| Time |
Nick |
Message |
| 01:19 |
|
Ruslan1 joined #minetest-dev |
| 01:21 |
|
luizrpgluiz joined #minetest-dev |
| 01:21 |
luizrpgluiz |
hi |
| 01:22 |
|
luizrpgluiz left #minetest-dev |
| 01:25 |
rubenwardy |
lol |
| 01:25 |
|
Icedream joined #minetest-dev |
| 01:59 |
paramat |
this is not the channel for 'hi' :) dev talk only |
| 02:18 |
|
Cornelia joined #minetest-dev |
| 03:26 |
|
paramat joined #minetest-dev |
| 03:41 |
|
YuGiOhJCJ joined #minetest-dev |
| 06:36 |
|
RedTomato joined #minetest-dev |
| 06:37 |
|
RedTomato joined #minetest-dev |
| 07:26 |
|
ANAND joined #minetest-dev |
| 07:30 |
ANAND |
Should #7557 introduce another protocol bump? |
| 07:30 |
ShadowBot |
https://github.com/minetest/minetest/issues/7557 -- Expose player FOV to Lua API by ClobberXD |
| 07:30 |
ANAND |
Backwards compat is retained; no existing packets are modified, and only a new one is added |
| 07:51 |
|
AndroBuilder joined #minetest-dev |
| 08:00 |
nerzhul |
if you are on 5.0.0 branch it's not important |
| 08:54 |
|
Krock joined #minetest-dev |
| 09:00 |
|
ElementW joined #minetest-dev |
| 11:13 |
nerzhul |
merging #7279 |
| 11:13 |
ShadowBot |
https://github.com/minetest/minetest/issues/7279 -- Replace auth.txt with SQLite auth database by bendeutsch |
| 11:13 |
nerzhul |
finally we got it |
| 11:14 |
nerzhul |
when i get time i will add the postgresql backend :) |
| 11:14 |
nerzhul |
and finally we will have shared auth in server networks |
| 11:35 |
|
Krock joined #minetest-dev |
| 11:39 |
rubenwardy |
Argh, the server sandbox is so insecure |
| 11:49 |
nerzhul |
rubenwardy, it doesn't seems to be waited by server owners, they are focused on CSM security not their servers :p |
| 11:49 |
rubenwardy |
:'( |
| 11:50 |
rubenwardy |
Well, I'll need to fix it to readd require. But there is a different standard of security needed for server mods and client scripts |
| 11:53 |
nerzhul |
yes |
| 12:05 |
|
Krock joined #minetest-dev |
| 12:21 |
|
Fixer joined #minetest-dev |
| 13:05 |
|
lisac joined #minetest-dev |
| 13:27 |
rubenwardy |
#7621 |
| 13:27 |
ShadowBot |
https://github.com/minetest/minetest/issues/7621 -- Add secure require() function by rubenwardy |
| 13:29 |
sfan5 |
a description would be nice because i have no idea what this is or why it should be added |
| 13:30 |
sfan5 |
also why should builtin libraries (string, table, ...) be protected from modification? |
| 13:32 |
rubenwardy |
done |
| 13:32 |
rubenwardy |
and remove |
| 13:33 |
rubenwardy |
those changes shouldn't have been there |
| 13:33 |
rubenwardy |
the issue is that you could effect unsandboxed Lua libraries by modifying string/table/etc, by making them do bad stuff |
| 13:34 |
rubenwardy |
for example, a secure mod or lib could do this: os.execute(("path/to/exe %s %d"):format(a, b)) which is a vulnerability |
| 13:34 |
rubenwardy |
however I'll leave that to a later PR |
| 13:34 |
rubenwardy |
or not at all |
| 13:34 |
sfan5 |
hm, right |
| 13:35 |
rubenwardy |
the same applies to `minetest`, but it's less practical to avoid modifications there |
| 13:36 |
rubenwardy |
it would be nice to give each mod its own environment. This wouldn't actually break too many things providing that mods don't rely on globals exported by another mod which is not the name of the mod |
| 13:36 |
rubenwardy |
but, low priority |
| 13:36 |
rubenwardy |
it also wouldn't help to much, there's loads of ways of escaping environments :( |
| 13:37 |
rubenwardy |
