Time Nick Message
06:10 MTDiscord <_.juri._> Just commenting out the line made it compile yes
06:11 MTDiscord <_.juri._> v-rob: that's interesting, I assumed it's just some legacy name scheme thing
06:15 MTDiscord <_.juri._> got any idea why i get this "declared in this scope" error on recent master?
06:16 MTDiscord <_.juri._> *not declared
06:47 v-rob My guess is that these definitions are not necessarily portable across SDL versions (which would make sense, since they have "HINT" in the prefix)
06:49 v-rob However, I'm pretty sure that these are just #defines to a string constant, so changing it to SDL_SetHint("SDL_HINT_MOUSE_TOUCH_EVENTS", "0") with quotes should fix it.
06:53 v-rob Better yet, we shouldn't use hints at all and instead ignore mouse events with `which = SDL_TOUCH_MOUSEID`, and similarly for touch events.
09:02 sfan5 those hints exist since at least SDL 2.0.16 (from 2021)
09:05 sfan5 more specifically 2.0.10 (2019) has them both
09:05 sfan5 so I guess we should just set that as minimum
09:05 sfan5 (https://github.com/libsdl-org/SDL/commit/56cab6d45280fbb4b645083eceeaa8f474c0aac3 | https://github.com/libsdl-org/SDL/commit/e41576188d17fd09c95777d665f6c4532574f8ac)
09:08 grorp makes sense
09:09 grorp v-rob: why would you want to reimplement something that can be done with a hint?
09:50 sfan5 merging #14370, #14365 in 10m
09:50 ShadowBot https://github.com/minetest/minetest/issues/14370 -- [no squash] Remove insecure environment from async and emerge environment by sfan5
09:50 ShadowBot https://github.com/minetest/minetest/issues/14365 -- Fix undefined behaviors by fuzun
10:10 sfan5 should we publish security advisories only when a fixed version has been released or asap?
10:15 MTDiscord Probably asap so people can help fix them
10:16 MTDiscord If there's a chance of it being exploited, definitely right away. It doesn't need to contain a description that would allow someone to exploit it.
10:17 MTDiscord *being exploited in the wild
10:20 sfan5 the advisory would contain a description of the bug, a link to the patch and maybe more text
10:21 sfan5 example: https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc
10:23 MTDiscord I thought the VM would have been deleted and reloaded
10:24 MTDiscord that's a fixed bug
10:25 sfan5 (it was an example for how an advisory looks)
10:25 MTDiscord Oh, oh. I see I see
10:25 MTDiscord See? That worked out immediately lol
10:26 MTDiscord I saw the advisory and mapped out a plan even though I forgot to check if it was actually closed
10:27 MTDiscord I'm of the opinion that an advanced warning or pre-advisory that contains advice for mitigating the attack, but not enough info to reproduce the attack, is a good idea. Especially if it is going to take a while to fix and ship a patched version.
10:34 sfan5 the main concern in this case is not availability of a fix, just that we can't tell people "oh just update to 5.8.1/5.9.0"
10:34 sfan5 hmm I guess patching it via builtin would be possible
12:11 Juri sfan5: apparently I have 2.0.8 here on my laptop, thanks for investigating
12:11 Juri (sdl2)
12:16 Juri I am no expert but I think I would keep the advisories hidden until there is either a fix or exploitation itw is being reported
12:19 Juri Reasoning is to not make skiddies try hard to find and abuse the vulnerability before it is patched and rolled out but in case someone is actively abusing it you guys can make it public to signal that you guys are aware and working on a fix
15:51 sfan5 planning to merge #14371 this late evening. not literally just comment changes but I promise there is zero functional change
15:51 ShadowBot https://github.com/minetest/minetest/issues/14371 -- [no squash] Minor maintenance stuff by sfan5
16:00 lhofhansl Hello. Planning to merge #14338 in a few.
16:00 ShadowBot https://github.com/minetest/minetest/issues/14338 -- Allow shaders with disabled post processing pipeline by lhofhansl
16:25 lhofhansl Done
16:50 sfan5 11:10 <+sfan5> should we publish security advisories only when a fixed version has been released or asap?
16:50 sfan5 ^ more opinions welcome
16:51 nrz_ like all software, when a bugfix release has been published
16:51 nrz_ the goal of advisories is to tell people, go update. if you publish it but no update released, it's not useful
18:29 Desour merging #14323 in 5
18:29 ShadowBot https://github.com/minetest/minetest/issues/14323 -- Inline g/setPixel in imageCleanTransparent by Desour
19:03 v-rob Re: "why would you want to reimplement something that can be done with a hint?"
19:03 v-rob I've never particularly liked hints because they're poorly documented, and it's difficult to know how they really behave. But I think it's not unreasonable to use them.
19:05 v-rob Specifically for the hints previously mentioned, they aren't documented in the SDL2 documentation at all, so I had to go source code diving to understand what they did.
19:19 celeron55_ sfan5: ideally a fixed release should be released along with the advisory. if not, there should be a specific reason why not
19:28 rubenwardy in an ideal world, this would be a nonissue as making a fixed point release should be easy
19:31 MTDiscord the question is: which steps can we take to approach such an ideal world?
19:32 rubenwardy CI/CD for all release binaries would be a good step
19:32 rubenwardy Windows and Android are currently done manually. With Android, we could probably download from the Action and sign using the CLI, idk how to do that though
19:33 rubenwardy you'd still need to do testing though
19:39 rubenwardy I should if releasing was easy enough, could let end users do the testing ;)
19:39 rubenwardy *suppose
19:43 ROllerozxa the artifacts produced by the mingw CI are ready to be used for releases now since #14098 I believe
19:43 ShadowBot https://github.com/minetest/minetest/issues/14098 -- [no squash] Windows CI/build improvements by sfan5
19:44 ROllerozxa for android, I assume the CI would need to build an AAB bundle that can then be uploaded to google play?
19:44 rubenwardy oh yeah, needs to be an .aab
19:51 ROllerozxa for building a bundle from the CLI you'd need to do `./gradlew bundleRelease`, and then sign with jarsigner. so the CI would generate the bundle and the signing would be done locally during release
20:37 MTDiscord merging #14349 in 15m
20:37 ShadowBot https://github.com/minetest/minetest/issues/14349 -- Fix minimap textures overwrite by cx384
23:15 sfan5 postponing #14371 merge to tomorrow morning
23:15 ShadowBot https://github.com/minetest/minetest/issues/14371 -- [no squash] Minor maintenance stuff by sfan5