| Time |
Nick |
Message |
| 00:14 |
|
aoper joined #minetest-dev |
| 00:34 |
|
Weedy_lappy joined #minetest-dev |
| 00:41 |
aoper |
I want to add a mouse sensitivity slider to the pause menu. Should I add a new button/menu or add it to the volume change and rename it to settings? |
| 00:41 |
PilzAdam |
https://github.com/minetest/minetest/pull/546 |
| 00:46 |
aoper |
has that been abandoned? |
| 00:46 |
PilzAdam |
dunno |
| 01:16 |
|
Weedy joined #minetest-dev |
| 01:28 |
|
Weedy_lappy joined #minetest-dev |
| 02:37 |
|
Fury joined #minetest-dev |
| 03:00 |
|
Mallot1 joined #minetest-dev |
| 03:13 |
|
ffoxin joined #minetest-dev |
| 03:28 |
|
salamanderrake joined #minetest-dev |
| 04:08 |
|
darkrose_ joined #minetest-dev |
| 04:11 |
|
around` joined #minetest-dev |
| 04:32 |
|
Mallot1 joined #minetest-dev |
| 04:38 |
|
nyuszika7h joined #minetest-dev |
| 04:42 |
|
neko259 joined #minetest-dev |
| 06:35 |
|
Taoki[laptop] joined #minetest-dev |
| 06:51 |
|
Anchakor joined #minetest-dev |
| 07:12 |
|
Anchakor_ joined #minetest-dev |
| 07:16 |
|
Calinou joined #minetest-dev |
| 07:19 |
|
jojoa1997 joined #minetest-dev |
| 08:07 |
|
darkrose joined #minetest-dev |
| 08:07 |
|
darkrose joined #minetest-dev |
| 08:44 |
|
proller joined #minetest-dev |
| 08:58 |
|
Calinou joined #minetest-dev |
| 09:14 |
|
serengeor joined #minetest-dev |
| 09:30 |
|
Zeg9 joined #minetest-dev |
| 10:22 |
proller |
bots timeouts before "joins game. List of players:" |
| 10:22 |
proller |
and i cant see ips |
| 10:23 |
proller |
need to show ip at "Moving c to static spawnpoint at (" or "ht times out. List of players:" |
| 10:25 |
|
PilzAdam joined #minetest-dev |
| 11:02 |
|
PilzAdam joined #minetest-dev |
| 11:18 |
|
john_minetest joined #minetest-dev |
| 11:19 |
|
nalkri joined #minetest-dev |
| 11:24 |
|
smoke_fumus joined #minetest-dev |
| 11:27 |
|
Calinou joined #minetest-dev |
| 11:46 |
|
PilzAdam joined #minetest-dev |
| 12:21 |
|
nalkri` joined #minetest-dev |
| 12:21 |
|
Zeg9 joined #minetest-dev |
| 12:25 |
|
Yepoleb joined #minetest-dev |
| 12:27 |
|
Zeg9 joined #minetest-dev |
| 12:47 |
|
john_minetest left #minetest-dev |
| 13:25 |
|
Calinou joined #minetest-dev |
| 13:25 |
|
rotor112 joined #minetest-dev |
| 13:26 |
|
rotor112 left #minetest-dev |
| 13:26 |
|
proller joined #minetest-dev |
| 13:30 |
|
PilzAdam joined #minetest-dev |
| 13:34 |
|
Taoki[mobile] joined #minetest-dev |
| 13:51 |
|
BlockMen joined #minetest-dev |
| 13:54 |
|
proller joined #minetest-dev |
| 14:12 |
|
proller joined #minetest-dev |
| 14:26 |
|
Fury joined #minetest-dev |
| 14:29 |
|
BrandonReese joined #minetest-dev |
| 14:58 |
|
Jordach joined #minetest-dev |
| 15:01 |
|
salamanderrake joined #minetest-dev |
| 15:04 |
|
Anchakor joined #minetest-dev |
| 15:05 |
|
rubenwardy joined #minetest-dev |
| 15:06 |
|
Calinou joined #minetest-dev |
| 15:14 |
|
jojoa1997 joined #minetest-dev |
| 15:15 |
|
Anchakor joined #minetest-dev |
| 15:31 |
|
OWNSyouAll_DESKT joined #minetest-dev |
| 15:55 |
|
BlockMen left #minetest-dev |
| 16:06 |
|
sapier joined #minetest-dev |
| 16:07 |
|
hmmmm joined #minetest-dev |
| 16:08 |
sapier |
could someone plz merge https://github.com/minetest/minetest/pull/825 I'm asking this for how many days now? Yes I know I fixed bugs on this pull requests but those were minor ones. |
| 16:09 |
|
Taoki[laptop] joined #minetest-dev |
| 16:11 |
* proller |
+1 |
| 16:12 |
PilzAdam |
sapier, done |
| 16:14 |
sapier |
thx |
| 16:14 |
PilzAdam |
Ill disable the gamemanager, though |
