| Time |
Nick |
Message |
| 00:09 |
|
JCM joined #minetest-dev |
| 00:41 |
|
JCM joined #minetest-dev |
| 01:15 |
|
JCM joined #minetest-dev |
| 01:24 |
|
v-rob joined #minetest-dev |
| 01:47 |
|
behalebabo joined #minetest-dev |
| 01:50 |
|
ShadowNinja joined #minetest-dev |
| 02:26 |
|
JCM joined #minetest-dev |
| 03:01 |
|
JCM joined #minetest-dev |
| 03:16 |
|
v-rob joined #minetest-dev |
| 04:00 |
|
MTDiscord joined #minetest-dev |
| 05:40 |
|
v-rob joined #minetest-dev |
| 05:56 |
|
JCM joined #minetest-dev |
| 06:06 |
|
d0p1 joined #minetest-dev |
| 07:05 |
|
JCM joined #minetest-dev |
| 07:07 |
|
v-rob joined #minetest-dev |
| 07:21 |
|
Warr1024 joined #minetest-dev |
| 07:40 |
|
JCM joined #minetest-dev |
| 08:17 |
|
JCM joined #minetest-dev |
| 08:22 |
|
Warr1024 joined #minetest-dev |
| 08:47 |
|
Warr1024 joined #minetest-dev |
| 08:52 |
|
JCM joined #minetest-dev |
| 09:27 |
|
JCM joined #minetest-dev |
| 11:11 |
|
JCM joined #minetest-dev |
| 11:12 |
|
SFENCE joined #minetest-dev |
| 11:23 |
|
SFENCE joined #minetest-dev |
| 11:27 |
|
SFENCE joined #minetest-dev |
| 11:29 |
|
SFENCE joined #minetest-dev |
| 11:36 |
|
SFENCE joined #minetest-dev |
| 11:40 |
|
SFENCE joined #minetest-dev |
| 11:48 |
|
SFENCE joined #minetest-dev |
| 11:52 |
|
SFENCE joined #minetest-dev |
| 11:54 |
|
fishmongler joined #minetest-dev |
| 12:00 |
|
SFENCE joined #minetest-dev |
| 12:08 |
|
SFENCE joined #minetest-dev |
| 12:20 |
rubenwardy |
looking for review: https://github.com/minetest/minetest.github.io/pull/282 |
| 12:29 |
fishmongler |
Are there plans to reduce the unnecessary data collection later or is this it? |
| 12:29 |
Krock |
no because there's nothing unnecessary |
| 12:30 |
|
PoochInquisitor joined #minetest-dev |
| 12:31 |
Krock |
actually there has been a suggestion to reduce the amount of information provided in the user agent: https://github.com/minetest/minetest/issues/14819#issuecomment-2211721126 |
| 12:33 |
fishmongler |
Well, what's stopping me from making a fork that randomizes this user agent to something plausible looking? |
| 12:33 |
sfan5 |
nothing |
| 12:34 |
Krock |
fishmongler: https://i.postimg.cc/sXkpvh4y/grafik.png |
| 12:36 |
|
PoochInquisitor joined #minetest-dev |
| 12:36 |
|
PoochInquisitor left #minetest-dev |
| 12:40 |
fishmongler |
@Krock I'm 3 microseconds late? Ahead? |
| 12:40 |
fishmongler |
Being snarky doesn't help your case here |
| 12:41 |
|
micro_bowels joined #minetest-dev |
| 12:42 |
Krock |
fishmongler: it's not sarcastic. it just means it's probably not worth the effort to care about this case |
| 12:42 |
Krock |
you're free to propose a change, if it's important to you. |
| 12:44 |
Krock |
rubenwardy: what about the version update checker? |
| 12:44 |
rubenwardy |
Wdym |
| 12:44 |
fishmongler |
I beg to differ, I'm sure a lot of downstreams would care about this if they were aware in the first place |
| 12:44 |
rubenwardy |
#14827 |
| 12:44 |
ShadowBot |
https://github.com/minetest/minetest/issues/14827 -- Add setting to disable Content tab update indicator by rubenwardy |
| 12:44 |
Krock |
rubenwardy: I mean the startup version check in Minetest that is not the same as ContentDB |
| 12:45 |
rubenwardy |
Ah yeah |
| 12:45 |
|
micro_bowels joined #minetest-dev |
| 12:45 |
|
micro_bowels left #minetest-dev |
| 12:45 |
rubenwardy |
That can be disabled using the update checker config |
| 12:45 |
pgimeno |
fishmongler: lets unite and make a bulge in that bell :) |
| 12:46 |
rubenwardy |
If we decide to require user affirmative confirmation to enable some network requests, that would apply to the Mt update checker as well as the contentdb update indicator |
| 12:46 |
Krock |
yes, in-dev builds and such from repos generally have that disabled by default, thus should mostly affect Windows users |
| 12:46 |
fishmongler |
And that's what you should do |
| 12:46 |
rubenwardy |
I think it's extreme and would scare users. Better to let privacy conscious distros configure to their needs |
| 12:47 |
|
micro_bowels joined #minetest-dev |
| 12:47 |
|
micro_bowels left #minetest-dev |
| 12:48 |
fishmongler |
rubenwardy Uh..... so hang on, let my brain process this |
| 12:49 |
|
micro_bowels joined #minetest-dev |
| 12:49 |
|
micro_bowels left #minetest-dev |
| 12:50 |
fishmongler |
We want something from the user's house. We are currently sneaking in to take it when they're not looking. Let's not knock on the door to ask for it because... it might scare them, and let's instead keep breaking in to avoid scaring them? |
| 12:50 |
fishmongler |
This logic itself is what's scary |