also, that PR has MIT licensed code from the Lua library. MIT is (L)GPL compatible, but you still need to keep copyright licenses |
| 13:37 |
rubenwardy |
not sure how to handle that |
| 13:53 |
|
red-001 joined #minetest-dev |
| 13:59 |
rubenwardy |
I wonder if animations could be done efficiently with shaders in mt |
| 13:59 |
rubenwardy |
wait |
| 14:00 |
rubenwardy |
#6820 |
| 14:00 |
ShadowBot |
https://github.com/minetest/minetest/issues/6820 -- [Concept] Smooth shader-based animation by numberZero |
| 14:09 |
rubenwardy |
another cool thing about that PR is you could do require("mymod.api") instead of dofile(minetest.get_modpath("mymod") .. "/api.lua") |
| 14:09 |
rubenwardy |
with some modifications, ie: adding mod dirs to package.path |
| 14:09 |
rubenwardy |
oh noes, potential vulnerability |
| 14:11 |
Krock |
rubenwardy: see CSM mod loading. dofile("modname:filename.lua" |
| 14:11 |
Krock |
) |
| 14:11 |
sfan5 |
https://github.com/minetest/minetest/blob/master/src/script/lua_api/l_server.cpp#L492 |
| 14:11 |
rubenwardy |
https://github.com/minetest/minetest/pull/7621#issuecomment-410522839 |
| 14:11 |
sfan5 |
why is this a no-op, I feel like this is not correct |
| 14:13 |
Krock |
unless builtin localizes that function, it could be used for exploits in mods that rely on get_last_run_mod for security |
| 14:13 |
rubenwardy |
huh? |
| 14:14 |
sfan5 |
Krock: indeed, but then why do we even have this |
| 14:14 |
rubenwardy |
I think that's to show which mod was running when an OOM happens |
| 14:14 |
rubenwardy |
added by hmmmm |
| 14:14 |
Krock |
yet another left-over from the Lua API dinosaur state |
| 14:14 |
rubenwardy |
or generally which mod was runnign when a crash happens |
| 14:14 |
Krock |
rubenwardy: but it's not helpful when it depends on a define |
| 14:15 |
rubenwardy |
wait |
| 14:15 |
rubenwardy |
oh right |
| 14:15 |
rubenwardy |
strange |
| 14:15 |
Krock |
and is a stack backtrace not possible there? |
| 14:15 |
rubenwardy |
OOM causes an unravel, losing the backtrace |
| 14:15 |
rubenwardy |
iirc |
| 14:15 |
Krock |
hmm.. maybe the Lua instance already became unusable as soon the error occured |
| 14:16 |
rubenwardy |
what's the better term than unravel? |
| 14:17 |
sfan5 |
so basically, minetest has no idea at all which mod is running during e.g. a callback |
| 14:17 |
sfan5 |
a callback registered by builtin will not have the privileges builtin usually has (that is: being able to write everywhere on the fs) |
| 14:17 |
Krock |
yes, but as long Lua doesn't panic or throw an OOM, it's possible to figure that out by a stack backtrace |
| 14:18 |
rubenwardy |
does builtin actually have elated privileges? |
| 14:18 |
rubenwardy |
my tests show otherwise |
| 14:18 |
sfan5 |
this is a actually a good thing because it would've been another possiblity of bypassing script security |
| 14:18 |
sfan5 |
but still strange how this is leftover and essentially a no-op |
| 14:18 |
rubenwardy |
unless there's some insecure env in a local |
| 14:18 |
sfan5 |
rubenwardy: https://github.com/minetest/minetest/blob/master/src/script/cpp_api/s_security.cpp#L529 |
| 14:19 |
rubenwardy |
oh, gross |
| 14:19 |
rubenwardy |
although, this guarantees it only happens at load time, right? |
| 14:19 |
rubenwardy |
which means less chance of the insecure env table leaking |
| 14:19 |
sfan5 |
these privileges only apply at load time yes |
| 14:20 |
rubenwardy |
why are they needed? |
| 14:20 |
sfan5 |
¯\_(ツ)_/¯ |
| 14:20 |
