Time  Nick      Message
14:45 kilbith   man I'm fucking sick of this hecks' irrlicht stripping commit
14:45 kilbith   it's not because something is used now that it won't be in the future
14:46 kilbith   and it doesn't hurt at all to have these extra features we don't immediately need, it's a fucking a rendering engine
14:46 kilbith   -a
14:47 kilbith   so right now I'm forced to track down what was removed and add them back one by one
14:52 kilbith   so please do stop removing features that we *might* potentially use in the future; if you do a lot of irrrlicht stuff, you'd fucking understand
15:38 Guest74   I'm taking with sfan5 at the moment about a double listing problem with the minetest server list
15:39 Guest74   im suggesting we add an optional password field in minetest for the announce
15:39 Guest74   if no password is supplied the serverlist uses the remote ip as it does now
15:39 Guest74   if a password is supplied it only updates the record from announcements that supply that same password
15:39 Guest74   and finally; the password can only be changed once the listing times out from the server list naturally
15:40 Guest74   this would solve my particular issue where I am behind a GCNAT with a static ip assigned to inbound connections
15:40 Guest74   in my case i have both an IPv6 and an IPv4
15:41 Guest74   my IPv4 is static and my IPv6 is subject to changing every few hours due to the GCNAT
15:41 Guest74   the server list only logs my IPv6
15:42 Guest74   either the server list software needs to track both IPv6 and IPv4 per server record
15:43 Guest74   so that it can detect requests from a static IPv4 but dynamic IPv6
15:43 Guest74   and vice-versa
15:43 Guest74   or we need to add an optional "password" field to the announce system
15:43 Guest74   any other thoughts on how this can be solved
15:57 MTDiscord <Warr1024> "password" doesn't sound quite like the right thing for this, but maybe "server_uid" or something.
15:58 MTDiscord <Warr1024> Should it be kept private?  That's ... hard to say, actually ... isn't there actually already a vulnerability that somebody could send competing announces to the list to muddy up the listing for a server?
16:05 Guest74   yes it will double list server at the moment
16:07 MTDiscord <paradust> hm, can that be used to steal username/passwords ?
16:08 Guest74   also there is a very dedicated and well known group of "griefers" known across many server by many names but are all the same person and his friends most commonly identified by their use of "( ͡° ͜ʖ ͡°)" in the chat that would absolutely exploit this if they knew about it
16:09 Guest74   they abuse servers daily until the servers fix the problem or shutdown
16:10 Guest74   its only a matter of time before they realize that they can abuse the server list to also grief those servers they target
16:10 Guest74   so this does need to be solved tbh because eventually someone will use it to grief popular servers
16:15 Guest74   paradust: no
16:15 MTDiscord <paradust> why couldn't it? can someone spoof an existing server?
16:15 MTDiscord <paradust> or take advantage of a server that is down / fails to announce itself
16:24 Guest74   sure if it goes down
16:24 Guest74   that is a problem
16:24 Guest74   someone could steal the slot with a new UID/Password
16:24 Guest74   and bogart it
16:24 Guest74   this is why I am asking here for help
16:24 Guest74   this is not a simple problem to solve
16:25 Guest74   how hard would it be for the server software to track both IPv4 and IPv6?
16:25 sfan5     it doesn't know both your ipv4 and ipv6, only one, that is whichever you currently announce with
16:25 Guest74   paradust: at the moment yes someone can spoof an existing server with a duplicate entry
16:26 Guest74   okay so some how I would need to make the announce from a IPv4 TCP packet?
16:26 MTDiscord <MNH48> > hm, can that be used to steal username/passwords ?
16:26 MTDiscord <MNH48> if you mean the player, then not the actual password since Minetest uses SRP
16:26 Guest74   which means the minetest client would need to be updated to specify if the packet is sent as IPv4 or IPv6?
16:26 sfan5     I already proposed that to you in pm
16:27 MTDiscord <paradust> server could pop up another dialog box and ask for password confirmation, yea?
16:27 Guest74   I assume that IPv6 headers dont also contain an IPv4 address unless that IPv6 address is "the special one" that contains also the IPv4 inside it
16:27 Guest74   ah sfan5 suggested `enable_ipv6 = false`
16:28 Guest74   this sounds like the best solution
16:29 sfan5     "server spoofing" is also not an issue, the Minetest client only considers servers the same when `address` and `port` are the same
16:29 sfan5     so yes you can add duplicate entries, but only if the destination where clients connect is the same
16:29 Guest74   `enable_ipv6 = false` - IPv6 client will still be able to connect right?
16:29 sfan5     no
16:29 Guest74   ok i cant do that
16:29 Guest74   a lot of mobile devices are now only IPv6
16:29 Guest74   particularly from china
16:30 sfan5     ipv6 client connections are not configured to work by default
16:30 sfan5     so if you have not explicitly set it up you are not missing anything
16:30 MTDiscord <Warr1024> IPv6 clients would be able to connect to an IPv4-only server if they have some kind of 6-to-4 bridge to go through setup on their end, wouldn't they?  It seems like that would have to be kind of common, since there's still quite a lot of the open internet that's v6-challenged...
16:31 MTDiscord <MNH48> > server could pop up another dialog box
16:31 MTDiscord <MNH48> if server ask for password again after getting into the server then it's red flag
16:31 Guest74   still would be better to have an option that forces announce as IPv4 or IPv6
16:31 Guest74   and not everything else
16:32 Guest74   i might just wget my announce
16:32 Guest74   as IPv4 or something
16:32 Guest74   for now
16:32 Guest74   anyone got an announce template to make my life easier?
16:32 MTDiscord <paradust> sfan5: I'm thinking of the case where a user is looking for a server they have an existing account on, but ends up clicking on an impersonation
16:33 sfan5     I don't think we can reasonably prevent that
16:33 Guest74   also most clients save the host details in faves
16:33 Guest74   i assume
16:33 Guest74   so its a reduced risk vector
16:33 Guest74   for regular players
17:56 nrz       merging #12879
17:56 ShadowBot https://github.com/minetest/minetest/issues/12879 -- [NO SQUASH] Mod storage PostgreSQL backend by TurkeyMcMac
23:16 lhofhansl Hi. Planning to merge #12925 some time today.
23:16 ShadowBot https://github.com/minetest/minetest/issues/12925 -- Alternative I: Reduce active mgmt interval for a bit when a player joins by lhofhansl
23:53 Zughy[m]  thoughts on #12950? It seems pretty trivial but not a lawyer
23:53 ShadowBot https://github.com/minetest/minetest/issues/12950 -- Added copy of LGPL-2.1 by StrajnarFilip