| 12:50 |
rubenwardy |
It's disproportionate to the minimal privacy impact the requests have |
| 12:50 |
fishmongler |
I'd say it's more about respect than impact |
| 12:51 |
ROllerozxa |
I still don't understand the issue with fetching a list of package releases. the list of mods isn't sent to the server and the checking of releases against what you have is done locally on the client. hecks misinterpreted that it was sent to the server in the first place which I think blew things out of proportion |
| 12:51 |
rubenwardy |
I'm not against removing info for the user-agent though, maybe we could just include the port name (windows/macos/android/linux) and not specific information like distro or architecture |
| 12:51 |
fishmongler |
That part has been explained already, it's not a problem, I assumed there's too many mods already to fetch the list wholesale |
| 12:52 |
fishmongler |
It might become a problem in the future |
| 12:52 |
Krock |
to spit more oil into the fire: just turn off the internet |
| 12:52 |
rubenwardy |
Yeah if I ever need to send a package list that absolutely would require affirmative consent |
| 12:52 |
|
micro_bowels joined #minetest-dev |
| 12:52 |
|
micro_bowels left #minetest-dev |
| 12:53 |
fishmongler |
What do you need the port name for? |
| 12:54 |
ROllerozxa |
yeah I agree that the user agent might send too much details about the OS. for linux I believe it would also send the custom version name of the kernel if one has built it themselves |
| 12:54 |
sfan5 |
it looks like we're in the process of re-enacting the discussion from the linked issue |
| 12:55 |
fishmongler |
I just wanted to hear from the horse's mouth whether this is actually getting fixed or if we're only updating the policy to avoid getting sued immediately |
| 12:55 |
fishmongler |
and I wanted to discuss this without the peanut gallery rabble having tribal ook ooks about how much they don't care about their own security, but it looks like I can't have that Krock |
| 12:56 |
fishmongler |
Never mind security, this software is just rude |
| 12:56 |
fishmongler |
You don't get to be very rude in FOSS because someone less rude can come along and take over |
| 12:57 |
fishmongler |
Every ad blocker that implements a sponsored whitelist gets instantly forked to not have that whitelist. Every web browser that has telemetry has a fork without said telemetry. etc |
| 12:58 |
Krock |
as I said, you're free to propose a change. If that does not fit you either, forking is a possibility here as well. |
| 12:58 |
fishmongler |
I have proposed enough in the issue |
| 12:59 |
Krock |
I rather meant code-wise, but the issue is a good start for that. |
| 12:59 |
|
micro_bowels joined #minetest-dev |
| 12:59 |
|
micro_bowels left #minetest-dev |
| 13:00 |
sfan5 |
I suppose the next step is to wait for consensus to emerge |
| 13:00 |
fishmongler |
1. That means less time for me to deal with Hat Lag 2: Transform Chain Boogaloo and other blockers |
| 13:00 |
fishmongler |
2. I don't like spending time cleaning up after others though fixing hatlag bugs is also that I guess |
| 13:02 |
Krock |
what does "hatlag" mean? |
| 13:02 |
fishmongler |
I think I need to make some transform/attach stress tests for devtest because these bugs keep slipping in unnoticed otherwise |
| 13:02 |
fishmongler |
Hatlag is #14818 |
| 13:02 |
ShadowBot |
https://github.com/minetest/minetest/issues/14818 -- Attachments lag behind bones under some circumstances |
| 13:04 |
|
SFENCE joined #minetest-dev |
| 13:07 |
fishmongler |
also what follows from 2. is that if the amount of damage from bad practices and bugs hits a critical mass, it becomes cheaper to fork than to do this constant crisis management |
| 13:16 |
MTDiscord |
<jordan4ibanez> Okay so, the minetest collects the operating system, the architecture, and if you have a custom kernel it might pull that in. In the contentdb tab. Is there anything else? |
| 13:18 |
Krock |
it also sells your soul to bill gates |
| 13:18 |
fishmongler |
Bill Gates era Windows collected less data |
| 13:18 |
MTDiscord |
<jordan4ibanez> Ah, well, I hope he at least stores it in a nice jar |
| 13:21 |
|
SFENCE joined #minetest-dev |
| 13:22 |
fishmongler |
@jordan4ibanez According to the policy text, the master server does this too. This is actually new information to me but not surprising. And currently the main menu does this, not the CDB tab. |
| 13:22 |
MTDiscord |
<jordan4ibanez> wait windows xp had ceip |
| 13:23 |
|
SFENCE joined #minetest-dev |
| 13:23 |
fishmongler |