| 16:15 |
sapier |
you can do whatever you want ;-) |
| 16:18 |
proller |
sapier, 8) |
| 16:18 |
sapier |
what did I do wrong this time?? |
| 16:18 |
proller |
need to [ip]:port if non default port AND ip ipv6 |
| 16:19 |
sapier |
ipv6 is a new feature request ;-) |
| 16:19 |
proller |
its woks, but bit wrong shown |
| 16:19 |
proller |
look in server list |
| 16:19 |
proller |
:1234 - port |
| 16:20 |
proller |
but its too small bug |
| 16:20 |
sapier |
does it work for ipv4? |
| 16:20 |
celeron55_ |
>lua isn't designed to create a sandbox |
| 16:20 |
proller |
for ipv4 ok |
| 16:20 |
celeron55_ |
lua pretty much *is* designed to create a sandbox |
| 16:20 |
proller |
a.b.c.d:port |
| 16:20 |
celeron55_ |
you can just steal the original global environment from code and that's it |
| 16:21 |
proller |
but not correct for ipv6 a:b:c:..:d:port -> [a:b:c:..:d]:port |
| 16:21 |
celeron55_ |
and then know what you can expose to code and what not |
| 16:21 |
sapier |
ok lets be more precise the way we use it for server lua api it's not fixable to be really safe |
| 16:21 |
celeron55_ |
yes, that is a fact; the way it is used for server is not a sandbox |
| 16:21 |
sapier |
at least as long as dropping compatibility isn't an option |
| 16:22 |
sapier |
as security is really important for client side lua I don't want to rush this just to get solution as bad (considering security only) as server side |
| 16:23 |
PilzAdam |
https://github.com/minetest/minetest/issues/814 updated |
| 16:24 |
sapier |
PilAdam I guess it's time to create individual issues |
| 16:25 |
PilzAdam |
the list is too long for that |
| 16:26 |
sapier |
some of them are already fixed (as far as I know) others will remain unfixed almost forever |
| 16:26 |
PilzAdam |
what is fixed? |
| 16:27 |
sapier |
"Mods in the modlist should be sorted alphabetically" should be fixed did I miss something? |
| 16:27 |
PilzAdam |
well, its not sorted for me |
| 16:27 |
sapier |
wait ... worlds are sorted |
| 16:28 |
celeron55_ |
>No mouswheel support in lists |
| 16:28 |
celeron55_ |
isn't that a focus problem |
| 16:29 |
sapier |
yes it is ... you can decide mouse wheel or escape key |
| 16:29 |
celeron55_ |
lol |
| 16:30 |
sapier |
once focus is reset to formspec menu I can catch the escape key ... but mouswheel doesn't work |
| 16:30 |
sapier |
if I don't reset focus mousewheel works ... but I can't catch the escape key :-) ... at least I didn't find a way to do by now :-) |
| 16:30 |
PilzAdam |
how did it work before Lua menu? |
| 16:31 |
sapier |
different event mechanism |
| 16:32 |
sapier |
if I remember correctly this was done by derived classes ... but my memorys may be false |
| 16:32 |
sapier |
https://github.com/minetest/minetest/pull/640 what about this one it's sitting around for ages? |
| 16:35 |
celeron55_ |
so does this mean localization was basically removed altogether from minetest? |
| 16:35 |
sapier |
not exactly |
| 16:35 |
PilzAdam |
only updatepo.sh doesnt work anymore |
| 16:35 |
sapier |
localization has been moved to formspecs |
| 16:36 |
sapier |
so now even formspec menus can be localized ... at cost of updatepo.sh script |
| 16:37 |
celeron55_ |
but they aren't? |
| 16:38 |
sapier |
atm old localizations match about 90% so most is |
| 16:39 |
celeron55_ |
uuum |
| 16:39 |
celeron55_ |
so how is the localization template expected to be updated now? |
| 16:39 |
sapier |
two different aproaches have been discussed by now |
| 16:40 |
|
jojoa1997 joined #minetest-dev |
| 16:41 |