rubenwardy |
lol |
| 14:20 |
rubenwardy |
great |
| 14:21 |
rubenwardy |
how about we remove Lua support and replace it with something secure, like JavaScript |
| 14:22 |
sfan5 |
2/10 I chuckled |
| 14:22 |
rubenwardy |
https://i.imgur.com/jWr67J8.png?1 |
| 14:23 |
Krock |
well, we have an issue for that :) |
| 14:23 |
Krock |
most likely it's already closed |
| 14:24 |
Krock |
also, builtin also needs to write to client/*, which might be the reason why simply all actions are allowed |
| 14:24 |
Krock |
also deleting games/*, mods/* and textures/* |
| 14:25 |
rubenwardy |
the main menu is completely unsandboxes though |
| 14:26 |
rubenwardy |
so the elevated privileges only applies to server-side and client-side at load time |
| 14:26 |
rubenwardy |
writing to client may be why |
| 14:26 |
rubenwardy |
feels strange |
| 14:36 |
Krock |
attached entities are weird. Tried to use that hat mod on the local player and in some cases the hat was glues onto the head (ok), and in the other it was behind by a server step (not ok) |
| 14:36 |
Krock |
*was glued |
| 14:37 |
Krock |
maybe the client didn't get the attachment packet and so it relies on the server sent data |
| 14:38 |
rubenwardy |
ew |
| 14:39 |
rubenwardy |
any chance of some love for #7469? ;) |
| 14:39 |
ShadowBot |
https://github.com/minetest/minetest/issues/7469 -- Formspecs: Add tooltip element for area by rubenwardy |
| 14:40 |
Krock |
rubenwardy: are the new changes tested? |
| 14:40 |
rubenwardy |
yes |
| 14:40 |
rubenwardy |
both with buttons and the new form |
| 14:40 |
Krock |
tbh I thought this was already merged last night |
| 14:40 |
rubenwardy |
I'll quickly double check |
| 14:41 |
rubenwardy |
it's not trivial ;) |
| 14:43 |
rubenwardy |
cool, will merge in ~10 |
| 14:48 |
|
Ruslan1 joined #minetest-dev |
| 14:55 |
rubenwardy |
> MFW when clang-format passes first time |
| 14:55 |
rubenwardy |
also, done |
| 15:23 |
rubenwardy |
what's the easiest way to move all changes to a file in HEAD~1 to the commit HEAD? |
| 15:23 |
rubenwardy |
git reset --soft? :'( |
| 15:25 |
Krock |
git reset -i HEAD~(n+1) and then specify what to do with the commits |
| 15:25 |
Krock |
well, per-file isn't possible there |
| 15:30 |
rubenwardy |
done |
| 15:30 |
rubenwardy |
thanks# |
| 15:36 |
Krock |
!next |
| 15:36 |
ShadowBot |
Another satisfied customer. Next! |
| 15:40 |
rubenwardy |
wondering what the best way to do --crash-on-failed-tests would be |
| 15:41 |
rubenwardy |
argh |
| 15:41 |
rubenwardy |
especially as tests may not all by done by load time |
| 15:42 |
rubenwardy |
and os.exit isn't in the sandbox |
| 15:50 |
rubenwardy |
wait |
| 15:50 |
rubenwardy |
throwing a Lua error would cause a return of 1 |
| 16:03 |
rubenwardy |
argh, rebasing is such fun |
| 16:19 |
|
paramat joined #minetest-dev |
| 16:20 |
paramat |
i closed the auth.txt blocker issues. remaining blockers are https://github.com/minetest/minetest/issues?q=is%3Aopen+is%3Aissue+label%3ABlocker please add any missing blockers for 5.0.0 |
| 16:21 |
rubenwardy |
argh |
| 16:21 |
paramat |
some issues labelled with the 5.0.0 milestone may need adding to blockers |
| 16:21 |
rubenwardy |
why does the command line of MT perpetually suck |
| 16:25 |
paramat |
oh and some android issues may deserve blocker if they're really bad |
| 16:26 |
rubenwardy |
mkdir -p worlds/test && echo -e "gameid = minimal\nbackend = dummy" > worlds/test/world.mt && ./bin/minetest --worldname test --gameid minimal --name test --address '' --go |