"Windows XP was released one year after Gates stepped down as Microsoft CEO.[53]" |
| 13:24 |
MTDiscord |
<jordan4ibanez> So he helped make it lol |
| 13:24 |
MTDiscord |
<jordan4ibanez> But regardless, we should enable a debian mode so it breaks minetest's ability to look at contentdb and the server list |
| 13:24 |
fishmongler |
Oh, but you know what win XP also did? It asked you whether you want to participate when you ran the install |
| 13:24 |
fishmongler |
and so did 7 |
| 13:25 |
MTDiscord |
<jordan4ibanez> So I take it you agree with debian mode then? |
| 13:25 |
fishmongler |
I'm not sure what do you mean by "debian mode", I mean, debian does the bare minimum |
| 13:26 |
fishmongler |
I roll my eyes when debian asks me whether i want to participate in the "package popularity contest" or whatever, but at least it asks |
| 13:26 |
MTDiscord |
<jordan4ibanez> Yes exactly, absolutely no internet connectivity from any home servers when enabled by default on foss servers |
| 13:26 |
MTDiscord |
<jordan4ibanez> foss repository servers, I mean, like debians |
| 13:26 |
fishmongler |
That's the bare minimum of respect you can have for your user |
| 13:26 |
MTDiscord |
<jordan4ibanez> so we don't want any communication with the home base, we don't want to have any contentdb tab enabled, and you'll have to go find your own servers |
| 13:27 |
fishmongler |
Just have a modal the first time you open the content tab |
| 13:27 |
MTDiscord |
<jordan4ibanez> No, we don't want any exposure to any of that |
| 13:27 |
fishmongler |
I don't understand why is Minetest suddenly cargo culting sleazy corporate practices that are already on their way out |
| 13:28 |
|
Road_Killer joined #minetest-dev |
| 13:28 |
fishmongler |
even using the same "to assist in development and improve things" language which never meant what it said when it shows up in corporate policies |
| 13:29 |
MTDiscord |
<jordan4ibanez> You're offending my gfortran compiler talking about corporate practices. But anyways, if you are in favor of disabling these hard links by default on certain linux distros, feel free to chime into the issue that wardenruby linked earlier |
| 13:29 |
|
Road_Killer joined #minetest-dev |
| 13:30 |
fishmongler |
"the issue" that I'm the OP in? |
| 13:31 |
MTDiscord |
<jordan4ibanez> Yes |
| 13:31 |
MTDiscord |
<jordan4ibanez> But hold on I would like to chime into it |
| 13:32 |
|
JCM joined #minetest-dev |
| 13:35 |
MTDiscord |
<jordan4ibanez> Well it turns out you are not the operator of that post, different issue |
| 13:36 |
fishmongler |
i hope it'll be a higher IQ take than "iF yOu DOn't lIke tracKerS, maYbe yOu ShOUlD GET ofF tHe inteRnet" |
| 13:36 |
MTDiscord |
<jordan4ibanez> No, debian mode, not joking. A boolean value you can disable the entire thing with |
| 13:37 |
MTDiscord |
<jordan4ibanez> Should disable server list, contentdb tab, all that stuff |
| 13:37 |
MTDiscord |
<jordan4ibanez> If a user or distro wants to recompile in debian mode, they should be allowed to easily |
| 13:37 |
fishmongler |
Doesn't fix the real issue but it's useful for development |
| 13:37 |
MTDiscord |
<jordan4ibanez> Well, it'll become compiled out, so it won't be machine code at that point |
| 13:38 |
fishmongler |
The real issue is bad defaults, bad practices, and probably a rotten culture |
| 13:38 |
MTDiscord |
<jordan4ibanez> If there was a true rotten core along the core team, debian mode wouldn't even be a valid suggestion at all |
| 13:38 |
fishmongler |
Disabling CDB entirely as the solution is just malicious because you don't even get devtest with the engine nowadays |
| 13:39 |
MTDiscord |
<jordan4ibanez> No, in fact, even debian agrees that you should not use contentdb |
| 13:40 |
MTDiscord |
<jordan4ibanez> That's where the name debian mode came from, it's the base of freedom. If you want to not be exposed to even a sip of any telemetry it should honestly be respected |
| 13:41 |
fishmongler |
If I didn't think the culture was salvageable, I'd fork instead of coming here. This debian mode you're suggesting sounds to me like malicious compliance |
| 13:42 |
fishmongler |
I just don't want to make network requests from the main singleplayer page whenever I restart to test my game, which is a lot |
| 13:42 |
MTDiscord |
<jordan4ibanez> No, because rubenwardy is the sole runner of contentdb. And many people like yourself do not agree with the way this is run, and we should have a tasteful way to enable this agreement that we do not agree |
| 13:44 |
fishmongler |
He's the sole runner of it but he also tightly integrated it with software that's an upstream for many people. |