sapier |
1) create a dummy .h file containing all texts (manually maintaining this one) |
| 16:41 |
sapier |
2) add support to formspec for writing localization templates at runtime |
| 16:41 |
sapier |
3) [NEW suggestion] add lua side i18n support e.g. by geti18n("sometest") |
| 16:42 |
sapier |
none of the options is perfect |
| 16:47 |
celeron55_ |
a workable solution could be to add a dummy function in lua to mark strings (geti18n("sometest") style) and implement a parser for those to be run in updatepo.sh |
| 16:47 |
celeron55_ |
i wonder if there would be something that would work reasonably for server-side mods too |
| 16:49 |
celeron55_ |
probably not anything easy |
| 16:49 |
sapier |
I guess the dummy fct could work quite well |
| 16:50 |
PilzAdam |
you dont really a need a dummy function for that, just -- gettext("Foo") would work with the current updatepo.sh if you point it to the builtin lua files |
| 16:51 |
|
jin_xi joined #minetest-dev |
| 16:52 |
celeron55_ |
guess so |
| 16:53 |
celeron55_ |
but... you can't really feed full formspecs to gettext |
| 16:54 |
celeron55_ |
so it can be used only when put precisely in certain fields in formspecs |
| 16:54 |
celeron55_ |
hacky to say the least 8) |
| 16:54 |
sapier |
as we need to add the gettext() around any text to be shown I'd suggest to do this within lua code ... we don't need to do it twice if there's use for that fct |
| 16:55 |
celeron55_ |
umm... what does that mean? |
| 16:55 |
sapier |
e.g. if serverbased i18n requires this fct to do something the dummy could just be implemented |
| 16:56 |
sapier |
if we put everything to a separate file we additionally have to keep it in sync to lua texts |
| 16:56 |
celeron55_ |
by the way, how'd it work if the gettext() function itself in lua was an actual API function, only in main menu code, that'd call gettext |
| 16:57 |
celeron55_ |
on server it'd do something else |
| 16:57 |
celeron55_ |
i think that would make things quite smooth |
| 16:57 |
PilzAdam |
I like that idea |
| 16:57 |
sapier |
I'm not sure what would happen but it's worth a try |
| 16:58 |
sapier |
we'd still need a parser for lua files |
| 16:58 |
celeron55_ |
no we don't, gettext should be able to do that |
| 16:59 |
|
sapier1 joined #minetest-dev |
| 16:59 |
sapier1 |
but how are the po files created? |
| 16:59 |
celeron55_ |
at least PilzAdam guessed so |
| 16:59 |
celeron55_ |
gettext scans C++ files and collects what strings are inside gettext() calls |
| 16:59 |
celeron55_ |
the guess is that it will work reasonably well with lua files too |
| 16:59 |
sapier1 |
yes but the strings aren't within c++ if we call gettext within lua |
| 17:00 |
celeron55_ |
it's for the updatepo phase |
| 17:00 |
celeron55_ |
all that i said recently |
| 17:00 |
sapier1 |
ok just run updatepo on lua files? |
| 17:00 |
celeron55_ |
yes 8) |
| 17:00 |
celeron55_ |
let's hope it'll work |
| 17:01 |
sapier1 |
I'll do some experiments |
| 17:01 |
celeron55_ |
if it doesn't, then some kind of a custom parser is needed |
| 17:01 |
sapier1 |
later now i have to do something else :-) |
| 17:03 |
|
neko259 joined #minetest-dev |
| 17:16 |
|
Mallot1 joined #minetest-dev |
| 17:27 |
|
Calinou joined #minetest-dev |
| 17:27 |
PilzAdam |
sapier1, I know what caused the modmanager error, the forum uses https now |
| 17:28 |
PilzAdam |
but I get tons of 19:28:10: ERROR[main]: readModStoreModDetails: not a single version specified! |
| 17:29 |
|
jojoa1997 joined #minetest-dev |
| 18:10 |
proller |
