Time Nick Message
01:21 luizrpgluiz hi
01:25 rubenwardy lol
01:59 paramat this is not the channel for 'hi' :) dev talk only
07:30 ANAND Should #7557 introduce another protocol bump?
07:30 ShadowBot https://github.com/minetest/minetest/issues/7557 -- Expose player FOV to Lua API by ClobberXD
07:30 ANAND Backwards compat is retained; no existing packets are modified, and only a new one is added
08:00 nerzhul if you are on 5.0.0 branch it's not important
11:13 nerzhul merging #7279
11:13 ShadowBot https://github.com/minetest/minetest/issues/7279 -- Replace auth.txt with SQLite auth database by bendeutsch
11:13 nerzhul finally we got it
11:14 nerzhul when i get time i will add the postgresql backend :)
11:14 nerzhul and finally we will have shared auth in server networks
11:39 rubenwardy Argh, the server sandbox is so insecure
11:49 nerzhul rubenwardy, it doesn't seems to be waited by server owners, they are focused on CSM security not their servers :p
11:49 rubenwardy :'(
11:50 rubenwardy Well, I'll need to fix it to readd require. But there is a different standard of security needed for server mods and client scripts
11:53 nerzhul yes
13:27 rubenwardy #7621
13:27 ShadowBot https://github.com/minetest/minetest/issues/7621 -- Add secure require() function by rubenwardy
13:29 sfan5 a description would be nice because i have no idea what this is or why it should be added
13:30 sfan5 also why should builtin libraries (string, table, ...) be protected from modification?
13:32 rubenwardy done
13:32 rubenwardy and remove
13:33 rubenwardy those changes shouldn't have been there
13:33 rubenwardy the issue is that you could affect unsandboxed Lua libraries by modifying string/table/etc, by making them do bad stuff
13:34 rubenwardy for example, a secure mod or lib could do this: os.execute(("path/to/exe %s %d"):format(a, b)) which is a vulnerability
13:34 rubenwardy however I'll leave that to a later PR
13:34 rubenwardy or not at all
13:34 sfan5 hm, right
13:35 rubenwardy the same applies to `minetest`, but it's less practical to avoid modifications there
13:36 rubenwardy it would be nice to give each mod its own environment. This wouldn't actually break too many things providing that mods don't rely on globals exported by another mod which is not the name of the mod
13:36 rubenwardy but, low priority
13:36 rubenwardy it also wouldn't help too much, there's loads of ways of escaping environments :(
13:37 rubenwardy also, that PR has MIT licensed code from the Lua library. MIT is (L)GPL compatible, but you still need to keep copyright licenses
13:37 rubenwardy not sure how to handle that
13:59 rubenwardy I wonder if animations could be done efficiently with shaders in mt
13:59 rubenwardy wait
14:00 rubenwardy #6820
14:00 ShadowBot https://github.com/minetest/minetest/issues/6820 -- [Concept] Smooth shader-based animation by numberZero
14:09 rubenwardy another cool thing about that PR is you could do require("mymod.api") instead of dofile(minetest.get_modpath("mymod") .. "/api.lua")
14:09 rubenwardy with some modifications, ie: adding mod dirs to package.path
14:09 rubenwardy oh noes, potential vulnerability
14:11 Krock rubenwardy: see CSM mod loading. dofile("modname:filename.lua"
14:11 Krock )
14:11 sfan5 https://github.com/minetest/minetest/blob/master/src/script/lua_api/l_server.cpp#L492
14:11 rubenwardy https://github.com/minetest/minetest/pull/7621#issuecomment-410522839
14:11 sfan5 why is this a no-op, I feel like this is not correct
14:13 Krock unless builtin localizes that function, it could be used for exploits in mods that rely on get_last_run_mod for security
14:13 rubenwardy huh?