| 13:44 |
rubenwardy |
I believe it's cached to once per day or something similar fyi |
| 13:44 |
fishmongler |
This is a responsible role |
| 13:50 |
MTDiscord |
<jordan4ibanez> Of course, but then we must think one level lower than this. If rubenwardy hadn't stepped up to the plate and financed this endeavour, we would not have contentdb at all. It came into existence out of the basis of necessity due to resource disbursement aka mods all over the forums. If you think that this is being handled in a truly egregious manor then you should open up a new issue on the github to explain what, why, and how |
| 13:50 |
MTDiscord |
things are bad and need to be changed so it has a more staying presence than it being scrolled past in the irc channel |
| 13:51 |
MTDiscord |
<jordan4ibanez> When something truly bothers me, I will open an issue, even though I know it will immediately get slammed shut, but I can always go back to it to see I expressed my disapproval and desire for change |
| 13:51 |
fishmongler |
sigh. i have already opened the issue, i came here because the issue thread has deteriorated into a stupidity contest |
| 13:57 |
MTDiscord |
<luatic> fishmongler: i agree that devtest should have tests for this. we should probably replace green wizard with sam and throw some attachments in there. |
| 13:58 |
MTDiscord |
<luatic> "cool guy :]" might also be an option |
| 13:58 |
fishmongler |
i don't understand your argument here jordan, so wardy decided to fix the problem of discovering mods by creating a central repository. okay, that's his own choice. he's funding it out of pocket. well fine, thanks, but i don't feel very guilty about it because i only use it to download devtest/mtg when i'm looking for bugs, i checked out a few |
| 13:58 |
fishmongler |
other packages when it shipped and that's it |
| 13:58 |
fishmongler |
@luatic sam and coolguy are too simple, i wanted to make something that actually can stress test this; possibly a 3d green wizard |
| 13:59 |
MTDiscord |
<luatic> okay sure but the bugs so far would've been found with a simple test as well if i'm not mistaken? |
| 13:59 |
MTDiscord |
<luatic> a stresstest seems like it would be more useful later when we move skinning to the GPU and want to see the performance impact of that |
| 14:00 |
fishmongler |
i've noticed that mibi is like a particle accelerator for discovering new bugs and it has to do with being more complicated than minetest_game, so i want to make a test entity that's roughly this demanding |
| 14:01 |
MTDiscord |
<luatic> sounds good |
| 14:01 |
fishmongler |
at the very least a skinned player model and an identical model living as an entity, and all sorts of bone attachment/override setups for it |
| 14:01 |
fishmongler |
also a skinned vehicle because that's another edge case |
| 14:03 |
fishmongler |
it's not about stress testing rendering but transform behavior and activeobject lifetimes, that's the code that breaks the most often |
| 14:05 |
MTDiscord |
<luatic> about the ao lifetimes, @ExeVirus has been working on tests for that since it's relevant for the spatial indexing |
| 14:06 |
fishmongler |
huge entities are another desirable test case: #14686 |
| 14:06 |
ShadowBot |
https://github.com/minetest/minetest/issues/14686 -- Allow large entities: Large collision boxes, large selection boxes, large visuals |
| 14:06 |
|
JCM joined #minetest-dev |
| 14:06 |
MTDiscord |
<exe_virus> I mean, yeah I have been. Also I'll be looking at vectorizing our collision box math so that should provide a ~5x speedup of those calculations |
| 14:07 |
MTDiscord |
<exe_virus> between optimizing which objects to look at and optimizing the collision box math, that should help us increase collision box allowances as well as handle more objects in general. It'll likely expose bad collision handling though haha |
| 14:08 |
fishmongler |
@exe_virus how do you "properly" vectorize code in minetest, do you just use arrays and hope the compiler picks it up? or do we use compiler vector extensions and write fallbacks? |
| 14:08 |
MTDiscord |
<exe_virus> no, I was going to work with google highway, since they do fallback nicely |
| 14:08 |
MTDiscord |
<exe_virus> https://github.com/google/highway |
| 14:09 |
fishmongler |
okay so "this exists" basically |
| 14:09 |
fishmongler |
avx2 mapgen would be nice |
| 14:10 |
MTDiscord |
<exe_virus> yep, small baby steps, first AO spatial index, then collision vectorization since that is another obvious bottleneck based on flame graphs, then whack a mole till we're happy. Gotta have robust detest runtime tests to support that |