sapier1, ! bug in public serverlist |
| 18:10 |
proller |
it always show :port but nust show only if showing address and port != 3000 |
| 18:10 |
proller |
!= 30000 |
| 18:11 |
proller |
and favorites too |
| 18:14 |
|
nalkri` joined #minetest-dev |
| 18:21 |
|
ffoxin joined #minetest-dev |
| 19:01 |
|
proller joined #minetest-dev |
| 19:05 |
|
jin_xi joined #minetest-dev |
| 19:43 |
sapier1 |
Pilzadam if it uses https I guess fixing is as simple as changeing settings can you confirm this? |
| 19:45 |
sapier1 |
"[main]: readModStoreModDetails: not a single version" is not a mainmenu error but a modlist issue ... it's absolutely useless to transfere data about mods without dowload link ... |
| 20:14 |
PilzAdam |
sapier1, yes, changing settings works |
| 20:14 |
sapier1 |
ok I already added a pull request |
| 20:27 |
PilzAdam |
sapier1, you forgot to change minetest.conf.example too |
| 20:27 |
sapier1 |
argh :-) |
| 20:27 |
PilzAdam |
already pushed a proper commit |
| 20:28 |
|
jojoa1997 joined #minetest-dev |
| 20:28 |
PilzAdam |
ummm.. why does it show name:port in the favorite list? its not supposed to show the port if the IP is not shown |
| 20:29 |
sapier1 |
no one told that to me |
| 20:29 |
PilzAdam |
Im sure you could figure that out yourself |
| 20:29 |
sapier1 |
proller requested port to be shown once it's different to default |
| 20:30 |
PilzAdam |
"VanessaE's Server:30000" just looks silly |
| 20:30 |
sapier1 |
have a look at my second pull request ;-) |
| 20:31 |
proller |
sapier1, and only if address shown |
| 20:31 |
sapier1 |
next time be more precise ! |
| 20:32 |
PilzAdam |
proller, why do you want that port 30000 is hidden? |
| 20:32 |
PilzAdam |
that doesnt make sense to m e |
| 20:33 |
proller |
why to show default port? its long and have no info |
| 20:33 |
PilzAdam |
what does "default port" even mean? |
| 20:34 |
proller |
<proller> it always show :port but must show only if showing address and port != 30000 |
| 20:34 |
proller |
default = 30000 |
| 20:34 |
proller |
look at http://servers.minetest.net/ |
| 20:34 |
PilzAdam |
ok, then lets say IP 85.157.45.234 is the "default IP" and lets hide it then |
| 20:34 |
proller |
good without :30000 on evera address |
| 20:35 |
proller |
PilzAdam, default ip is 127.0.0.1 |
| 20:35 |
sapier1 |
so no hiding of port 30000= |
| 20:35 |
sapier1 |
? |
| 20:36 |
PilzAdam |
new users might be confused why some adresses have a port and others not |
| 20:36 |
proller |
HIDE |
| 20:36 |
proller |
sapier1, it was before your changes |
| 20:36 |
PilzAdam |
there is nothing in the GUI that tells you "30000 is the default port" |
| 20:36 |
proller |
PilzAdam, are you seriously? |
| 20:36 |
PilzAdam |
yes |
| 20:37 |
proller |
you always confusing when look at http://url without :80 ? |
| 20:37 |
sapier1 |
ok atm it's 1:1 ... anyone interested in deciding? |
| 20:37 |
PilzAdam |
its standard that port 80 is http |
| 20:37 |
PilzAdam |
while its not standard that Minetest server run on 30000 |
| 20:37 |
proller |
30000 is standard for minetest |
| 20:37 |
PilzAdam |
ehm |
| 20:37 |
proller |
look at your default conf |
| 20:38 |
PilzAdam |
default != standard |
| 20:38 |
proller |
== for this game |
| 20:39 |
proller |
most of servers run at 30000 => its standatd |
| 20:39 |
PilzAdam |
also the default port is "" (line 27 in defaultsettings.cpp) |
| 20:40 |
proller |
look at code, 30000 is hardcoded default |
| 20:40 |
PilzAdam |
if people are new and look at the list they expect IP:port, how would they know that 30000 is hidden? |
