Time Nick Message
03:13 hmmmm oh jesus christ
03:13 hmmmm adding /Wall to msvc builds was a huge mistake
03:13 hmmmm i'm surprised nobody complained about this recently
03:14 VanessaE define "complained"
03:14 VanessaE and what harm is it besides tons of warnings?
03:16 hmmmm the tons of warnings is the harm
03:16 hmmmm there were ~510000 warnings, almost 99% of them from the included windows headers
03:16 VanessaE well considering that "to....
03:16 VanessaE holy fuck
03:17 VanessaE ok I take back what I was about to say :P
03:17 hmmmm warnings are useless unless they're actually noteworthy issues
03:17 hmmmm what i expected: something like gcc's -Wall
03:17 hmmmm what i got: oh my god stopstopstopstop
03:18 exio4 well, you expected something that is useful from microsoft
03:21 VanessaE lol
03:22 VanessaE well what I was gonna say was, "tons of warnings" (were they legit that is) could explain why Wayward_One has hanging problems with MT now, as well as MichaelEh's weird crashing problem
03:23 VanessaE (where there's a warning, there's code not precisely to C/C++ standard, which of course can lead to bugs, blah blah blah)
06:33 hmmmm did the formspec_escape issue ever get fixed?
06:33 hmmmm it seems like all backslashes are missing from strings displayed in formspecs
06:46 est31 #2225 ready to go, no feature changed, so even within freeze?
06:46 ShadowBot https://github.com/minetest/minetest/issues/2225 -- Fixes for minetest.get_(all_)craft_recipe(s) by gregorycu
06:46 hmmmm sure, but it needs to be reviewed first
07:41 kahrl hmmmm, yes, 77e20a0c21
07:42 kahrl backslashes work for me (on linux)
08:05 hmmmm it's broken on current HEAD windows
08:09 hmmmm lol... somehow when compiled with msvc, minetest.exe exports lua functions
08:10 hmmmm oh that makes sense, that's from the embedded lua
08:14 kahrl seems strange that they are marked declspec(dllexport) if lua is compiled as a static lib
08:17 kahrl hmmmm: re the last commit, shouldn't there are be a "bin\\Semidebug"?
08:17 kahrl s/are/also
08:18 hmmmm maybe, i'm not sure if cmake build types map over like that
08:18 kahrl oh ok
08:18 hmmmm well sorta
08:18 hmmmm I must have added semidebug wrong somehow because it doesn't show up in the batch build dialog for the generated MSVC solution
08:19 hmmmm but yeah there is RelWithDebInfo and MinSizeRel
08:23 kahrl dunno, the solution generator might just have hardcoded build types
09:00 hmmmm ah nevermind
09:01 hmmmm the path needs to be escaped for the build info that shows up on the left of the pause menu
11:43 gregorycu Do we have any blockers I can look at for the release?
13:16 gregorycu There are more pull requests than bugs
13:16 gregorycu I'm not sure what that means
13:36 gregorycu Hello PilzAdam
13:36 gregorycu Do you think dead players should take damage?
13:36 Wayward_One gregorycu: maybe we're gaining ground against the bugs? o.O
13:36 gregorycu We only gain ground if PRs are merged
13:37 Wayward_One oh... true
13:37 gregorycu The longer a PR sits, the more chance it will need a rebase before merge, the more chance it will never get merged
13:38 PilzAdam gregorycu, it should be up to mods / games
13:38 gregorycu The reason I ask about dead players is that #81 becomes trivial to fix if we don't damage already-dead players
13:38 ShadowBot https://github.com/minetest/minetest/issues/81 -- dying on lava causes repeated death, if respawn location isnt quickly updated
13:39 PilzAdam (damage handling in general, that is)
13:39 gregorycu I see
13:39 gregorycu Once you're dead though...
13:40 gregorycu That respawn window pops up... Is there any coming back from that?
13:42 gregorycu I gotta sleep in 5 minutes, so yeah
13:47 twoelk gregorycu: iirc the issue was important on connection lag with remote servers
13:47 gregorycu Yes
13:47 gregorycu The reason that is, is because the client continually sends "I got damaged"
13:48 gregorycu Eventually the client sends "I want to respawn"
13:48 twoelk you die, respawn at place of death and before you are teleported to spawn you die again
13:48 gregorycu No, that's not accurate
13:48 nrzkt +1
13:48 twoelk maybe not anymore
13:48 gregorycu Yeah
13:49 twoelk maybe the issue has been resolved by some opther fix or change
13:49 gregorycu Basically, the issue happens when you have an "I want to respawn" message in-flight, and you send "I got damaged" behind it
13:49 twoelk -p
13:49 twoelk same effect
13:49 twoelk doa
13:49 gregorycu Eventually the server processes the "I want to respawn" and then it processes all the buffered "I got damaged" messages behind it
13:49 gregorycu Well, simply by rearranging the setHP and respawn will do nothing
13:50 twoelk never looked into it, just remember the things happening
13:50 gregorycu You need to stop the "I got damaged" messages, or rather have a concept of "life id"
13:50 gregorycu Where previous lifes messages get dropped
13:50 twoelk it was rather annoying with some version of adventuretest iirc
13:51 gregorycu Yeah, I really want to fix this, the oldest bug
13:51 twoelk you kept losing the inventory that way
13:51 gregorycu I have a very simple 2 line fix
13:51 gregorycu But it involves not continually getting damaged after death... Which mods may use
13:52 twoelk so death blocks messaeges that come in after death ?
13:52 twoelk gah -a
13:53 gregorycu I don't know what you mean
13:53 gregorycu Damage messages happen, even after death
13:53 gregorycu If you sit in lava for 10 years, for 10 years you will get damaged
13:53 gregorycu 4 units of health a second
13:54 gregorycu You can't hook player damage, so I'm not sure how mods use it
13:54 twoelk hm, maybe not good for the gameplay
13:54 gregorycu I was hoping to have a chat with PilzAdam but he has gone away
13:55 twoelk yeah, he's not much for talking lately, University seems to take its toll
13:55 gregorycu Been there, not fun
13:56 twoelk University? I actually miss the place, sort of
13:56 gregorycu I think the best way is I submit a PR, and the convo can happen there at peoples convenience
13:56 gregorycu Yeah, I did a double degree, twice the fun as a regular degree
13:56 gregorycu But that was 4 years ago
13:58 twoelk thinking of it, I guess I miss the being at the hub of information. Now I live in a more rural place, where even the next library worth such a name is a little off
13:58 gregorycu What's a library?