| 14:12 |
fishmongler |
light and liquids is where i'd like to see simd |
| 14:22 |
pgimeno |
there used to be a compile-time switch to disable curl, which I always did; what happened to that? |
| 14:25 |
ROllerozxa |
it has never gone anywhere, it still exists |
| 14:30 |
fishmongler |
anyway back to the telemetry issue; there is a pattern to my complaints - "this feature wasn't here when i decided to invest time into minetest" |
| 14:31 |
fishmongler |
sure i can edit and build myself a version without telemetry, but that's beside the point |
| 14:32 |
MTDiscord |
<wsor4035> by that logic then minetest devs should do nothing, because anyone who decides to use minetest afterword's will have something different than when they started |
| 14:32 |
fishmongler |
fallacy |
| 14:33 |
fishmongler |
i now have to explain to my users that the official client has telemetry in it and give them a mitigation guide, or give them a cleaned up version in which case i might want to break compat on purpose so that somebody doesn't accidentally end up using the bad one |
| 14:34 |
MTDiscord |
<jordan4ibanez> Well, if that was the case, why didn't you just do that? |
| 14:34 |
fishmongler |
the first or the second thing? |
| 14:34 |
MTDiscord |
<jordan4ibanez> Either or |
| 14:34 |
fishmongler |
the first thing is laughable from a PR perspective and was only rhetorical, so only option 2 remains |
| 14:35 |
fishmongler |
and that means i have been scammed out of any time i spent looking for and fixing bugs |
| 14:35 |
MTDiscord |
<jordan4ibanez> Then why don't you fork it and just roll your own release and only pull in changes you want? |
| 14:35 |
fishmongler |
I'm basically threatening this |
| 14:35 |
MTDiscord |
<jordan4ibanez> I say go for it bro, I already did this where I gutted out all android compatibility and pause timers |
| 14:36 |
fishmongler |
The situation during the shading fiasco was a little different in that I was still dependent on the master server for discovery |
| 14:36 |
fishmongler |
I can afford to advertise now or just spin my own protocol-compatible closed source client |
| 14:37 |
fishmongler |
but I'm also pissed off enough to just maintain a competing foss fork |
| 14:37 |
MTDiscord |
<jordan4ibanez> If you're angry enough about it then why not just go all in on it? |
| 14:38 |
fishmongler |
Because it's not for you to decide, jordan |
| 14:38 |
MTDiscord |
<jordan4ibanez> Oh well I'm not telling you to do it, you're telling me lol |
| 14:38 |
fishmongler |
And because this is a very stupid thing to hard fork over |
| 14:38 |
fishmongler |
The smart thing to do is to stop being spyware in need of a fork |
| 14:42 |
|
JCM joined #minetest-dev |
| 14:44 |
fishmongler |
Another reason is that I genuinely care about the existing users and I don't think they should be tracked or exposed to security holes |
| 14:46 |
fishmongler |
and I'm seeing bad practices slowly creep in, so now's a good time to examine the bigger picture |
| 14:49 |
fishmongler |
So far it's 50/50, some of the devs are taking this seriously and others are being absolute clowns |
| 14:51 |
fishmongler |
Ironically the guys taking it the most seriously are the author of this feature and the guy running the server for it |
| 15:00 |
fishmongler |
The rest are basically having a contest of signalling how much they don't care, they don't care so much they just have to come in and tell everyone about it |
| 15:00 |
fishmongler |
As if bad practices could become any less bad by popular vote |
| 15:03 |
celeron55_ |
with a less aggressive start to that issue it could have been a lot more productive |
| 15:04 |
fishmongler |
rubenwardy You've at least noticed that a consent dialog might scare people, that's a good observation, only the conclusion is wrong. It might scare people because the software is doing scary things |
| 15:04 |
fishmongler |
hi celeron |
| 15:05 |
celeron55_ |
you could close it, make a new one with a simple reasonable suggestion and see if it goes better. it's not unreasonable to ask e.g. "Do not perform the request until the CDB tab has been clicked". but now nobody sees that suggestion because it's buried within the flamewar |
| 15:05 |
fishmongler |
I don't see how this could have been pointed out less aggressively, besides the one misconception because I was auditing the code as I was typing out the issue |
| 15:06 |
MTDiscord |
<wsor4035> not to mention the lead post is wrong about certain things |
| 15:06 |
fishmongler |