| 20:41 |
PilzAdam |
you mean this code: https://github.com/minetest/minetest/blob/master/src/defaultsettings.cpp#L27 ? |
| 20:41 |
proller |
people can click on list item and find port at port window |
| 20:41 |
PilzAdam |
they cant click on the list in the web interface |
| 20:41 |
sapier1 |
if there's no clear decision I'm gonna implement the version requireing less code ;-P |
| 20:41 |
proller |
main.cpp 1048 <------>u16 port = 30000; |
| 20:41 |
PilzAdam |
sapier1, that is always show the port |
| 20:41 |
proller |
sapier1, hide when 30000 |
| 20:42 |
proller |
it was before, and you broke it ;) |
| 20:42 |
sapier1 |
I didn't break anything I just added modstore ;-P |
| 20:43 |
proller |
no, it was in c++ serverslist |
| 20:43 |
PilzAdam |
hiding arbritrary port is nonsense, it just confuses "outsiders" |
| 20:43 |
proller |
showing default port is stupid |
| 20:43 |
PilzAdam |
and they will most likely not look at main.cpp:1048 to see whats the default port |
| 20:43 |
sapier1 |
is really noone else here to decide? |
| 20:44 |
proller |
list will be ugly with :30000 on every line |
| 20:44 |
PilzAdam |
its correct |
| 20:44 |
sapier1 |
I tend to support pilzadam ... ip's are always ugly |
| 20:45 |
proller |
we have no space in list and want to show 6 no info symbols? |
| 20:45 |
sapier1 |
it's shown on IP's only proller |
| 20:45 |
PilzAdam |
if you have space problems then remove the ping, it has no use at all for the end-user, since its the ping between the serverslist server |
| 20:45 |
proller |
sapier1, and you will always use :port in http after it |
| 20:45 |
proller |
? |
| 20:45 |
sapier1 |
ip's have a maximum size of 15 hars |
| 20:46 |
proller |
ipv6 have 39 |
| 20:46 |
proller |
or even 45 |
| 20:46 |
celeron55_ |
eh what |
| 20:46 |
sapier1 |
ipv6 is not of my business that was added after mainmenu was built so it's up to the one who added it to find some reasonable good way to show it ;-) |
| 20:47 |
sapier1 |
but I don't care celeron55 if do you want portnumbers in favorite list or not? |
| 20:47 |
celeron55_ |
so is this thing you are talking about server addresses or server names? |
| 20:47 |
proller |
:30000 portnumbers! |
| 20:47 |
celeron55_ |
if it's addresses, then include port; if names, then no port |
| 20:47 |
celeron55_ |
it's as simple as that |
| 20:48 |
sapier1 |
ok so decision has been made |
| 20:48 |
celeron55_ |
a server name can include the port if it's relevant |
| 20:48 |
proller |
celeron55_, why to show :30000 default port? |
| 20:48 |
|
Taoki[laptop] joined #minetest-dev |
| 20:50 |
proller |
http://dev.minetest.net:80/ 8( |
| 20:50 |
celeron55_ |
don't be silly |
| 20:52 |
sapier1 |
proller if you want to be correct you have to write http://176.9.122.10:80 |
| 20:53 |
proller |
and with name too |
| 20:53 |
celeron55_ |
there isn't much benefit in going either way, so the way which combines less conditionals and more clarity is better |
| 20:53 |
PilzAdam |
sapier1, so, just do what celeron55_ said |
| 20:54 |
sapier1 |
already done celeron was 2:1 ... more than enough in respect to recent poor participation |
| 20:55 |
thexyz |
PilzAdam: what's the point for "outsider" to know the port server is running on? |
| 20:56 |
celeron55_ |
what's the point for "outsider" to know the address the server is running on? |
| 20:56 |
PilzAdam |
actually thats a good question :-) |
| 20:56 |
thexyz |
celeron55_: to distinguish servers |
| 20:57 |
celeron55_ |
but the original question was about name and port, not address and port |