13:59 twoelk at university, there was always interesting events or there were people I could ask for help. I guess I would be totally lost today if I had no internet
13:59 gregorycu Just don't need help :)
14:00 twoelk can't be expert in everything and the advance in technology is at a breathtaking pace anyways
14:01 gregorycu Sure you can :)
14:01 gregorycu And if not, fake it till you make it
14:02 twoelk I work in the civil engineering sector and I really do wish I was closer to some testing institute with all them new materials
14:03 gregorycu What type of civil engineering?
14:03 twoelk and faking knowledge must be carefully dosed or it may cost lives
14:04 twoelk designing, building and installing smoke and heat extracting devices
14:04 twoelk so if I blunder, people die
14:05 gregorycu I know how you feel
14:05 gregorycu If I blunder, a lot of rich people lose money
14:05 kilbith you should move in private for pure offtopic like that guys...
14:06 gregorycu Sorry, I'll shutup now
14:06 twoelk sooooo on death I think nothing should affect the player until a respawn has been confirmed
14:07 gregorycu I think so too, but people have commented otherwise
14:07 twoelk and on respawn I don't think a shitload of damage acquired while he couldn't move should be dumped on him
14:07 gregorycu I'll submit a PR, see what is said
14:08 gregorycu The problem is the server doesn't know
14:08 gregorycu And it can't know reliably
14:08 twoelk that's why I said confirmed, although I have not spent a thought on how that should work ;-P
14:12 gregorycu Life sequence number
14:12 gregorycu But yeah, easy fix is the no damage while dead
14:14 DFeniks should all accumulated drowning damage be dumped on player if server been busy or network problem? it is problem in moontest because vacuum is drownable , and player gets breath by lua code that is executed by server
14:15 gregorycu This only affects clients that have died
14:15 gregorycu This particular bug
14:15 twoelk ^the real server life example needed for a functional test :)
14:15 gregorycu This issue is different
14:16 gregorycu Because this is about the server keeping you alive, as opposed to not killing you after respawning
14:16 twoelk ? disconnected clients? am I missing something?
14:16 gregorycu DFeniks is referring to a mod where you take damage locally, but the server gives you health (effectively)
14:17 twoelk I think the issue is you collect damage while in the limbo
14:17 gregorycu So when the server lags, you don't get enough health to keep you alive, and you die
14:18 gregorycu The issue is that you collect damage between clicking respawn, and respawning
14:18 twoelk er, no, you die and when you respawn you have less hp because you took more damage before respawning
14:18 gregorycu Urgh, two issues here
14:19 twoelk oops, wait got to read what was said, might be misinterpreting
14:19 DFeniks im not sure if i should comment on this . but i wonder if idea to take damage locally is that good idea
14:19 gregorycu It is probably not a good idea
14:19 DFeniks also having hardcoded health and breath values
14:19 gregorycu But it's the way it is, so in the short term I want to get this bug fixed
14:21 twoelk it is because it is part of predicting otherwise strange behaviour when lagging, or not as reality tends to catch up with a surprise, whatever, don't know, ... guess -no lag- is the solution to everything, the rest is up to 42
14:24 gregorycu Yeah... *sigh*
14:26 twoelk actually could a priority flag be attached to certain things in the communication queue?
14:27 twoelk death is more important than say growth of a sapling nearby
14:27 gregorycu Doesn't fix the issue though
14:27 gregorycu (Probably makes for better perf)
14:28 gregorycu It's possible the com queue is handled from a different thread from the ABMs
14:29 * twoelk confesses to know absolutely nothing about details of the communication between client and server
14:31 gregorycu It's only fleeting knowledge for me
14:31 gregorycu I'm just trying to fix as many perf issues and bugs as possible
14:31 twoelk hm that spelling did look a little short for a thing that can get pretty endless :D
14:32 gregorycu #2244 and #2245
14:32 ShadowBot https://github.com/minetest/minetest/issues/2244 -- Fix rebase bug, make render loop use cache setting by gregorycu
14:32 ShadowBot https://github.com/minetest/minetest/issues/2245 -- Fix dying of lava causes repeated death by gregorycu
14:35 twoelk so kicking a dead body should be useless :)
14:35 gregorycu Just like in real life
14:35 gregorycu I mean... err...
14:35 gregorycu Goodnight twoelk
14:36 twoelk bye - hm already gone
15:09 vitaminx hi everyone, i'd like to speak privately to a developer who has knowledge about player account hacking
15:09 vitaminx or at least knows how minetest does authorization
15:10 vitaminx i have some strange activity going on on my server and would like to know the opinion of someone who's experienced
15:13 vitaminx with authorization i mean authentication ,sry
15:14 hmmmm can you just as your damn question
15:15 hmmmm ask*. sorry for that but it's violating the golden rule of don't ask to ask just ask
15:16 sofar hmmmm: you missed his first 2 lines of chat
15:16 shadowzone hmmmm: he has been having people join his server and exploit some sort of hack and extract and possibly send them anywhere. So he was wondering if there was someone who knew about authentication to help him.