The relevant people already know what's up and how they should fix it anwyay, I only came here to ask if they're actually going to do it |
| 15:06 |
fishmongler |
and to try to evangelize good practices and respect for the users |
| 15:07 |
rubenwardy |
Calling it telemetry is very misleading, there's a legitimate interest and the piracy impact is very small |
| 15:07 |
fishmongler |
No you see, intent does not matter here, what matters is what the software does |
| 15:07 |
celeron55_ |
fishmongler: it's just laziness, not malice. laziness tends to get fixed over time. you obviously want to take part into it |
| 15:08 |
fishmongler |
Check your logs, you literally own a heatmap of when I'm at my computer right now |
| 15:08 |
fishmongler |
My user agent is probably close to unique |
| 15:08 |
fishmongler |
yes it is laziness, but I think it's gonna creep up if I don't raise it now |
| 15:09 |
fishmongler |
and there are nasty implications such as the part with downstreams potentially not wanting this change |
| 15:09 |
fishmongler |
I could get MT soft-booted of F-Droid right now if I snitched, but I'm not doing that |
| 15:11 |
fishmongler |
Since we're discussing this, the objective has been achieved |
| 15:12 |
fishmongler |
I'd just like to add that I absolutely do not understand the use for any of the data or the attitude towards it, from a web admin perspective I consider data toxic and want to retain as little of it as possible, especially in the EU |
| 15:12 |
celeron55_ |
MT's goals align with your complaint. you can see how most people react: they're not wanting to shut you down. but this needs to be actively turned into a productive thing in order for something to happen and you need to take part in that |
| 15:12 |
fishmongler |
Data is just trouble |
| 15:13 |
fishmongler |
I'm taking part in that, I'm not forking anything |
| 15:13 |
fishmongler |
Some idiots poured oil into the fire too |
| 15:13 |
celeron55_ |
like, to sum it up into the shortest possible statement: i think everyone agrees "unsolicited network request" is a thing, and it makes sense to be careful with those |
| 15:14 |
fishmongler |
uhhuh, also Minetest has a reputation as a comfy nonhostile FOSS thing and I think that's worth preserving |
| 15:14 |
fishmongler |
and FOSS users usually have high standards for quality and conduct |
| 15:15 |
|
SFENCE joined #minetest-dev |
| 15:15 |
fishmongler |
Honestly the base Content tab has enough dead space for a "Check for updates automatically" checkbox |
| 15:16 |
celeron55_ |
with a hostile opening, you get a hostile response. people tend to behave in that way. i like it that we have people rather than some kind of soul-less corporate interaction |
| 15:21 |
celeron55_ |
it's all too common these days for software taking a longer time to start when you have a bad internet connection. and it's always a bad sign. but it's everywhere, and only a very few people actually manage to live lives where data about them isn't being constantly sent to various places |
| 15:23 |
celeron55_ |
MT should take part in making it possible, because it's one of the few programs that can do it |
| 15:23 |
MTDiscord |
<exe_virus> Oh interesting, so we're concerned about tagging users to their check-ins with CDB. So, don't update until they tab over to CDB? |
| 15:23 |
celeron55_ |
(in the FOSS world it's of course very common to be able to) |
| 15:24 |
MTDiscord |
<exe_virus> Is there an issue for this? Should be an easy enough thing to get done |
| 15:24 |
MTDiscord |
<wsor4035> Exevirus, go read up first please |
| 15:24 |
fishmongler |
@exe_virus Basically, and also don't send more than is needed for the service to operate |
| 15:24 |
celeron55_ |
well i'd say as a rule: a network request should be only made when the user expects it to be made |
| 15:24 |
fishmongler |
Sending the exact OS version is overkill and could potentially be used by a malicious actor if they get their hands on it |
| 15:25 |
celeron55_ |
if the user checks a checkbox for automatic updates at startup, then the user does expect requests to be made at startup. but not otherwise. otherwise the user expects them to be made when they enter the cdb menu, or whatever |
| 15:25 |
|
YuGiOhJCJ joined #minetest-dev |
| 15:25 |
MTDiscord |
<exe_virus> That's a reasonable rule, not too hard to meet either. And wsor: did read, still not seeing if an issue has been made yet |
| 15:26 |
celeron55_ |
yes and of course sending excessive data does nothing other than enables fingerprinting which is not desirable. it's not even desirable to the person who receives the data, because it's a liability |