| 20:58 |
celeron55_ |
name and port doesn't make any sense |
| 20:58 |
proller |
name and port - its bug, address and :30000 - its imperfection |
| 20:58 |
thexyz |
oh |
| 20:59 |
thexyz |
yes, lol |
| 20:59 |
sapier1 |
I wonder why discussion always starts after I "fixed" it ... no matter how long I wait to fix it |
| 21:00 |
thexyz |
showing names without addresses isn't a good idea either |
| 21:01 |
PilzAdam |
thexyz, in the list in the client only the name is shown (due to limited space), but you can see the adress by clicking on it once |
| 21:01 |
proller |
address shown in lower input |
| 21:01 |
sapier1 |
you always will see address and port below ... at least if you don't happen to run into doubleclick bug |
| 21:02 |
thexyz |
I mean, it's insecure |
| 21:02 |
thexyz |
I can fake a name and steal passwords |
| 21:03 |
PilzAdam |
only the hashes |
| 21:03 |
thexyz |
but I guess there's no much we can do about it |
| 21:03 |
thexyz |
PilzAdam: well, yeah |
| 21:03 |
sapier1 |
if you really want to be safe we'd need to implement certificate check for servers |
| 21:03 |
PilzAdam |
then, after 30 days of bruteforcing you get the password from a random user to a Minetest server |
| 21:03 |
PilzAdam |
thats totally worth it! |
| 21:04 |
thexyz |
well yeah |
| 21:04 |
thexyz |
or you can just use it to login to the server |
| 21:04 |
thexyz |
and kill everybody |
| 21:04 |
sapier1 |
considering most ppl dualuse passwords it might be usefull ... but I guess there are much more common attack vectors than minetest atm |
| 21:04 |
thexyz |
true, that's another problem |
| 21:05 |
sapier1 |
I think thexyz is right |
| 21:05 |
sapier1 |
what about showing name entrys in different color? |
| 21:05 |
PilzAdam |
can you use the same hash all the time? |
| 21:06 |
thexyz |
PilzAdam: hm? |
| 21:06 |
PilzAdam |
nvm |
| 21:06 |
celeron55_ |
well hashing is currently just player name + password; it's very vulnerable to mimicking a server |
| 21:06 |
sapier1 |
does someone want to add a simple challange response mechanism? |
| 21:06 |
celeron55_ |
altough if you just run a good GPU password cracking software on the name+password pairs, you're going to find out practically all of them in no time anyway |
| 21:07 |
Exio4 |
what shaXXX was used? |
| 21:07 |
Exio4 |
256? |
| 21:07 |
celeron55_ |
Exio4: doesn't matter |
| 21:07 |
Exio4 |
yeah, i know |
| 21:07 |
Exio4 |
i just wonder what one, but don't want to look at the code ;P |
| 21:07 |
celeron55_ |
if there was a challenge+response thing, then at least the attacker would need to listen to the communication when it happens |
| 21:07 |
celeron55_ |
on a server not his own |
| 21:07 |
celeron55_ |
actually |
| 21:08 |
celeron55_ |
wait, wha |
| 21:08 |
thexyz |
why not salt everything? |
| 21:08 |
celeron55_ |
a challenge+response doesn't actually do any good in this case |
| 21:09 |
celeron55_ |
if somebody sets up a server that looks like something else and a user logs in there, the challenge can be just set up so that they have easy time breaking the hashes |
| 21:09 |
PilzAdam |
we have to keep in mind that this is a game, not a browser or OS |
| 21:09 |
sapier1 |
sure? e.g. server sends some random code to client |
| 21:09 |
sapier1 |
client adds his pwd hash and hashes again |
| 21:09 |
thexyz |
oh we can't salt it |
| 21:09 |
celeron55_ |
sapier1: an attacking server? |
| 21:09 |
sapier1 |
same thing is done on server |
| 21:09 |
celeron55_ |
for sure 8D |
| 21:09 |
thexyz |