15:16 sofar hi everyone, i'd like to speak privately to a developer who has knowledge about player account hacking / or at least knows how minetest does authorization
15:16 hmmmm there is no need to speak privately about that
15:16 hmmmm minetest is open source
15:17 vitaminx yes, because I'd like to provide server logs which contain some sensitive info
15:17 vitaminx like account names / passwords
15:17 hmmmm server logs are a different matter
15:17 vitaminx chat logs
15:17 sofar I'm pretty sure minetest just passes credentials over the network in decodable format
15:17 hmmmm typically PMing each other isn't welcome because it's not in the channel logs and annoying
15:18 vitaminx ok ok
15:18 vitaminx one moment then
15:18 hmmmm yea... the whole conversation doesn't need to be private
15:18 hmmmm but chances are i won't even need your server logs to answer the question
15:18 hmmmm so like i said... just ask
15:20 vitaminx ok, so in public then - i've uploaded a conversation here: CHAT: someone was on my accont
15:20 vitaminx CHAT: they where just on
15:20 vitaminx CHAT: HELP NO SOMEONE HACKED MY ACCOUNT I AM DATEING JOHNSEN
15:20 vitaminx CHAT: wtf someone hacked my account
15:20 vitaminx CHAT: ?
15:20 vitaminx ehm sorry about that :(
15:20 hmmmm if you're pasting over 3 lines of text, please use a paste site
15:20 vitaminx copy paste fail
15:21 hmmmm also is this a development topic even?
15:21 vitaminx well i'm turning to developers as #minetest nobody really knows
15:21 vitaminx http://pastebin.com/T6ez4a4D
15:22 vitaminx this is a conversation where someone apparently hacked player accounts, but i'm not 100% sure how he's doing it and how to protect
15:22 vitaminx and *where* the vulnerability is
15:23 shadowzone oh hail no!
15:23 shadowzone I recently granted her interact on MTZ-Basic.
15:24 hmmmm could you please translate that conversation to me...
15:24 vitaminx ok
15:24 hmmmm nevermind, summarize
15:24 vitaminx lets make it short
15:24 hmmmm in an intelligible manner
15:24 vitaminx magicman12 apparently has a way to retrieve passwords of accounts of his choice
15:25 shadowzone http://www.dtccom.net/about-dtc
15:25 shadowzone Just ban him
15:25 hmmmm did you create a new account with a strong password and ask him to get that account?
15:25 hmmmm (i.e. is it reproducible)
15:26 vitaminx he wasnt connected recently so i havent had the chance to talk to him
15:26 vitaminx i also dont want to ban him because i'd like to understand what happened
15:26 vitaminx if i ban him someone else will come one day and will do the same
15:27 hmmmm it's highly unlikely there's an issue with minetest itself
15:27 vitaminx he's talking about a D.T.C client
15:27 hmmmm are you sure your computer hasn't been compromised
15:27 vitaminx yes 100%
15:27 hmmmm right..
15:27 hmmmm nobody can be sure their computer hasn't been compromised
15:28 vitaminx as far as 100% goes at least, trust me I'm a profi admin ;)
15:28 hmmmm so yeah, what do the server logs say?
15:29 vitaminx nothing related
15:29 vitaminx as far as I understand what he's saying is that he pulls the passwords using the (modified?) client
15:29 vitaminx that would be strange because minetest is probably not storing hashes client-side
15:30 hmmmm soo
15:30 hmmmm I don't get it
15:30 vitaminx me neither
15:30 vitaminx thats why i asked if someone could read the chat logs
15:30 hmmmm if the server logs have nothing related, why were you going to show me them
15:30 hmmmm and why did you make a big stink about this being private
15:31 vitaminx because he mentions account names and the password he hacked in the chat logs - i just didnt want to put that public
15:31 vitaminx anyways it's xxxx'd out in pastebin now
15:31 hmmmm and you can delete the pastebin entry too
15:31 vitaminx yes, it auto-deletes in an hour
15:32 hmmmm the server was probably compromised and he has the password hashes which are then sent raw during authentication
15:33 hmmmm but the only way to be sure there's no problem is to log each authentication attempt
15:33 vitaminx ok yes, the minetest auth attempts are logged of course
15:34 vitaminx just need to grep them out, give me a sec
15:35 crazyR just a quick thought... check all your mods
15:36 sofar yeah, don't forget to audit for rogue mods
15:39 hmmmm well, it doesn't look like the packet sequence is enforced
15:40 hmmmm i'm probably wrong but theoretically someone can simply skip TOSERVER_INIT2 completely?
15:40 hmmmm ..thanks sapier
15:41 kilbith ^ nrzkt
15:41 hmmmm it's an initial guess
15:41 hmmmm vitaminx, what you're doing is basically saying, "help help, somebody on my server got haxed, here are some vague irrelevant details, i need a complete audit of the relevant authentication code"
15:42 vitaminx http://pastebin.com/cwBpv1AL
15:42 vitaminx -> chat + relevant auth attempts
15:43 vitaminx yes I'll certainly audit the mods as far as its feasible
15:43 hmmmm at the very most that tells us there weren't any failed attempts in between
15:44 hmmmm i'll have to take a better look at all this later
15:44 nrzkt in fact protocol is shit
15:44 nrzkt _INIT2 doesn't serve to anything :p
15:44 vitaminx sure, make sure you copy that snippet, cause it expires in an hour
15:45 nrzkt i'm rewriting all protocol to prevent those problem, and it's also a problem with using a pure UDP without any exchange between the client and the server to negotiate some hidden params
15:46 vitaminx and hmmm, i'm not coming here to cry for help - i could just ban the guy if necessary - I want to provide a good quality server, where security is just part of it - to help making minetest a bit better maybe
15:46 Krock let's use rot13 on all network data!
15:46 nrzkt vitaminx, approved
15:55 hmmmm well i don't know man
15:55 hmmmm the protocol isn't that great but it is what it is
15:55 hmmmm we inherited it
15:56 hmmmm this isn't going to get fixed
15:57 hmmmm it's too large of a code issue to do quickly and there's no evidence this wasn't a simple server compromise
15:57 nrzkt it's easy to bypass some things with this protocol.
15:58 hmmmm TOSERVER_INIT can't be skipped unless you want no username
15:58 hmmmm so that scenario isn't happening
15:59 hmmmm regardless, this complaint increased the priority of the authentication protocol overhaul
15:59 nrzkt i found a strange issue yesterday, bypassing credentials when disconnecting server and re-auth with another login
15:59 hmmmm this could be related
16:00 vitaminx hmmmm: as you said it, there can only be evidence of a server compromise, but not the opposite - my word on it doesnt count i guess? (ssh root + password logins disabled, i only use ssh-keys + server is minimal Debian install with only minetest port reachable from outside - no other ports open, etc.)