| 15:26 |
BuckarooBanzai |
^ https://github.com/minetest/minetest/issues/14819 |
| 15:26 |
fishmongler |
This was basically the behavior before CDB auto update integration and MT auto update check |
| 15:26 |
fishmongler |
The multiplayer tab was the only source of requests and you had to click it, also it literally cannot function without making a request (if LAN discovery is added, maybe that will change) |
| 15:27 |
MTDiscord |
<exe_virus> Okay sounds good, will read up there and see if I can summarize it |
| 15:27 |
MTDiscord |
<exe_virus> Also for the record, very few people here seem in disagreement, should be doable for 5.10 |
| 15:27 |
fishmongler |
addendum to the lan discovery thing: quake 3 has different modes of its server browser and the "Internet" mode makes a master request only when you navigate to it |
| 15:28 |
fishmongler |
so if we, for example, had sub-tabs between LAN and internet servers, only the internet tab warrants a master fetch |
| 15:29 |
|
SFENCE joined #minetest-dev |
| 15:30 |
celeron55_ |
it would be good if the issue was made somehow more accessible. it's a super annoying wall of text |
| 15:31 |
fishmongler |
Let's just split the issue then, I'll close the original |
| 15:36 |
|
SFENCE joined #minetest-dev |
| 15:40 |
MTDiscord |
<exe_virus> Okay, fully caught up, we are* taking it seriously, relatively fast turnaround it looks like too. If you do make the new issue, please keep it concise. Offer the issues to be addressed only, preferably no exact solutions, and then we can hash out exact implementations in the PR(s). But feel free not to do any of that, because we'll get it solved either way |
| 15:42 |
MTDiscord |
<exe_virus> Also, as an aside, I wish OS's would come with a good network traffic sniffer/tracker to help us know when and which programs are phoning out in general - I have this problem with a lot of software haha |
| 15:56 |
|
SFENCE joined #minetest-dev |
| 16:02 |
fishmongler |
#14830 #14829 |
| 16:02 |
ShadowBot |
https://github.com/minetest/minetest/issues/14830 -- Minimize data sent in network requests |
| 16:02 |
ShadowBot |
https://github.com/minetest/minetest/issues/14829 -- Network requests are being performed without the user's consent |
| 16:21 |
|
YuGiOhJCJ joined #minetest-dev |
| 16:41 |
|
SFENCE joined #minetest-dev |
| 17:04 |
|
fishmongler joined #minetest-dev |
| 17:30 |
|
SFENCE joined #minetest-dev |
| 18:15 |
|
JCM joined #minetest-dev |
| 18:21 |
|
v-rob joined #minetest-dev |
| 18:57 |
celeron55_ |
@exe_virus a tool that shows a popup any time a program contacts a new server would be cool. (the trigger condition could of course be configurable) |
| 19:04 |
|
fishmongler joined #minetest-dev |
| 19:09 |
|
grorp joined #minetest-dev |
| 19:15 |
pgimeno |
I have a DNS proxy that logs all DNS accesses in a window, so it pretty much fulfils that purpose (not 100% reliable because it won't catch e.g. http://123.45.67.89/ but good enough) |
| 19:23 |
|
JCM joined #minetest-dev |
| 19:53 |
sfan5 |
such firewall tools exist, famously https://www.obdev.at/en/products/littlesnitch/index.html |
| 19:57 |
|
JCM joined #minetest-dev |
| 19:58 |
sfan5 |
<fishmongler> I could get MT soft-booted of F-Droid right now if I snitched, but I'm not doing that |
| 19:58 |
sfan5 |
you should absolutely tell them because this isn't going to get fixed in light speed and the users deserve to know |
| 20:21 |
|
diceLibrarian joined #minetest-dev |
| 20:33 |
|
grorp left #minetest-dev |
| 20:34 |
|
JCM joined #minetest-dev |
| 21:08 |
|
cranez joined #minetest-dev |
| 21:17 |
|
grorp joined #minetest-dev |
| 21:17 |
grorp |
alright, I'll open an fdroid issue |
| 21:19 |
grorp |
https://gitlab.com/fdroid/fdroiddata/-/issues/3309 |
| 21:23 |
|
grorp left #minetest-dev |
| 21:27 |
|
JCM joined #minetest-dev |
| 22:17 |
MTDiscord |
<redundantcc> So is this something you're seriously considering fixing or just reporting it out of a duty to be honest? |
| 22:17 |
fishmongler |
it's probably getting fixed but 5.8 was released with the flaw |
| 22:18 |
MTDiscord |
<redundantcc> I mean I still don't see the issue with a little bit of logging as long as it's limited to data built into the binary, the binary should be able to log that it's executing as compiled for Windows... what specific Windows version or things like kernel information probably shouldn't be sent but data about the compilation shouldn't be considered privileged information? |
| 22:18 |
MTDiscord |
<redundantcc> What specific data is being sent? |
| 22:19 |
fishmongler |