how sad |
| 21:09 |
celeron55_ |
sapier1: an attacking server will just send whatever it wants |
| 21:09 |
sapier1 |
atacking server doesn't have the real password hash |
| 21:10 |
celeron55_ |
as i said, cracking any hash that doesn't contain unknown random data is very easy |
| 21:10 |
celeron55_ |
and the server must know all the random data in whatever the client sends to it |
| 21:10 |
celeron55_ |
because otherwise it wouldn't make any sense |
| 21:11 |
sapier1 |
yes but hash does contain random unknown data |
| 21:11 |
sapier1 |
hash (challange + (user_pwd_hash) |
| 21:11 |
celeron55_ |
... |
| 21:11 |
PilzAdam |
why doesnt the server send some random salt to the client at first connection, and both remember the salt for every following connection? |
| 21:11 |
sapier1 |
yes it's still simple |
| 21:11 |
celeron55_ |
sapier1: challenge is from server -> server knows it |
| 21:11 |
celeron55_ |
server is the attacker |
| 21:11 |
celeron55_ |
use your brain for a bit, please |
| 21:11 |
sapier1 |
yes but server does only know a part ... true that'll make it more easy |
| 21:12 |
celeron55_ |
it knows the part that you are adding to the current one |
| 21:12 |
sapier1 |
and hash again after adding |
| 21:13 |
celeron55_ |
PilzAdam: that would work in setting up trust between a server and an existing client, but setting up the storage for those is a bit of work |
| 21:13 |
thexyz |
> you're going to find out practically all of them in no time anyway | i'm not sure if that's true |
| 21:14 |
sapier1 |
and you can't login from another client ever |
| 21:14 |
celeron55_ |
PilzAdam: also, how would it be handled if a same server loses the data, or the client loses the data? |
| 21:14 |
PilzAdam |
celeron55_, the server could just store it in auth.txt, but the client would need an auth.txt with soemthing like "server:salt" |
| 21:14 |
PilzAdam |
oh yea, it would require to use the same client to connect to a server |
| 21:14 |
celeron55_ |
it'd need a dialog telling the user "this could be a spoofing attack" and users would get it often enough for them to always just click "continue anyway" |
| 21:15 |
thexyz |
well have you decided what're we protecting from? |
| 21:15 |
sapier1 |
I strongly suggest using certificates if we really want a strong authentification |
| 21:15 |
celeron55_ |
thexyz: good question 8) |
| 21:15 |
celeron55_ |
sapier1: certificates are useless |
| 21:15 |
celeron55_ |
sapier1: what you mean is some kind of public key cryptography, probably |
| 21:16 |
sapier1 |
that's why any good vpn uses it I know ;-) ... of course establishing trust first time is still an issue |
| 21:16 |
celeron55_ |
but even doing it as securely as, say, SSH does, it still has the same problem as PilzAdam's suggestion |
| 21:16 |
sapier1 |
of course combining it to e.g. ssl encryption will help even more |
| 21:17 |
sapier1 |
yes problem is we'd need a pki ... we'd need it for modstore too |
| 21:17 |
sapier1 |
so maybe this is at least a long term goal |
| 21:17 |
celeron55_ |
i wouldn't want to set up any kind of "minetest certificate authority" |
| 21:18 |
celeron55_ |
it's too central |
| 21:18 |
sapier1 |
of course not a single one but maybe like browser add some sort of keyring |
| 21:19 |
celeron55_ |
........i seriously hope there would be some small and good cross-platform library for this |
| 21:19 |
celeron55_ |
sadly there probably isn't |
| 21:20 |
sapier1 |
the only trustworthy one I know is openssl .. but it's far from small |
| 21:20 |