16:02 hmmmm of course your word doesn't count
16:02 hmmmm there's no way anybody can reasonably say with certainty they weren't compromised
16:03 nrzkt hmmmm, are you sure you're not compromised ?
16:03 vitaminx hmmmm: thats what i just said, so saying "it's too large of a code issue to do quickly and there's no evidence this wasn't a simple server compromise" makes no sense
16:04 vitaminx because no-one can prove you the opposite
16:04 hmmmm vitaminx: I'm saying it's something that can't be solved quickly
16:04 hmmmm so the best you can do is assume a compromise
16:05 vitaminx i'm sorry but no - the chat logs don't give any hint in that direction either
16:06 vitaminx everything points to some rogue client or protocol abuse
16:06 vitaminx but anyways, it's not my place to tell you something here i guess
16:06 vitaminx i'm not developing the game, basically just wanted to report an issue
16:19 hmmmm sorry
16:20 crazyR can i ask why the devs are so defensive on topics of security this is the second day of security related watering down.... maybe its just me misinterpreting i dont know
16:20 hmmmm i want to take a better look at this but I can't
16:20 twoelk vitaminx: I don't really understand the explanation in the server chat. It looks like he just logged onto the server folder. If so the part of copying the relevant files is missing. Are you blocking casual access to your server? Maybe build an index.html or whatever to catch unspecific calls to that folder and divert them to some page
16:20 hmmmm crazyR: not defensive, I know there is a huge problem with our auth
16:21 hmmmm but I can't magically find & fix a structural problem like that (if it is one) in a quick manner
16:21 * twoelk has a bad typing day of mega thick fingers
16:21 hmmmm especially when i have real life work
16:21 hmmmm I don't see how "everything points to a rogue client or protocol abuse"
16:22 crazyR hmmmm i understand that but no one is holding you personally responsible for the fix to be issued. again unless i missed something
16:25 hmmmm i'm not sure
16:25 Brains So... The dev says, "Nice incident there but there is no real proof of exactly what is going on so, other than increasing the priority of the already in discussion overhaul, it is probably best to treat it as a possible server compromise." (Address what you can and deal with what you can't, pretty straightforward.) How does that amount to watering down?
16:25 * Brains is paraphrasing, of course.
16:26 hmmmm it can always be a server compromise
16:26 hmmmm I could be compromised right now
16:26 Brains And there is seldom a downside to firming up your server's attack surface.
16:26 hmmmm my cpu could've been compromised 2 years ago when i bought it
16:27 hmmmm I do feel a sense of urgency from this issue
16:28 hmmmm in any case, I can't do anything more without vitaminx replicating the problem (having the attacker do the same thing again with a brand new account just created)
16:29 hmmmm bbl
16:31 crazyR brains: "it's too large of a code issue to do quickly and there's no evidence this wasn't a simple server compromise" that statement is the main part that i was referring too... when the bug/issue call it what you will was reported no asked for a quick solution. the fact that the devs know that the auth system isn't very good should actually be quite
16:31 crazyR concerning. but (and this is not directed at hmmmm) i always seem to find issues that on surface seem important being pushed to one side.
16:33 hmmmm it would be extremely concerning for any other type of project, but this is a video game where people (well, anybody reasonable) make their passwords "abcd1234" for the most part
16:33 Brains crazyR: Without evidence of what actually happened, you can't really expect much of any response. The conversation also happens to mention (by two separate people IIRC) that an overhaul is on the table.
16:34 hmmmm that's the reason why I'm not too concerned with the state of the authentication protocol, but others were making talk about improving it so I chimed in saying that if it's to be done, it's to be done the right way
16:35 hmmmm the hot option is currently switching to SRP
16:35 hmmmm I think est31 was working on it
16:35 hmmmm or me, I don't know
16:35 Brains crazyR: Oh, and, because it is required by custom in any discussion of open source software, patches accepted. (Mostly meant in an amusing manner)
16:36 hmmmm but we're in the middle of a release
16:36 hmmmm there are some blocking bugs that I need people get resolved first
16:37 Brains hmmmm: Is there a list of blocking bugs at the moment?
16:37 hmmmm in theory, it's the Issues list on github with the 'blocker' filter applied
16:37 hmmmm I think that only pops one item up that I have no idea of or any control over
16:38 vitaminx twoelk: by casual access you mean http access? there is no web server running on that machine
16:38 hmmmm also I haven't seen wayward_one around recently, I need him to try out a patch to see if it resolves his sp issues
16:38 hmmmm dammit I have RL stuff to do, stop dragging me into minetest land
16:39 twoelk was just a wild guess from what I made of the chat. It looked like he just pasted the IP somewhere
16:39 hmmmm ah the problem of remote work :(
16:39 vitaminx in any case, I can't do anything more without vitaminx replicating the problem -> ok i will try to do that, depends if the user connects again, i'll let you know if i find out more
16:39 crazyR as i said above no one expected you to say. damn.... this needs fixing right away lets stop everything we are doing.... he just wanted some clues as to what could be the issue so he could attempt to learn....
16:42 crazyR hmmmm also without sounding disrespectful if you have RL stuff to do why stay online here. disable notifications and let someone else deal with it :)
16:43 nrzkt i have RL stuff too, i go to highmaul mythic with my guild tonight :D
16:43 twoelk sounds like some mobile client and the only number in the main menu would be the IP number if I'm not missing something
16:44 Calinou what about IPv6?
16:44 Calinou and domain names
16:44 Calinou and localhost
16:45 Brains Calinou: We aren't talking about minetest proper but about somebody describing an exploit...
16:48 twoelk anyways a thing that should be ruled out would be if someone can get some sort of access to the folder of the server world without using the game client
16:48 twoelk if so all world files would be easy prey
16:50 vitaminx twoelk: there's only ssh listening on the server with latest Debian security patches, plain passwords disabled. to hack the server he would have to exploit latest openssh-server or my 4096bit ssh key
16:50 Brains Hmmm... Just noticed my world files are readable by everybody. Might have to change that later.