14:14 sfan5 Krock: indeed, but then why do we even have this
14:14 rubenwardy I think that's to show which mod was running when an OOM happens
14:14 rubenwardy added by hmmmm
14:14 Krock yet another left-over from the Lua API dinosaur state
14:14 rubenwardy or generally which mod was running when a crash happens
14:14 Krock rubenwardy: but it's not helpful when it depends on a define
14:15 rubenwardy wait
14:15 rubenwardy oh right
14:15 rubenwardy strange
14:15 Krock and is a stack backtrace not possible there?
14:15 rubenwardy OOM causes an unravel, losing the backtrace
14:15 rubenwardy iirc
14:15 Krock hmm.. maybe the Lua instance already became unusable as soon the error occurred
14:16 rubenwardy what's the better term than unravel?
14:17 sfan5 so basically, minetest has no idea at all which mod is running during e.g. a callback
14:17 sfan5 a callback registered by builtin will not have the privileges builtin usually has (that is: being able to write everywhere on the fs)
14:17 Krock yes, but as long Lua doesn't panic or throw an OOM, it's possible to figure that out by a stack backtrace
14:18 rubenwardy does builtin actually have elated privileges?
14:18 rubenwardy my tests show otherwise
14:18 sfan5 this is actually a good thing because it would've been another possibility of bypassing script security
14:18 sfan5 but still strange how this is leftover and essentially a no-op
14:18 rubenwardy unless there's some insecure env in a local
14:18 sfan5 rubenwardy: https://github.com/minetest/minetest/blob/master/src/script/cpp_api/s_security.cpp#L529
14:19 rubenwardy oh, gross
14:19 rubenwardy although, this guarantees it only happens at load time, right?
14:19 rubenwardy which means less chance of the insecure env table leaking
14:19 sfan5 these privileges only apply at load time yes
14:20 rubenwardy why are they needed?
14:20 sfan5 ¯\_(ツ)_/¯
14:20 rubenwardy lol
14:20 rubenwardy great
14:21 rubenwardy how about we remove Lua support and replace it with something secure, like JavaScript
14:22 sfan5 2/10 I chuckled
14:22 rubenwardy https://i.imgur.com/jWr67J8.png?1
14:23 Krock well, we have an issue for that :)
14:23 Krock most likely it's already closed
14:24 Krock also, builtin also needs to write to client/*, which might be the reason why simply all actions are allowed
14:24 Krock also deleting games/*, mods/* and textures/*
14:25 rubenwardy the main menu is completely unsandboxed though
14:26 rubenwardy so the elevated privileges only applies to server-side and client-side at load time
14:26 rubenwardy writing to client may be why
14:26 rubenwardy feels strange
14:36 Krock attached entities are weird. Tried to use that hat mod on the local player and in some cases the hat was glues onto the head (ok), and in the other it was behind by a server step (not ok)
14:36 Krock *was glued
14:37 Krock maybe the client didn't get the attachment packet and so it relies on the server sent data
14:38 rubenwardy ew
14:39 rubenwardy any chance of some love for #7469? ;)
14:39 ShadowBot https://github.com/minetest/minetest/issues/7469 -- Formspecs: Add tooltip element for area by rubenwardy
14:40 Krock rubenwardy: are the new changes tested?
14:40 rubenwardy yes
14:40 rubenwardy both with buttons and the new form
14:40 Krock tbh I thought this was already merged last night
14:40 rubenwardy I'll quickly double check
14:41 rubenwardy it's not trivial ;)
14:43 rubenwardy cool, will merge in ~10
14:55 rubenwardy > MFW when clang-format passes first time
14:55 rubenwardy also, done
15:23 rubenwardy what's the easiest way to move all changes to a file in HEAD~1 to the commit HEAD?
15:23 rubenwardy git reset --soft? :'(
15:25 Krock git reset -i HEAD~(n+1) and then specify what to do with the commits
15:25 Krock well, per-file isn't possible there
15:30 rubenwardy done
15:30 rubenwardy thanks#
15:36 Krock !next
15:36 ShadowBot Another satisfied customer. Next!
