Time Nick Message
00:41 aoper I want to add a mouse sensitivity slider to the pause menu. Should I add a new button/menu or add it to the volume change and rename it to settings?
00:41 PilzAdam https://github.com/minetest/minetest/pull/546
00:46 aoper has that been abandoned?
00:46 PilzAdam dunno
10:22 proller bots timeouts before "joins game. List of players:"
10:22 proller and i cant see ips
10:23 proller need to show ip at "Moving c to static spawnpoint at (" or "ht times out. List of players:"
16:08 sapier could someone plz merge https://github.com/minetest/minetest/pull/825 I'm asking this for how many days now? Yes I know I fixed bugs on this pull requests but those were minor ones.
16:11 * proller +1
16:12 PilzAdam sapier, done
16:14 sapier thx
16:14 PilzAdam Ill disable the gamemanager, though
16:15 sapier you can do whatever you want ;-)
16:18 proller sapier, 8)
16:18 sapier what did I do wrong this time??
16:18 proller need to [ip]:port if non default port AND ip ipv6
16:19 sapier ipv6 is a new feature request ;-)
16:19 proller it works, but bit wrong shown
16:19 proller look in server list
16:19 proller :1234 - port
16:20 proller but its too small bug
16:20 sapier does it work for ipv4?
16:20 celeron55_ >lua isn't designed to create a sandbox
16:20 proller for ipv4 ok
16:20 celeron55_ lua pretty much *is* designed to create a sandbox
16:20 proller a.b.c.d:port
16:20 celeron55_ you can just steal the original global environment from code and that's it
16:21 proller but not correct for ipv6 a:b:c:..:d:port -> [a:b:c:..:d]:port
16:21 celeron55_ and then know what you can expose to code and what not
16:21 sapier ok lets be more precise the way we use it for server lua api it's not fixable to be really safe
16:21 celeron55_ yes, that is a fact; the way it is used for server is not a sandbox
16:21 sapier at least as long as dropping compatibility isn't an option
16:22 sapier as security is really important for client side lua I don't want to rush this just to get solution as bad (considering security only) as server side
16:23 PilzAdam https://github.com/minetest/minetest/issues/814 updated
16:24 sapier PilAdam I guess it's time to create individual issues
16:25 PilzAdam the list is too long for that
16:26 sapier some of them are already fixed (as far as I know) others will remain unfixed almost forever
16:26 PilzAdam what is fixed?
16:27 sapier "Mods in the modlist should be sorted alphabetically" should be fixed did I miss something?
16:27 PilzAdam well, its not sorted for me
16:27 sapier wait ... worlds are sorted
16:28 celeron55_ >No mouswheel support in lists
16:28 celeron55_ isn't that a focus problem
16:29 sapier yes it is ... you can decide mouse wheel or escape key
16:29 celeron55_ lol
16:30 sapier once focus is reset to formspec menu I can catch the escape key ... but mousewheel doesn't work
16:30 sapier if I don't reset focus mousewheel works ... but I can't catch the escape key :-) ... at least I didn't find a way to do by now :-)
16:30 PilzAdam how did it work before Lua menu?
16:31 sapier different event mechanism
16:32 sapier if I remember correctly this was done by derived classes ... but my memories may be false
16:32 sapier https://github.com/minetest/minetest/pull/640 what about this one it's sitting around for ages?
16:35 celeron55_ so does this mean localization was basically removed altogether from minetest?
16:35 sapier not exactly
16:35 PilzAdam only updatepo.sh doesnt work anymore
16:35 sapier localization has been moved to formspecs
16:36 sapier so now even formspec menus can be localized ... at cost of updatepo.sh script
16:37 celeron55_ but they aren't?
16:38 sapier atm old localizations match about 90% so most is
16:39 celeron55_ uuum
16:39 celeron55_ so how is the localization template expected to be updated now?