16:50 vitaminx i dont think that any of them is likely
16:53 twoelk vitaminx: have you tried accessing your own server folder with some browser or whatever to rule that out?
16:53 vitaminx here, try yourself: 108.161.138.137
16:54 twoelk :D
16:54 Brains nmap'ed it recently?
16:55 twoelk hehe, nope, not that easy, one point for you
16:55 vitaminx nmap says port 22 is open... noooooo :D
16:56 Brains It should say more than 22 since you have minetest running. =:P
16:56 nrzkt no
16:56 sfan5 i don't think nmap detects minetest
16:56 nrzkt because minetest uses UDP
16:56 sfan5 thats not the reason
16:56 sfan5 nmap can scan UDP
16:56 nrzkt and if you send a little packet protocol will drop it
16:57 vitaminx -sU
16:57 hmmmm guys, this isn't dev related
16:57 hmmmm please take it to #minetest instead
16:57 Brains Good point
16:58 sfan5 nrzkt: 30000/udp open|filtered unknown
16:58 vitaminx i guess i'm taking it home, i have to go, anyways thanks for looking at it
16:58 nrzkt open|filtered doesn't say nothing :)
16:58 vitaminx ;)
16:58 sfan5 nrzkt: it does because all other ports are "closed unknown
16:58 sfan5 "
16:59 nrzkt because there is no firewall and RST are answered
16:59 nrzkt sudo nmap -sU unix-experience.fr -PN -p 50000
16:59 sfan5 UDP does not have RSTs
16:59 nrzkt but UDP 50000 port isn't opened on my server
17:00 nrzkt and there is a firewall which block you packet and doesn't answer to it
17:00 nrzkt same for all closed UDP port on my server
17:00 sfan5 yeah, but vitaminx does not have a firewall so that matters
17:01 nrzkt your test doesn't mean there is something, it mean maybe something, or maybe not.
17:01 twoelk at least got a ping of 75ms and a message port 22 is closed
17:02 sfan5 nrzkt: i didn't say otherwise
17:05 vitaminx bye everyone
17:05 vitaminx \quit
17:05 vitaminx lol
17:14 oleastre Hi
17:15 oleastre Simple question: I'm playing with mapgen v5/7 and try to make growing trees using existing code in minetest_game. I currently register saplings as decoration and use set_gen_notify to post process the saplings and make them grow in place.
17:17 oleastre I'm searching for a better solution... And would try to implement function based decorations (like schematic one, but using lua defined function to place the content).
17:17 oleastre Before I dig into minetest code, does it seems interesting, should it be discussed here, in the forum or github issue ?
17:18 Calinou forum
17:20 oleastre ok, thx
17:34 Wayward_One hmmmm, right here
18:39 VanessaE [02-02 13:36] VanessaE: Here you go https://www.dropbox.com/s/ioxvo5w4jdcisat/volcano_world.tar.gz?dl=0
18:39 VanessaE ^^^^ he reproduced that entities-multiplying-out-of-nowhere bug that causes #1426
18:39 ShadowBot https://github.com/minetest/minetest/issues/1426 -- repeated errors trying to delete extraneous entities from a block ends in segfault
18:39 VanessaE without anything installed but default, creative, and a mod he's working on that does not create entities at all.
18:40 T4im did he say what backend he was using?
18:40 T4im db backend I mean
18:40 VanessaE no
18:41 VanessaE or rather, he reproduced the "suspiciously large number of objects" message, which amounts to the same thing anyway
19:46 est31 can anyone remove the unconfirmed label for #2222
19:46 ShadowBot https://github.com/minetest/minetest/issues/2222 -- minetest.get_craft_recipe occasionally returns wrong recipes
19:49 sapier not sure if this is really a bug for what I understood it just returns a different recipe with same output?
19:50 sapier if this is correct I'd consider it a missing feature but not a bug
19:50 T4im you request the default chest and get the locked chest as result
19:51 T4im i.e. it returns the recipe of a different output
19:52 T4im est31 already found out why though.. string matching gone too far
19:52 sapier oh sorry misread est31's explanation
19:53 T4im the unit test should already have been enough though :P
19:54 sapier well code doesn't show why it's wrong but only proves it is
19:54 T4im yes, confirms it ;)
19:55 T4im (just pointing out, because est31 asked about label removal, which might not be a bad idea, to avoid it being ignored to the soon™ release date, hehe)
19:58 sapier maybe I can even push a fix immediately
19:58 sapier if I'm right it's a one line fix
19:58 est31 Two line
19:59 est31 the other method get_all_craft_recipes has this behaviour too
20:01 T4im hmm didn't #2225 fix that too? not that you guys conflict there
20:01 ShadowBot https://github.com/minetest/minetest/issues/2225 -- Fixes for minetest.get_(all_)craft_recipe(s) by gregorycu
20:01 est31 2225 would also give a huge speed improvement
20:02 sapier possible but I don't wanna read all that text below there, shadowninja seems to have already checked it I'll let him merge it once he likes it ;-)
20:04 est31 That discussion was mostly about changing the API behaviour. We agreed on doing that in a later PR, with entirely new functions to not break mods
20:05 est31 and the comments following that discussion was me testing the patch and gregory fixing the PR
20:11 est31 ok getCraftRecipes is not affected by 2222, but I dont know why...
20:11 est31 yetr
20:11 est31 yet*
20:13 sapier https://gist.github.com/sapier/d715be2ba96c50d79a7a can you check this works? if yes I'm gonna push it
20:14 * est31 checking...
20:17 sapier est31 your patch adds a new chance for data inconsistency
20:17 est31 2225?
20:18 sapier hmm ok at least it's encapsulated within craft manager so it's as good as it can be
20:20 sapier crap ccraftdefmanager is one of those cpp only classes again ... I really wanna know what celeron wanted to do by making class declarations in cpp files ... well I guess it's been celeron
20:20 est31 I've only applied your gist for the getCraftRecipe method, and made both methods work.