celeron55_ |
and far from convenient in a cross-platform situation |
| 21:21 |
sapier1 |
yes windows isn't very well supported |
| 21:22 |
thexyz |
we have keys for minetest forums |
| 21:22 |
celeron55_ |
they're sitting on their high and large UNIX thrones thinking they're better than anything else |
| 21:22 |
sapier1 |
imho only two solutions are usefull adding some randomness to password hash on login and live with it still beeing unsafe ... or add a full blown safe solution |
| 21:23 |
thexyz |
alright, so what're we protecting from? |
| 21:23 |
sapier1 |
userpassword |
| 21:24 |
PilzAdam |
thexyz, our own paranoia ;-) |
| 21:24 |
thexyz |
1) evil server logins to trusted server using provided credentials or 2) trusted server knows user's password |
| 21:24 |
celeron55_ |
thexyz: you pretty much binged up this whole discussion by noting that servers can't be trusted |
| 21:24 |
sapier1 |
considering nsa behaviour none of us was paranoid enough ... not even myself |
| 21:24 |
celeron55_ |
+r |
| 21:24 |
thexyz |
I personally am fine with 2nd |
| 21:25 |
thexyz |
but we can't do 1st without it |
| 21:25 |
proller |
some users use 1 char passwords |
| 21:25 |
celeron55_ |
i generally use very bad passwords in minetest because it's not worth it to use better ones |
| 21:27 |
proller |
most of users too |
| 21:27 |
sapier1 |
so maybe we don't have an issue at all? |
| 21:28 |
proller |
its not paypal 8) |
| 21:28 |
PilzAdam |
<PilzAdam> we have to keep in mind that this is a game, not a browser or OS |
| 21:28 |
celeron55_ |
i think a better use of resources would be to make it possible for moderators to revert any damage done to players |
| 21:29 |
sapier1 |
PilzAdam that's not an excuse but maybe if we'd added some note e.g. on download to warn users ... WE know passwords aren't safe but first time users may not |
| 21:29 |
celeron55_ |
add a tooltip to the menu when typing password |
| 21:30 |
sapier1 |
you're funny ;-) |
| 21:30 |
sapier1 |
no tooltips in formspec atm ;-) |
| 21:30 |
celeron55_ |
well just hardcode any password field to do that 8) |
| 21:31 |
sapier1 |
I guess that's thexy's task he started the discussion :-) |
| 21:31 |
celeron55_ |
i'm ok with that 8) |
| 21:32 |
thexyz |
i just asked you to show server address |
| 21:32 |
sapier1 |
what about my suggestion to at least use different colors for name and ip entrys? |
| 21:32 |
thexyz |
s/show/make it show/ |
| 21:33 |
PilzAdam |
thexyz, the adress is already shown if you click on it once |
| 21:33 |
thexyz |
uh |
| 21:33 |
thexyz |
whatever |
| 21:36 |
|
NakedFury joined #minetest-dev |
| 21:48 |
kahrl |
wait, what was the challenge response discussion about |
| 21:49 |
kahrl |
the server can dictate the challenge? well, that's easy to solve: let the client choose half of the challenge |
| 21:49 |
nalkri |
Or send mutual challenges |
| 21:49 |
kahrl |
nalkri: yeah, basically the same |
| 21:50 |
nalkri |
Just thought I should say it for completeness :) |
| 21:51 |
kahrl |
https://en.wikipedia.org/wiki/Challenge-response_authentication#Simple_Example_mutual_authentication_sequence |
| 21:55 |
kahrl |
though, the problem with any (?) challenge response protocol is that it is incompatible to minetest's system of registering user+password on the first login to a server |
| 22:11 |
|
sapier1 left #minetest-dev |
| 22:22 |
|
jojoa1997 joined #minetest-dev |
| 22:42 |
|
jojoa1997 joined #minetest-dev |
| 22:51 |
|
nalkri` joined #minetest-dev |
| 23:05 |
|
khonkhortisan_ joined #minetest-dev |