16:39 sapier two different approaches have been discussed by now
16:41 sapier 1) create a dummy .h file containing all texts (manually maintaining this one)
16:41 sapier 2) add support to formspec for writing localization templates at runtime
16:41 sapier 3) [NEW suggestion] add lua side i18n support e.g. by geti18n("sometest")
16:42 sapier none of the options is perfect
16:47 celeron55_ a workable solution could be to add a dummy function in lua to mark strings (geti18n("sometest") style) and implement a parser for those to be run in updatepo.sh
16:47 celeron55_ i wonder if there would be something that would work reasonably for server-side mods too
16:49 celeron55_ probably not anything easy
16:49 sapier I guess the dummy fct could work quite well
16:50 PilzAdam you dont really need a dummy function for that, just -- gettext("Foo") would work with the current updatepo.sh if you point it to the builtin lua files
16:52 celeron55_ guess so
16:53 celeron55_ but... you can't really feed full formspecs to gettext
16:54 celeron55_ so it can be used only when put precisely in certain fields in formspecs
16:54 celeron55_ hacky to say the least 8)
16:54 sapier as we need to add the gettext() around any text to be shown I'd suggest to do this within lua code ... we don't need to do it twice if there's use for that fct
16:55 celeron55_ umm... what does that mean?
16:55 sapier e.g. if serverbased i18n requires this fct to do something the dummy could just be implemented
16:56 sapier if we put everything to a separate file we additionally have to keep it in sync to lua texts
16:56 celeron55_ by the way, how'd it work if the gettext() function itself in lua was an actual API function, only in main menu code, that'd call gettext
16:57 celeron55_ on server it'd do something else
16:57 celeron55_ i think that would make things quite smooth
16:57 PilzAdam I like that idea
16:57 sapier I'm not sure what would happen but it's worth a try
16:58 sapier we'd still need a parser for lua files
16:58 celeron55_ no we don't, gettext should be able to do that
16:59 sapier1 but how are the po files created?
16:59 celeron55_ at least PilzAdam guessed so
16:59 celeron55_ gettext scans C++ files and collects what strings are inside gettext() calls
16:59 celeron55_ the guess is that it will work reasonably well with lua files too
16:59 sapier1 yes but the strings aren't within c++ if we call gettext within lua
17:00 celeron55_ it's for the updatepo phase
17:00 celeron55_ all that i said recently
17:00 sapier1 ok just run updatepo on lua files?
17:00 celeron55_ yes 8)
17:00 celeron55_ let's hope it'll work
17:01 sapier1 I'll do some experiments
17:01 celeron55_ if it doesn't, then some kind of a custom parser is needed
17:01 sapier1 later now i have to do something else :-)
17:27 PilzAdam sapier1, I know what caused the modmanager error, the forum uses https now
17:28 PilzAdam but I get tons of 19:28:10: ERROR[main]: readModStoreModDetails: not a single version specified!
18:10 proller sapier1, ! bug in public serverlist
18:10 proller it always show :port but must show only if showing address and port != 3000
18:10 proller != 30000
18:11 proller and favorites too
19:43 sapier1 Pilzadam if it uses https I guess fixing is as simple as changing settings can you confirm this?
19:45 sapier1 "[main]: readModStoreModDetails: not a single version" is not a mainmenu error but a modlist issue ... it's absolutely useless to transfer data about mods without download link ...
20:14 PilzAdam sapier1, yes, changing settings works
20:14 sapier1 ok I already added a pull request
20:27 PilzAdam sapier1, you forgot to change minetest.conf.example too
20:27 sapier1 argh :-)
20:27 PilzAdam already pushed a proper commit
20:28 PilzAdam ummm.. why does it show name:port in the favorite list? its not supposed to show the port if the IP is not shown
20:29 sapier1 no one told that to me
20:29 PilzAdam Im sure you could figure that out yourself
20:29 sapier1 proller requested port to be shown once it's different to default
20:30 PilzAdam "VanessaE's Server:30000" just looks silly
20:30 sapier1 have a look at my second pull request ;-)
20:31 proller sapier1, and only if address shown
20:31 sapier1 next time be more precise !
20:32 PilzAdam proller, why do you want that port 30000 is hidden?
20:32 PilzAdam that doesnt make sense to me
20:33 proller why to show default port? its long and have no info
20:33 PilzAdam what does "default port" even mean?
20:34 proller it always show :port but must show only if showing address and port != 30000
20:34 proller default = 30000
20:34 proller look at http://servers.minetest.net/
20:34 PilzAdam ok, then lets say IP 85.157.45.234 is the "default IP" and lets hide it then
20:34 proller good without :30000 on every address
20:35 proller PilzAdam, default ip is 127.0.0.1
20:35 sapier1 so no hiding of port 30000=
20:35 sapier1 ?