20:21 est31 meaning that getCraftRecipes is still broken, but the lua wrapper accounts for that
20:21 est31 https://github.com/minetest/minetest/blob/70074800a207974a0c1383275186cefe6955f297/src/script/lua_api/l_craft.cpp#L408
20:22 est31 and the method getCraftRecipes isn't used elsewhere
20:23 est31 gonna check changing getCraftRecipes doesn't break anything
20:25 est31 no doesnt
20:26 est31 sapier: your gist is ok.
20:28 sapier ok I'm pushing the fix
20:28 sapier guess it's small enough to not count as feature change
20:30 sapier hmm no I'm gonna remove the second part, if some craftmanager used it for searching the new variant may fail
20:31 est31 k remove it. as I said, the lua wrapper removes the longer names already, so the second part doesnt change anything.
20:32 sapier yes no risk in feature freeze phase
20:33 est31 yea
20:35 est31 2225 would stable enough btw, but your approach is stabler.
20:36 est31 be*
20:37 sapier I think your approach is right too so keep bugging ppl so it's gonna be merged right after release
20:40 est31 btw not my PR...
20:41 sapier oh :-) sorry gregorycu
20:41 est31 fine then thanks
20:42 est31 :)
20:50 hmmmm sapier
20:50 hmmmm am I nuts or is a user able to logon by skipping TOSERVER_INIT?
20:51 hmmmm that is, the logon sequence is not enforced
20:51 sapier are you sure? :-)
20:53 hmmmm no, that's why I'm asking if I'm nuts
20:53 hmmmm i just took a cursory glance
20:53 sapier I'm not sure, I never tried this ... trying to read it from code now
20:53 hmmmm some guy came on earlier saying that a user hax3d his server by modifying a client
20:54 hmmmm I said the modification is most likely inserting the raw hashes he stole from the server which might've been compromised a different way
20:55 hmmmm oh that was fun... minetest server drama paired with incomprehensible chat logs is all that i need as a reminder that minetest is primarily used by 12 year olds
20:56 sapier I'm not exactly sure but you could be right
20:57 hmmmm but notice how the username is specified in that same packet
20:57 hmmmm so if a modified client really did skip that packet they wouldn't be able to specify which account to steal
20:58 sapier most likely not but we don't drop the client on inconsistent data, that's bad
20:59 sapier easiest way would be server.cpp 1644 ... at least if we consider protocol_version 0 to be invalid
21:02 T4im sapier: your fix seems to change something, but not really fix it.. I now get a silver ingot (moreores I think?) in the middle instead of a steel ingot for the default chest
21:03 sapier hmmmm: what do you think about dropping a peer if protocol version is 0?
21:03 hmmmm I have no qualms
21:04 sapier T4im: are you sure? the check in there did work fine
21:04 sapier and est31 told so too. maybe there's another recipe matching chest with a silver ingot in the middle?
21:04 T4im I think moreores adds those alternative metals for the locked chest recipes
21:04 T4im but I can double check
21:04 * est31 checks out origin master...
21:06 sapier the only thing my fix ensures is that the output recipe is a recipe for the requested output, if there's more than one recipe result will still be random
21:07 sapier well not exactly random, order of registration will define what is returned
21:07 est31 result will be the last added recipe
21:07 est31 yea
21:07 T4im yes, that's expected via doc
21:07 T4im but not that one gets a different output :)
21:07 T4im recipe for different output*
21:08 est31 T4im: which mods have you installed
21:08 est31 and which game
21:09 T4im default game, and that's a testing game.. but I'll just adapt quickly the unittest and run it with only moreores as mod to test if it still happens
21:09 T4im a testing world*
21:10 T4im well without moreores it even fails already
21:10 T4im in that case its still steel
21:10 est31 http://pastebin.com/hdSyunru
21:10 T4im moreores just adds another last_recipe then
21:11 est31 ^ with minimal development test
21:11 T4im well run the unit test in #2222 :)
21:11 ShadowBot https://github.com/minetest/minetest/issues/2222 -- minetest.get_craft_recipe occasionally returns wrong recipes
21:11 T4im that one is still failing in a vanilla _game
21:12 sapier just tried again, worksforme
21:13 T4im oops.. eh.. yea.. my fault.. disregard
21:13 sapier *smile* did you forget to rebuild? ;-)
21:13 T4im nearly
21:13 T4im seems I used a binary started before the recompile..
21:13 T4im run in the background.. forgot to close it
21:14 sapier well happens :-)
21:14 * T4im blushes
21:15 T4im thanks for the fix :)
21:16 sapier well it's not a big deal to fix it if it's already located that precise
21:26 est31 hmmmm so do we want to use srp after all? --> If we do, we need additional dependencies.
21:27 est31 I could set up some ed25519 - based ssh-like protocol however 21:27 hmmmm SRP is the best choice here 21:28 hmmmm it offers actual security without requiring encryption 21:28 hmmmm and as we know, encryption is useless without certainty of who you're talking to :) 21:29 est31 yes 21:29 est31 the ed25519 protocol would be without encryption too 21:30 est31 only the start messages would be encrypted 21:30 hmmmm well 21:31 hmmmm is it a zero-knowledge proof algorithm 21:31 hmmmm this is why I strongly support SRP 21:32 hmmmm if we have to store the cryptographic equivalent of passwords on the server, the scenario that happened this morning will undoubtably happen again 21:34 est31 what happened 21:35 hmmmm i don't know for sure, but the likely scenario is that a server hosting minetest was compromised, or somehow the account list was leaked 21:36 hmmmm and then the person doing that modified the minetest client to use the stolen hashes directly instead of hashing the password first 21:37 sapier hmmmm that's not gonna help for stolen password lists 21:38 sapier for what I understood it it'd only help to prevent someone claiming to be the server to get the password from client trying to join 21:38 hmmmm the reason that works is because the server doesn't actually know what the password is 21:39 T4im wait, minetest servers accept hashes? no cram? 21:40 sapier T4im: the warning not to use a valuable password for minetest is there for a reason ;-) 21:40 hmmmm sapier: http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Overview read that 21:40 T4im well anyway.. those hashes are broken in milliseconds anyway.. 21:41 T4im no kdf used it seems :/ no salt, no iterations.. just a simple digest :/ 21:44 hmmmm celeron designed the minetest protocol. 
