
One thing that differentiates game development from other types of software development is the interaction with 3D models, visual assets and audio assets. These tend to be big, hefty files.
Git limits the size of files you can track in regular Git repositories and encourages you to use Git LFS, which replaces the binary files with a text-based pointer to where the actual file is hosted. Plastic SCM is another way to version and store large raw assets.
Cloudsmith suggests another solution: host your files on Cloudsmith as a raw file format and refer to them in your codebase. Bring all your assets into Cloudsmith, where you can visualize, manage and control the access to the assets.
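A Git LFS pointer is a small text file that records the asset's SHA-256 (`oid`) and `size`, so a build step can check a fetched binary against it before the asset is packaged. The following is an added example, not code from the original article or from Cloudsmith; the function names are illustrative and the sample asset is constructed.

```python
import hashlib
import hmac
import io
import re

LFS_SPEC = "https://git-lfs.github.com/spec/v1"

def parse_lfs_pointer(text):
    """Return (sha256_hex, size) from a Git LFS pointer; ValueError if malformed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" ")
        if not sep or key in fields:
            raise ValueError(f"malformed or duplicate pointer line: {line!r}")
        fields[key] = value
    if fields.get("version") != LFS_SPEC:
        raise ValueError("not a Git LFS v1 pointer")
    oid = re.fullmatch(r"sha256:([0-9a-f]{64})", fields.get("oid", ""))
    size = re.fullmatch(r"[0-9]+", fields.get("size", ""))
    if not oid or not size:
        raise ValueError("pointer lacks a valid sha256 oid or size")
    return oid.group(1), int(size.group(0))

def verify_asset(pointer_text, stream, chunk_size=1 << 20):
    """True only if the streamed bytes match the pointer's size and SHA-256."""
    expected_oid, expected_size = parse_lfs_pointer(pointer_text)
    digest, seen = hashlib.sha256(), 0
    while chunk := stream.read(chunk_size):
        seen += len(chunk)
        if seen > expected_size:  # oversized download: stop hashing early
            return False
        digest.update(chunk)
    return seen == expected_size and hmac.compare_digest(digest.hexdigest(), expected_oid)

# Constructed sample data (not a real game asset): a fake texture and its pointer.
SAMPLE_ASSET = b"constructed texture bytes" * 1000
SAMPLE_POINTER = (
    f"version {LFS_SPEC}\n"
    f"oid sha256:{hashlib.sha256(SAMPLE_ASSET).hexdigest()}\n"
    f"size {len(SAMPLE_ASSET)}\n"
)

if __name__ == "__main__":
    tampered = SAMPLE_ASSET[:-1] + b"X"
    print("original:", verify_asset(SAMPLE_POINTER, io.BytesIO(SAMPLE_ASSET)))
    print("tampered:", verify_asset(SAMPLE_POINTER, io.BytesIO(tampered)))
```

The asset is streamed in chunks so multi-gigabyte files never have to fit in memory, and a malformed pointer raises an error instead of being treated as a match.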
Gaming Licenses
Licensing is insanely important in gaming. One case from 2014 between Epic Games and Silicon Knights resulted in a $9.2 million award to Epic Games and an order to destroy all unsold copies of Silicon Knights’ games using Unreal Engine 3. It inevitably led to the dismantling of Silicon Knights.
Gaming publishers use middleware software and gaming engines to build their games. They use these dependencies to model textures, create characters, provide physics engines, or do anything else that makes building a game faster and more reliable. These dependencies are then distributed with licenses that describe how you can use the software.
It’s essential for gaming developers and publishers to know and review their license agreements and abide by the terms. But your package management solution can help you with this.
Cloudsmith’s License Compliance provides you with an overall view of the state of licenses for the repository as a whole. It gives you at-a-glance statistics on what licenses you are currently using and allows you to edit/change the license associated with a package held within the platform.
Gaming publishers also usually have a EULA (end-user license agreement) that they make you sign before playing the game. Cloudsmith provides the ability for all Raw format files, if enabled, to require an End-User License Agreement (EULA) when a user attempts to download it. You can also add a custom EULA license agreement to your Cloudsmith packages.
Multiformat Repositories and Universal Tagging
When talking to people in gaming, the thing that comes up as a real point of contention is that every platform is packaged differently: Sony, Nintendo, Microsoft, Steam, Epic are all different. Cross-platform game development means teams need to track and manage binaries for each platform.
Your package management tool needs to help you organize your repositories and track your packages to suit the needs of cross-platform game development.
Multiformat repositories and Universal tagging can help you organize and track your packages in a flexible way which can help ease the pain of cross-platform development just a little.
Common challenges Gaming developers share with other software industries
Gaming development shares the same concerns as other industries in software development. These concerns include the need to have tools that support automation, not wanting to manage on-prem tools and the issues of having a distributed workforce spread around the world.
Automation
Games are hard to produce, have long release cycles, place a huge emphasis on launch dates and, just like any other software product, are subject to human error. Continuous integration and continuous delivery (CI/CD) is a method to frequently deliver builds by introducing automation into the stages of software development. Gaming software pipelines, just like other software pipelines, now commonly include CI/CD processes to improve the build and release systems for games and to release quality code faster.
Your package repository has to be easy to automate against to support this change. Cloudsmith provides APIs, a CLI, webhooks, integrations with CI/CD tools and great documentation to help you to automate your gaming software pipeline.
Cloud-native
Software teams are moving away from slow, brittle on-prem DevOps tools that are unsuited to modern software development and distributed teams.
Organizations don't want to worry about infrastructure, patching, upgrades, replications, or scaling. They would prefer to pay for a SaaS tool that just works without the overhead of maintaining it internally. Your package management tool is one of these DevOps tools that would benefit from being Cloud-native.
Cloudsmith is a cloud-native package management tool that makes life simpler for your engineers. Our cloud-native architecture enabled us to develop a smart CDN for software packages, our Package Delivery Network (PDN), to ensure lightning-fast delivery of your binaries anywhere in the world.
Cloud-native software can empower innovation, help you stay secure, reduce costs, and scale as your business needs change.
Distributed Teams
Distributed teams have always been quite common in game development, but Covid has supercharged their adoption even in small indie gaming studios. We don’t just have distributed teams; we have distributed individuals.
Devs need a package management solution that handles a distributed workforce and gives everyone similar low-latency access speeds. Tools that don’t do this can lead to reduced collaboration, developer unhappiness, and lack of confidence in your software process.
Cloudsmith is a cloud-native, fully managed package-management-as-a-service platform, built on cloud infrastructure, that handles the distribution for you. Our infrastructure is built on top of a Content Delivery Network (CDN) with over 225 global points of presence, ensuring your whole team can access the assets, packages and binaries for all platforms, 24/7.
Securing your Gaming Software Supply Chain
The software supply chain includes your code, 3rd party dependencies, scripts, tests, environment variables, IDEs, plugins, source code repositories, CI/CD tools, audiovisual assets, and package repositories. The attack surface for the software supply chain is vast.
The gaming industry, from the beginning, has had to contend with attacks on its supply chain to protect against piracy. It has had to implement signed firmware to combat mods, anti-debugging software to deter piracy and hackers, and runtime integrity checks to combat cheaters.
A newer avenue of attack that other software pipelines are only recently dealing with is the attack vector from 3rd party dependencies. Like over 90% of software developed today, gaming software uses 3rd party dependencies such as middleware. These dependencies have their own dependencies.
Possible reasons for gaming software attacks include stealing intellectual property, installing malware on players’ devices to steal players’ PII, mining crypto, or deploying ransomware.
Examples of Gaming Supply Chain Attacks
Trusting 3rd Party Dependencies
Gaming software developers need an easy way to check where their 3rd party dependencies come from, whether they are untampered, and whether they should be trusted.
Cloudsmith can help Game developers visualize, control, and secure their software artifacts by:
Our platform can help expose, manage, and control all the software, dependencies, and assets used to make up video games, allowing you to easily secure your software supply chain.
A Game Development Package Management Solution
Game development has a tricky pipeline. Gaming developers need package management tools to work with their formats like Unity, Maven, Kotlin, Conan, Docker, or Helm, handle large files and manage licenses.
On top of that, they need tools that are easy to automate against to help them secure their supply chain, that scale as they grow and can work with a distributed team.
From the internal distribution of alphas, betas, and release candidates between teams to distributing games, patches, and updates globally, Cloudsmith is built with your games in mind.
If you’re looking for a simple solution to secure your game development artifacts, you can sign up for a free 14-day trial and set up your first repository in just 60 seconds.