15:40 rubenwardy wondering what the best way to do --crash-on-failed-tests would be
15:41 rubenwardy argh
15:41 rubenwardy especially as tests may not all be done by load time
15:42 rubenwardy and os.exit isn't in the sandbox
15:50 rubenwardy wait
15:50 rubenwardy throwing a Lua error would cause a return of 1
16:03 rubenwardy argh, rebasing is such fun
16:20 paramat i closed the auth.txt blocker issues. remaining blockers are https://github.com/minetest/minetest/issues?q=is%3Aopen+is%3Aissue+label%3ABlocker please add any missing blockers for 5.0.0
16:21 rubenwardy argh
16:21 paramat some issues labelled with the 5.0.0 milestone may need adding to blockers
16:21 rubenwardy why does the command line of MT perpetually suck
16:25 paramat oh and some android issues may deserve blocker if they're really bad
16:26 rubenwardy mkdir -p worlds/test && echo -e "gameid = minimal\nbackend = dummy" > worlds/test/world.mt && ./bin/minetest --worldname test --gameid minimal --name test --address '' --go
16:26 rubenwardy ew
16:26 rubenwardy there also doesn't appear to be a way to start a singleplayer game from the command line
16:27 rubenwardy also, in full mode there it doesn't return 1. Only does that in server mode :'(
16:28 rubenwardy the aim of this is to add a travis check that starts up a server and connects a headless client (null video driver)
16:31 rubenwardy sorry for the spam
16:31 rubenwardy time for Rimworld now
17:08 paramat it looks like the most urgent work for 5.0.0 now is those mysterious crashes
17:12 paramat android still seems to have many issues but meh .. at least controls are done, i feel android issues shouldn't delay 5.0.0 release otherwise we'll never release
17:28 Krock Well, in the last few weeks I couldn't reproduce another one
17:28 Krock still wonder how they were arised
17:33 paramat i've asked our android usrs to check the open issues
17:33 paramat *users
17:34 paramat game#2184 works just not sure if implementation is optimal
17:34 ShadowBot https://github.com/minetest/minetest_game/issues/2184 -- Player_api: Give laying players a low selection/collisionbox by paramat
17:34 paramat i'll check your vehicle fix PR
19:19 rubenwardy Would people prefer that the library required by the testing PR be bundled with Minetest, or downloaded as part of CMake?
19:19 rubenwardy cmake allows you to download and extract files
19:19 rubenwardy s/files/zips
19:20 rubenwardy the former makes more sense to me, and is more reliable
19:20 rubenwardy the latter makes updating it easier
19:20 rubenwardy but heh
20:08 paramat Krock #7610 tests ok but i have a question in a line comment
20:08 ShadowBot https://github.com/minetest/minetest/issues/7610 -- Prevent from colliding with own children by SmallJoker
20:10 paramat apart from that +1
20:17 Krock comments addressed. thanks for reviewing
20:17 paramat ok fine +1
20:18 paramat will merge in 5 mins
20:18 Krock hah yes.. other people might looks suspicious to the police by googling "How to destroy children as parent"
20:18 Krock (programming context)
20:20 Krock That collision distance issue might also be the reason for such a poor collision detection performance when there are some objects around
20:22 paramat the adding of 1.5 nodes of tolerance was necessary
20:22 paramat ?
20:23 paramat well anyway, merging
20:24 Krock yes, to ensure that larger collision boxes work about the same as before
20:29 paramat merged, excellent
22:16 rubenwardy merging trivial bug fix ~10 minutes https://github.com/rubenwardy/minetest/commit/8d68b2cd210fea3cd852c648464c8bdd9cac02a7
22:16 rubenwardy !title
22:16 ShadowBot Fix debug and info text being the wrong color · rubenwardy/minetest@8d68b2c · GitHub
22:21 paramat good
22:35 rubenwardy ooops
22:35 rubenwardy merging now
22:35 rubenwardy done