:-) 21:44 sapier hmmmm still ifor what I understand this it's not a protection against hacked servers 21:44 est31 you cant protect against hacked servers 21:44 est31 if its hacked its hacked 21:44 sapier T4im: it's never been designed to be used in internet ;) 21:44 est31 no protocol can ensure that 21:44 T4im :D 21:45 T4im est31: you can make sure that it takes a few weeks or months to break it instead millisecons, so you have time changing your passwords 21:45 est31 The biggest problem is that the hash from the auth.txt can be used to authenticate to other servers where the user has the same password 21:45 sapier est31 I know but hmmmm used a hacked server as example where srp would help ... I don't think that's correct ;-) 21:45 celeron55 hashing passwords with plain sha1 was the simplest acceptable solution four years ago with a 15-person userbase 21:46 celeron55 it's actually kind of surprising it's still not causing a lot of issues 21:46 est31 It was reasonable back then. but now we need a better protocol 21:46 T4im that's because there's not much to gain, I think 21:46 est31 ^ 21:47 sapier T4im: exactly the most valuable thing you can gain from minetest is someone using a good password for it ... which is strongly discouraged 21:47 T4im the only ones that might abuse that are scriptkiddies and trolls... just because they figured out how 21:47 hmmmm right and it's very important that the protocol is done correctly this time around 21:48 T4im though.. you know.. I can imagine people trying it if they want to gain server access 21:48 T4im like.. actually there is something to gain 21:48 est31 has anyone found an srp implementation without additional dependencies? 21:48 celeron55 if you pull in a crypto library, make sure it's good either very minimal or if it's large, it has to be usable for most other future things 21:48 T4im imagine you get the admin account of someone with enough privileges to run lua via worldedit... 
21:48 sapier I'm completely with you hmmmm, yet without encryption there's still no protection against mim 21:48 T4im lua's os to quickly install a botnet client or bitcoin client or whatever 21:49 hmmmm there's no good encryption without trust 21:49 est31 yea and no sandboxing for lua 21:49 sapier hmmmm: of course you need both 21:49 hmmmm in any case, with SRP you effectively get a private/public key pair 21:49 hmmmm why not use that 21:49 est31 from the password 21:49 hmmmm but yeah, you're right I misread 21:49 est31 thats not very secure 21:49 T4im hmmmm: security is never absoloute.. thus any increase in security is valuable.. even if it means trustless encryption 21:49 sapier hmmmm: yes we could use srp in combination with encryption 21:49 hmmmm it can be used for negotiating 21:50 hmmmm the key 21:50 hmmmm symmetric key i mean 21:50 celeron55 note that in the future something else than passwords might be used for login 21:50 est31 ^ this 21:50 hmmmm I am a strong supporter of certificates but people didn't like that 21:50 est31 I'm for public key auth also for clients 21:50 celeron55 passwords are already kind of outdated technology, but there's no widely used alternative 21:51 est31 People want to log in from their desktop and from their smartphone. 21:51 celeron55 and they're a good fallback when you just don't care 21:51 hmmmm for websites I tend to use de-facto certificates by maxing out the possible enthropy in the password field and storing the logon in a secured file 21:51 est31 and when they visit their friends, they want to show them how cool MT is 21:52 est31 We can add certs as optional mechanism, and people caring about security can use that 21:52 est31 and secure the password based login with srp... 
21:53 hmmmm we can do a lot of stuff 21:53 hmmmm but honestly who has the time to 21:53 hmmmm :( 21:53 sapier question is is it worth the benefit 22:15 VanessaE I have to point something out about this whole password discussion: 22:15 VanessaE until you can also make it easy for users to *manage* their passwords, you've only solved about a quarter of the problem. 22:16 T4im certificates would help that.. in fact they would solve all but the "multiple clients on the same account" problem 22:16 VanessaE ("easy" being either the client saves the user's passwords in some manner, or copy&paste works on all platforms and all DE's, so that the user can use their own password manager e.g. KeePass or so) 22:17 sapier VanessaE: in digital world there's no solution for having both comfort AND security 22:17 T4im there's always the option to have neither :p 22:17 VanessaE and it is ALWAYS worth the benefit to have a good, secure protocol for authentication, even in "a fucking video game" because peoples' reputations are also at stake here, not just a bunch of constructions in some random server. 22:18 VanessaE sapier: then a balance must be struck. 22:18 sapier yet is it worth spending months of development time for it instead of fixing issues? 22:18 est31 for the saving, I've done a password manager. Although it has no GUI yet: https://forum.minetest.net/viewtopic.php?f=14&t=11116 22:18 sapier a password manager is almost useless for the "multiclient issue" 22:19 VanessaE sapier: no one's saying to spend months of dev time, especially on that - that's why I said to get Copy&paste working across the board. 22:19 sapier copy&paste doesn't even work on windows for all applications 22:20 VanessaE we're not talking "all applications" though 22:20 VanessaE we're talking about minetest. 22:20 VanessaE and then, mostly on non-Windows systems, as I understand it (I don't know how it behaves on Windows) 22:20 sapier exactly... 