| 16:26 |
rubenwardy |
ew |
| 16:26 |
rubenwardy |
there also doesn't appear to be a way to start a singleplayer game from the command line |
| 16:27 |
rubenwardy |
also, in full mode there it doesn't return 1. Only does that in server mode :'( |
| 16:28 |
rubenwardy |
the aim of this is to add a travis check that starts up a server and connects a headless client (null video driver) |
| 16:31 |
rubenwardy |
sorry for the spam |
| 16:31 |
rubenwardy |
time for Rimworld now |
| 16:37 |
|
Beton joined #minetest-dev |
| 17:08 |
paramat |
it looks like the most urgent work for 5.0.0 now is those mysterious crashes |
| 17:09 |
|
Gael-de-Sailly joined #minetest-dev |
| 17:12 |
paramat |
android still seems to have many issues but meh .. at least controls are done, i feel android issues shouldn't delay 5.0.0 release otherwise we'll never release |
| 17:28 |
Krock |
Well, in the last few weeks I couldn't reproduce another one |
| 17:28 |
Krock |
still wonder how they were arised |
| 17:33 |
paramat |
i've asked our android usrs to check the open issues |
| 17:33 |
paramat |
*users |
| 17:34 |
paramat |
game#2184 works just not sure if implementation is optimal |
| 17:34 |
ShadowBot |
https://github.com/minetest/minetest_game/issues/2184 -- Player_api: Give laying players a low selection/collisionbox by paramat |
| 17:34 |
paramat |
i'll check your vehicle fix PR |
| 18:37 |
|
Fixer joined #minetest-dev |
| 19:05 |
|
reductum joined #minetest-dev |
| 19:18 |
|
Cornelia joined #minetest-dev |
| 19:19 |
rubenwardy |
Would people prefer that the library required by the testing PR be bundled with Minetest, or downloaded as part of CMake? |
| 19:19 |
rubenwardy |
cmake allows you to download and extract files |
| 19:19 |
rubenwardy |
s/files/zips |
| 19:20 |
rubenwardy |
the former makes more sense to me, and is more reliable |
| 19:20 |
rubenwardy |
the latter makes updating it easier |
| 19:20 |
rubenwardy |
but heh |
| 20:04 |
|
YuGiOhJCJ joined #minetest-dev |
| 20:08 |
paramat |
Krock #7610 tests ok but i have a question in a line comment |
| 20:08 |
ShadowBot |
https://github.com/minetest/minetest/issues/7610 -- Prevent from colliding with own children by SmallJoker |
| 20:10 |
paramat |
apart from that +1 |
| 20:17 |
Krock |
comments addressed. thanks for reviewing |
| 20:17 |
paramat |
ok fine +1 |
| 20:18 |
paramat |
will merge in5 mins |
| 20:18 |
Krock |
hah yes.. other people might looks suspicious to the police by googling "How to destroy children as parent" |
| 20:18 |
Krock |
(programming context) |
| 20:20 |
Krock |
That collision distance issue might also be the reason for such a poor collision detection performance when there are some objects around |
| 20:22 |
paramat |
the adding of 1.5 nodes of tolerance was necessary |
| 20:22 |
paramat |
? |
| 20:23 |
paramat |
well anyway, merging |
| 20:24 |
Krock |
yes, to ensure that larger collision boxes work about the same as before |
| 20:29 |
paramat |
merged, excellent |
| 20:51 |
|
paramat joined #minetest-dev |
| 22:16 |
rubenwardy |
merging trivial bug fix ~10 minutes https://github.com/rubenwardy/minetest/commit/8d68b2cd210fea3cd852c648464c8bdd9cac02a7 |
| 22:16 |
rubenwardy |
!title |
| 22:16 |
ShadowBot |
Fix debug and info text being the wrong color · rubenwardy/minetest 8d68b2c · GitHub |
| 22:21 |
paramat |
good |
| 22:35 |
rubenwardy |
ooops |
| 22:35 |
rubenwardy |
merging now |
| 22:35 |
rubenwardy |
done |