20:36 PilzAdam new users might be confused why some addresses have a port and others not
20:36 proller HIDE
20:36 proller sapier1, it was before your changes
20:36 PilzAdam there is nothing in the GUI that tells you "30000 is the default port"
20:36 proller PilzAdam, are you seriously?
20:36 PilzAdam yes
20:37 proller you always confusing when look at http://url without :80 ?
20:37 sapier1 ok atm it's 1:1 ... anyone interested in deciding?
20:37 PilzAdam its standard that port 80 is http
20:37 PilzAdam while its not standard that Minetest server run on 30000
20:37 proller 30000 is standard for minetest
20:37 PilzAdam ehm
20:37 proller look at your default conf
20:38 PilzAdam default != standard
20:38 proller == for this game
20:39 proller most of servers run at 30000 => its standard
20:39 PilzAdam also the default port is "" (line 27 in defaultsettings.cpp)
20:40 proller look at code, 30000 is hardcoded default
20:40 PilzAdam if people are new and look at the list they expect IP:port, how would they know that 30000 is hidden?
20:41 PilzAdam you mean this code: https://github.com/minetest/minetest/blob/master/src/defaultsettings.cpp#L27 ?
20:41 proller people can click on list item and find port at port window
20:41 PilzAdam they cant click on the list in the web interface
20:41 sapier1 if there's no clear decision I'm gonna implement the version requiring less code ;-P
20:41 proller main.cpp 1048 <------>u16 port = 30000;
20:41 PilzAdam sapier1, that is always show the port
20:41 proller sapier1, hide when 30000
20:42 proller it was before, and you broke it ;)
20:42 sapier1 I didn't break anything I just added modstore ;-P
20:43 proller no, it was in c++ serverslist
20:43 PilzAdam hiding arbitrary port is nonsense, it just confuses "outsiders"
20:43 proller showing default port is stupid
20:43 PilzAdam and they will most likely not look at main.cpp:1048 to see whats the default port
20:43 sapier1 is really no one else here to decide?
20:44 proller list will be ugly with :30000 on every line
20:44 PilzAdam its correct
20:44 sapier1 I tend to support pilzadam ... ip's are always ugly
20:45 proller we have no space in list and want to show 6 no info symbols?
20:45 sapier1 it's shown on IP's only proller
20:45 PilzAdam if you have space problems then remove the ping, it has no use at all for the end-user, since its the ping between the serverslist server
20:45 proller sapier1, and you will always use :port in http after it
20:45 proller ?
20:45 sapier1 ip's have a maximum size of 15 chars
20:46 proller ipv6 have 39
20:46 proller or even 45
20:46 celeron55_ eh what
20:46 sapier1 ipv6 is not of my business that was added after mainmenu was built so it's up to the one who added it to find some reasonable good way to show it ;-)
20:47 sapier1 but I don't care celeron55 if do you want portnumbers in favorite list or not?
20:47 celeron55_ so is this thing you are talking about server addresses or server names?
20:47 proller :30000 portnumbers!
20:47 celeron55_ if it's addresses, then include port; if names, then no port
20:47 celeron55_ it's as simple as that
20:48 sapier1 ok so decision has been made
20:48 celeron55_ a server name can include the port if it's relevant
20:48 proller celeron55_, why to show :30000 default port?
20:50 proller http://dev.minetest.net:80/ 8(
20:50 celeron55_ don't be silly
20:52 sapier1 proller if you want to be correct you have to write http://176.9.122.10:80
20:53 proller and with name too
20:53 celeron55_ there isn't much benefit in going either way, so the way which combines less conditionals and more clarity is better
20:53 PilzAdam sapier1, so, just do what celeron55_ said
20:54 sapier1 already done celeron was 2:1 ... more than enough in respect to recent poor participation
20:55 thexyz PilzAdam: what's the point for "outsider" to know the port server is running on?
20:56 celeron55_ what's the point for "outsider" to know the address the server is running on?