which ain't running on one specified os but dozends 22:21 est31 sapier: the password manager does help. You only need to sync the stored passwords file, e.g. with dropbox (although that might be insecure) 22:21 VanessaE dozens? three. with let's see... three copy&paste methods by my count. 22:22 VanessaE (linux, BSD, Mac; X11 middle click, ctrl-c/ctrl-v, and whatever OS-X uses) 22:22 sapier ubuntu debian suse freebsd kubuntu xubuntu fedora windows xp windows 7 windows 8 windows 8.1 windows 10 macos android 2 3 4 5 22:22 sapier I could mention different versions of the linux distributions in there too ;-) 22:22 VanessaE I said non-windows systems, and you said "dozens" of "OS's" 22:22 sapier all of those are different os 22:23 est31 its not that ubuntu and kubuntu have completely different APIs 22:23 VanessaE so from your list, that leaves ubuntu debian suse freebsd kubuntu xubuntu fedora macos android, and there are only two OS's common among those 22:23 VanessaE excuse me, three. 22:23 VanessaE linux distros are distros, not OS's 22:23 sapier well ubuntu has unity while kubuntu has kde ... I'd consider this a significant difference 22:24 VanessaE it's not like you have to change which kernel, libc, etc calls you're making just because you move from Ubuntu to SuSE or something. 22:24 sapier nope VannessaE actually distribution is almost same as OS 22:24 sapier kernel libc & co aren't related to copy&paste at all 22:24 VanessaE I'd continue to debate that idea... 22:24 VanessaE but it doesn't matter 22:25 VanessaE we're not talking about major differences in system calls and so forth 22:25 VanessaE we're talking about copy&paste ffs. 22:25 sapier relevant is graphics subsys and windowmanager 22:25 acerspyro Thing is, there is no "type" of OS 22:25 VanessaE what does graphics have to do with receiving a paste event from the system clipboard? 
22:25 sapier well graphics as of X-server 22:26 VanessaE that's at a layer only just above the windowing system, when I last checked 22:26 acerspyro Nothing defines the term OS apart from what runs on your system. Windows 7 with an update applied compared to one without the update could or could not be considered a different OS 22:26 VanessaE (though I'm no expert on X11 :P ) 22:27 sapier well especially in this area it's quite fluid atm 22:27 est31 with mir and wayland and so on 22:27 est31 ? 22:28 sapier yes est 22:29 VanessaE well if you think it's THAT hard to get something as basic as copy&paste going, then encryption + a good built-in password manager (in the spirit of what browsers do) is what's gonna have to be, if you want any chance of getting users to create decent passwords and not have the same one on multiple servers. 22:29 sapier well I'd may even be more easy to get encryption work as we'd have all of the code within minetest itself ;-) 22:30 VanessaE perhaps, but you DID say you expected it to take "months" of work :P 22:30 sapier I didn't say how much time would be required to fix copy&paste for each and every os ;-) 22:31 VanessaE granted. 22:31 sapier still as always the better a bugreport is the better the chance it's gonna be fixed 22:32 sapier well unless copy&paste issue is related to irrlicht 22:32 VanessaE I don't recall who but I seem to recall someone said it is 22:33 acerspyro What are we talking about? 22:33 acerspyro Isn't the clipboard an X11? 22:33 acerspyro +thing 22:33 VanessaE acerspyro: when sapier and I get at each other like this, it gets random :) 22:33 VanessaE sapier: right? ;) 22:33 acerspyro lol 22:33 exio4 irrlicht's clipboard support doesn't .. really work 22:34 VanessaE the thing that bothers me is WHY you have to go through irrlicht in the first place 22:35 acerspyro ^ 22:35 VanessaE I mean, what's stopping you from writing your own minimal input handler for stuff like this? 
22:35 acerspyro https://github.com/graphitemaster/neothyne 22:36 acerspyro Using as little dependancies as possible 22:36 acerspyro SDL2 and g++ or clang++... I think that's it. 22:36 VanessaE back in the old days, that's what we did. run through our own code first, and then if it didn't understand the input, pass it on to the kernel's input handler (if there was a reason to) 22:36 acerspyro And it's gonna be a full FPS game. 22:37 exio4 VanessaE: back in the old days, you didn't have to support at least 3 operating systems, where things may change between them, and what not 22:38 acerspyro By using as little deps as possible, you support all 4 OSes in one shot. 22:38 exio4 mantaining code is more expensive than writing it, and not offloading the work to a library is adding useless load to the little time dev core devs have to 'waste' in MT 22:38 acerspyro Linux, Unix, Mac, Windows 22:38 VanessaE exio4: point taken. 22:38 T4im from what I heared x11 clipboard support is quite messy 22:38 exio4 acerspyro: how do you get "clipboard support" without using platform-dependant APIs or a library? 22:38 T4im 2-3 different systems in place 22:38 exio4 also, there is more than one clipboard 22:38 T4im ^ 22:38 exio4 which one do you like most? 22:38 VanessaE useless load? if you're worrying about "load" in a keyboard handler, you're doing something terribly wrong. 22:38 acerspyro exio4: change the way you do it depending on the target OS 22:39 est31 exio4: http://standards.freedesktop.org/clipboards-spec/clipboards-latest.txt 22:39 acerspyro You know, ever heard of ifdef's? 22:39 est31 everything specified 22:39 est31 I dont say its not messy 22:40 exio4 acerspyro: but then you are doing platform specific things, and you have to support them! 22:40 exio4 est31: freedesktop is a cool joke 22:40 acerspyro I think SDL2 deals with the clipboard 22:41 exio4 is minetest using SDL2? 22:41 VanessaE it does not afaik? 22:41 exio4 exactly. 
22:41 exio4 I don't say "it's the best we have", but it is what we have got! 22:41 VanessaE I see no reason not to use SDL if it would be helpful - nearly every system already has it anyway don't they? 22:42 acerspyro ^ 22:42 acerspyro Steam uses SDL, too 22:43 VanessaE there you go. 22:43 celeron55 irrlicht sometimes uses SDL as its windowing backend 22:43 celeron55 i don't know if anyone is doing builds like that though 22:55 sapier steam? isn't this the tool deleting users homedir? 22:56 VanessaE that's since been fixed ;P 22:57 VanessaE some nitwit messed up writing a script that does rm -rf $foo"/" where $foo could end up being empty heh 22:57 VanessaE or something substantially similar. 22:58 est31 all sdl's fault ;) 23:01 acerspyro Well, steam 23:01 acerspyro Steam games, to be exact 23:01 acerspyro Steam uses GTK 23:01 acerspyro (except for the fullscreen interface) 23:11 T4im can happen to everyone... "rm -rf /usr /share/minetest" (note the accidental space) ;-) 23:12 T4im so good minetest is not using bash scripts :)