specific OS version is being sent which i don't think is useful for anything anyway |
| 22:19 |
fishmongler |
it just makes rare OS users identifiable |
| 22:19 |
MTDiscord |
<redundantcc> Oh well yeah that's violation of trust, unexecutable should never be acting on its own much less sending fingerprint information autonomously. |
| 22:21 |
MTDiscord |
<redundantcc> At most I could see some built-in string like "mt-nix", or something similar being used for metrics. But you should never pull data about a user specific configuration, at least without explicit permission. |
| 22:21 |
fishmongler |
in the unlikely event that someone evil gains control of this server and figures out how to exploit users using the update pull, the OS info lets them select a payload efficiently |
| 22:22 |
fishmongler |
I really don't think those metrics are useful for anything |
| 22:22 |
fishmongler |
not even mobile vs nonmobile |
| 22:23 |
MTDiscord |
<redundantcc> Oh don't be silly Ruben's code is well known to not have bugs, that being said the infrastructure he runs on might not be so well protected. Not to mention that encryption is a hotly debated topic, which means it's probably not implemented for transactions against cdb. Pretty much anyone could snoop on it if they have the right access. |
| 22:23 |
fishmongler |
forget snooping, mitm is the issue |
| 22:24 |
fishmongler |
but sure, someone with a tap close to the server gets the same activity log |
| 22:24 |
MTDiscord |
<redundantcc> Yeah but that's an issue for the main execution Loop of the program anyway, ssl should really be implemented regardless of any trust violation issues. In fact there wouldn't be the possibility of mitm if all your connections were encrypted by default. |
| 22:25 |
fishmongler |
yeah not doing TLS is stone age |
| 22:26 |
MTDiscord |
<redundantcc> In fact no, asymmetric encryption is going to get broken by quantum computers in a couple years. It would be better to Implement two forms of encryption one for SSL communication traffic, and one for the client to use internally that was resistant to quantum decryption attacks. |
| 22:26 |
MTDiscord |
<wsor4035> it uses https: https://github.com/minetest/minetest/blob/master/minetest.conf.example#L661 |
| 22:26 |
fishmongler |
well that's one worry less |
| 22:26 |
MTDiscord |
<redundantcc> Oh it does that's wonderful, if it's already a dependency why is client traffic not encrypted? |
| 22:27 |
MTDiscord |
<redundantcc> I mean I understand not wanting to implement something custom, but nothing at all seems a bit barbaric. |
| 22:27 |
fishmongler |
shrug, chat should really be encrypted at this point |
| 22:27 |
MTDiscord |
<wsor4035> there is a massive difference between using curl and custom networking |
| 22:27 |
fishmongler |
movement packets don't need to |
| 22:28 |
fishmongler |
but chat is sensitive, people send commands using it |
| 22:28 |
fishmongler |
omemo-like ratchet for chat would be cool |
| 22:28 |
MTDiscord |
<redundantcc> Well but there's the expectation, if my developers hear the connection is encrypted they're going to assume that it's safe to put passwords in forms. |
| 22:28 |
MTDiscord |
<redundantcc> The developers also have to think about what's expected versus what provided by the API |
| 22:28 |
MTDiscord |
<wsor4035> as per usual, it would be cool, <insert something>, someone needs to write the pr |
| 22:29 |
MTDiscord |
<wsor4035> that seems like a you issue tbh, no one said minetests connection is encrypted |
| 22:30 |
MTDiscord |
<redundantcc> I was speaking hypothetically, more so if it was encrypted but only part of it was it would be confusing. I was simply stating that if there was going to be encryption it should be all encompassing, so you didn't have to memorize a list of what was and wasn't safe. |
| 22:30 |
MTDiscord |
<redundantcc> Memorizing the API is a long enough processes it is |
| 22:31 |
rubenwardy |
yeah all my servers are HSTS and HTTPS only |
| 22:33 |
|
panwolfram joined #minetest-dev |
| 22:34 |
MTDiscord |
<redundantcc> Well that's good, still probably shouldn't be calling them without user interaction though. Or at least a checkbox to disable it, the CIA needs to be able to play minetest too. :juanchi_face: |
| 22:37 |
MTDiscord |
<redundantcc> Actually I think a good way of going about it would be to Simply ask with a pop up or something the first time you open the cdb tab, or just have a checkbox to the side to enable and disable auto updating. Hiding it in the settings is a very strange way of doing it. |
| 23:05 |
|
Eragon joined #minetest-dev |