20:56 PilzAdam actually thats a good question :-)
20:56 thexyz celeron55_: to distinguish servers
20:57 celeron55_ but the original question was about name and port, not address and port
20:58 celeron55_ name and port doesn't make any sense
20:58 proller name and port - its bug, address and :30000 - its imperfection
20:58 thexyz oh
20:59 thexyz yes, lol
20:59 sapier1 I wonder why discussion always starts after I "fixed" it ... no matter how long I wait to fix it
21:00 thexyz showing names without addresses isn't a good idea either
21:01 PilzAdam thexyz, in the list in the client only the name is shown (due to limited space), but you can see the address by clicking on it once
21:01 proller address shown in lower input
21:01 sapier1 you always will see address and port below ... at least if you don't happen to run into doubleclick bug
21:02 thexyz I mean, it's insecure
21:02 thexyz I can fake a name and steal passwords
21:03 PilzAdam only the hashes
21:03 thexyz but I guess there's no much we can do about it
21:03 thexyz PilzAdam: well, yeah
21:03 sapier1 if you really want to be safe we'd need to implement certificate check for servers
21:03 PilzAdam then, after 30 days of bruteforcing you get the password from a random user to a Minetest server
21:03 PilzAdam thats totally worth it!
21:04 thexyz well yeah
21:04 thexyz or you can just use it to login to the server
21:04 thexyz and kill everybody
21:04 sapier1 considering most ppl dualuse passwords it might be useful ... but I guess there are much more common attack vectors than minetest atm
21:04 thexyz true, that's another problem
21:05 sapier1 I think thexyz is right
21:05 sapier1 what about showing name entries in different color?
21:05 PilzAdam can you use the same hash all the time?
21:06 thexyz PilzAdam: hm?
21:06 PilzAdam nvm
21:06 celeron55_ well hashing is currently just player name + password; it's very vulnerable to mimicking a server
21:06 sapier1 does someone want to add a simple challenge response mechanism?
21:06 celeron55_ although if you just run a good GPU password cracking software on the name+password pairs, you're going to find out practically all of them in no time anyway
21:07 Exio4 what shaXXX was used?
21:07 Exio4 256?
21:07 celeron55_ Exio4: doesn't matter
21:07 Exio4 yeah, i know
21:07 Exio4 i just wonder what one, but don't want to look at the code ;P
21:07 celeron55_ if there was a challenge+response thing, then at least the attacker would need to listen to the communication when it happens
21:07 celeron55_ on a server not his own
21:07 celeron55_ actually
21:08 celeron55_ wait, wha
21:08 thexyz why not salt everything?
21:08 celeron55_ a challenge+response doesn't actually do any good in this case
21:09 celeron55_ if somebody sets up a server that looks like something else and a user logs in there, the challenge can be just set up so that they have easy time breaking the hashes
21:09 PilzAdam we have to keep in mind that this is a game, not a browser or OS
21:09 sapier1 sure? e.g. server sends some random code to client
21:09 sapier1 client adds his pwd hash and hashes again
21:09 thexyz oh we can't salt it
21:09 celeron55_ sapier1: an attacking server?
21:09 sapier1 same thing is done on server
21:09 celeron55_ for sure 8D
21:09 thexyz how sad
21:09 celeron55_ sapier1: an attacking server will just send whatever it wants
21:09 sapier1 attacking server doesn't have the real password hash
21:10 celeron55_ as i said, cracking any hash that doesn't contain unknown random data is very easy
21:10 celeron55_ and the server must know all the random data in whatever the client sends to it
21:10 celeron55_ because otherwise it wouldn't make any sense
21:11 sapier1 yes but hash does contain random unknown data
21:11 sapier1 hash (challenge + (user_pwd_hash)
21:11 celeron55_ ...
21:11 PilzAdam why doesnt the server send some random salt to the client at first connection, and both remember the salt for every following connection?
21:11 sapier1 yes it's still simple
21:11 celeron55_ sapier1: challenge is from server -> server knows it
21:11 celeron55_ server is the attacker
21:11 celeron55_ use your brain for a bit, please
21:11 sapier1 yes but server does only know a part ... true that'll make it more easy
21:12 celeron55_ it knows the part that you are adding to the current one
21:12 sapier1 and hash again after adding
21:13 celeron55_ PilzAdam: that would work in setting up trust between a server and an existing client, but setting up the storage for those is a bit of work
21:13 thexyz > you're going to find out practically all of them in no time anyway | i'm not sure if that's true
21:14 sapier1 and you can't login from another client ever
21:14 celeron55_ PilzAdam: also, how would it be handled if a same server loses the data, or the client loses the data?
21:14 PilzAdam celeron55_, the server could just store it in auth.txt, but the client would need an auth.txt with something like "server:salt"
21:14 PilzAdam oh yea, it would require to use the same client to connect to a server
21:14 celeron55_ it'd need a dialog telling the user "this could be a spoofing attack" and users would get it often enough for them to always just click "continue anyway"
21:15 thexyz well have you decided what're we protecting from?
21:15 sapier1 I strongly suggest using certificates if we really want a strong authentication
21:15 celeron55_ thexyz: good question 8)
21:15 celeron55_ sapier1: certificates are useless
21:15 celeron55_ sapier1: what you mean is some kind of public key cryptography, probably
21:16 sapier1 that's why any good vpn uses it I know ;-) ... of course establishing trust first time is still an issue
21:16 celeron55_ but even doing it as securely as, say, SSH does, it still has the same problem as PilzAdam's suggestion
21:16 sapier1 of course combining it to e.g. ssl encryption will help even more
21:17 sapier1 yes problem is we'd need a pki ... we'd need it for modstore too
21:17 sapier1 so maybe this is at least a long term goal
21:17 celeron55_ i wouldn't want to set up any kind of "minetest certificate authority"
21:18 celeron55_ it's too central
21:18 sapier1 of course not a single one but maybe like browser add some sort of keyring
21:19 celeron55_ ........i seriously hope there would be some small and good cross-platform library for this
21:19 celeron55_ sadly there probably isn't
21:20 sapier1 the only trustworthy one I know is openssl .. but it's far from small
21:20 celeron55_ and far from convenient in a cross-platform situation
21:21 sapier1 yes windows isn't very well supported
21:22 thexyz we have keys for minetest forums
21:22 celeron55_ they're sitting on their high and large UNIX thrones thinking they're better than anything else
21:22 sapier1 imho only two solutions are useful adding some randomness to password hash on login and live with it still being unsafe ... or add a full blown safe solution
21:23 thexyz alright, so what're we protecting from?
21:23 sapier1 userpassword
21:24 PilzAdam thexyz, our own paranoia ;-)
21:24 thexyz 1) evil server logins to trusted server using provided credentials or 2) trusted server knows user's password
21:24 celeron55_ thexyz: you pretty much binged up this whole discussion by noting that servers can't be trusted
21:24 sapier1 considering nsa behaviour none of us was paranoid enough ... not even myself
21:24 celeron55_ +r
21:24 thexyz I personally am fine with 2nd
21:25 thexyz but we can't do 1st without it
21:25 proller some users use 1 char passwords
21:25 celeron55_ i generally use very bad passwords in minetest because it's not worth it to use better ones
21:27 proller most of users too
21:27 sapier1 so maybe we don't have an issue at all?
21:28 proller its not paypal 8)
21:28 PilzAdam we have to keep in mind that this is a game, not a browser or OS
21:28 celeron55_ i think a better use of resources would be to make it possible for moderators to revert any damage done to players
21:29 sapier1 PilzAdam that's not an excuse but maybe if we'd added some note e.g. on download to warn users ... WE know passwords aren't safe but first time users may not
21:29 celeron55_ add a tooltip to the menu when typing password
21:30 sapier1 you're funny ;-)
21:30 sapier1 no tooltips in formspec atm ;-)
21:30 celeron55_ well just hardcode any password field to do that 8)
21:31 sapier1 I guess that's thexy's task he started the discussion :-)
21:31 celeron55_ i'm ok with that 8)
21:32 thexyz i just asked you to show server address
21:32 sapier1 what about my suggestion to at least use different colors for name and ip entries?
21:32 thexyz s/show/make it show/
21:33 PilzAdam thexyz, the address is already shown if you click on it once
21:33 thexyz uh
21:33 thexyz whatever
21:48 kahrl wait, what was the challenge response discussion about
21:49 kahrl the server can dictate the challenge? well, that's easy to solve: let the client choose half of the challenge
21:49 nalkri Or send mutual challenges
21:49 kahrl nalkri: yeah, basically the same
21:50 nalkri Just thought I should say it for completeness :)
21:51 kahrl https://en.wikipedia.org/wiki/Challenge-response_authentication#Simple_Example_mutual_authentication_sequence
21:55 kahrl though, the problem with any (?) challenge response protocol is that it is incompatible to minetest's system of registering user+password on the first login to a server