Time Nick Message 12:20 rubenwardy looking for review: https://github.com/minetest/minetest.github.io/pull/282 12:29 fishmongler Are there plans to reduce the unnecessary data collection later or is this it? 12:29 Krock no because there's nothing unnecessary 12:31 Krock actually there has been a suggestion to reduce the amount of information provided in the user agent: https://github.com/minetest/minetest/issues/14819#issuecomment-2211721126 12:33 fishmongler Well, what's stopping me from making a fork that randomizes this user agent to something plausible looking? 12:33 sfan5 nothing 12:34 Krock fishmongler: https://i.postimg.cc/sXkpvh4y/grafik.png 12:40 fishmongler @Krock I'm 3 microseconds late? Ahead? 12:40 fishmongler Being snarky doesn't help your case here 12:42 Krock fishmongler: it's not sarcastic. it just means it's probably not worth the effort to care about this case 12:42 Krock you're free to propose a change, if it's important to you. 12:44 Krock rubenwardy: what about the version update checker? 12:44 rubenwardy Wdym 12:44 fishmongler I beg to differ, I'm sure a lot of downstreams would care about this if they were aware in the first place 12:44 rubenwardy #14827 12:44 ShadowBot https://github.com/minetest/minetest/issues/14827 -- Add setting to disable Content tab update indicator by rubenwardy 12:44 Krock rubenwardy: I mean the startup version check in Minetest that is not the same as ContentDB 12:45 rubenwardy Ah yeah 12:45 rubenwardy That can be disabled using the update checker config 12:45 pgimeno fishmongler: lets unite and make a bulge in that bell :) 12:46 rubenwardy If we decide to require user affirmative confirmation to enable some network requests, that would apply to the Mt update checker as well as the contentdb update indicator 12:46 Krock yes, in-dev builds and such from repos generally have that disabled by default, thus should mostly affect Windows users 12:46 fishmongler And that's what you should do 12:46 rubenwardy I think it's extreme and would scare users. Better to let privacy conscious distros configure to their needs 12:48 fishmongler rubenwardy Uh..... so hang on, let my brain process this 12:50 fishmongler We want something from the user's house. We are currently sneaking in to take it when they're not looking. Let's not knock on the door to ask for it because... it might scare them, and let's instead keep breaking in to avoid scaring them? 12:50 fishmongler This logic itself is what's scary 12:50 rubenwardy It's disproportionate to the minimal privacy impact the requests have 12:50 fishmongler I'd say it's more about respect than impact 12:51 ROllerozxa I still don't understand the issue with fetching a list of package releases. the list of mods isn't sent to the server and the checking of releases against what you have is done locally on the client. hecks misinterpreted that it was sent to the server in the first place which I think blew things out of proportion 12:51 rubenwardy I'm not against removing info for the user-agent though, maybe we could just include the port name (windows/macos/android/linux) and not specific information like distro or architecture 12:51 fishmongler That part has been explained already, it's not a problem, I assumed there's too many mods already  to fetch the list wholesale 12:52 fishmongler It might become a problem in the future 12:52 Krock to spit more oil into the fire: just turn off the internet 12:52 rubenwardy Yeah if I ever need to send a package list that absolutely would require affirmative consent 12:53 fishmongler What do you need the port name for? 12:54 ROllerozxa yeah I agree that the user agent might send too much details about the OS. for linux I believe it would also send the custom version name of the kernel if one has built it themselves 12:54 sfan5 it looks like we're in the process of re-enacting the discussion from the linked issue 12:55 fishmongler I just wanted to hear from the horse's mouth whether this is actually getting fixed or if we're only updating the policy to avoid getting sued immediately 12:55 fishmongler and I wanted to discuss this without the peanut gallery rabble having tribal ook ooks about how much they don't care about their own security, but it looks like I can't have that Krock 12:56 fishmongler Never mind security, this software is just rude 12:56 fishmongler You don't get to be very rude in FOSS because someone less rude can come along and take over 12:57 fishmongler Every ad blocker that implements a sponsored whitelist gets instantly forked to not have that whitelist. Every web browser that has telemetry has a fork without said telemetry. etc 12:58 Krock as I said, you're free to propose a change. If that does not fit you either, forking is a possibility here as well. 12:58 fishmongler I have proposed enough in the issue 12:59 Krock I rather meant code-wise, but the issue is a good start for that. 13:00 sfan5 I suppose the next step is to wait for consensus to emerge 13:00 fishmongler 1. That means less time for me to deal with Hat Lag 2: Transform Chain Boogaloo and other blockers 13:00 fishmongler 2. I don't like spending time cleaning up after others though fixing hatlag bugs is also that I guess 13:02 Krock what does "hatlag" mean? 13:02 fishmongler I think I need to make some transform/attach stress tests for devtest because these bugs keep slipping in unnoticed otherwise 13:02 fishmongler Hatlag is #14818 13:02 ShadowBot https://github.com/minetest/minetest/issues/14818 -- Attachments lag behind bones under some circumstances 13:07 fishmongler also what follows from 2. is that if the amount of damage from bad practices and bugs hits a critical mass, it becomes cheaper to fork than to do this constant crisis management 13:16 MTDiscord Okay so, the minetest collects the operating system, the architecture, and if you have a custom kernel it might pull that in. In the contentdb tab. Is there anything else? 13:18 Krock it also sells your soul to bill gates 13:18 fishmongler Bill Gates era Windows collected less data 13:18 MTDiscord Ah, well, I hope he at least stores it in a nice jar 13:22 fishmongler @jordan4ibanez According to the policy text, the master server does this too. This is actually new information to me but not surprising. And currently the main menu does this, not the CDB tab. 13:22 MTDiscord wait windows xp had ceip 13:23 fishmongler "Windows XP was released one year after Gates stepped down as Microsoft CEO.[53]" 13:24 MTDiscord So he helped make it lol 13:24 MTDiscord But regardless, we should enable a debian mode so it breaks minetest's ability to look at contentdb and the server list 13:24 fishmongler Oh, but you know what win XP also did? It asked you whether you want to participate when you ran the install 13:24 fishmongler and so did 7 13:25 MTDiscord So I take it you agree with debian mode then? 13:25 fishmongler I'm not sure what do you mean by "debian mode", I mean, debian does the bare minimum 13:26 fishmongler I roll my eyes when debian asks me whether i want to participate in the "package popularity contest" or whatever, but at least it asks 13:26 MTDiscord Yes exactly, absolutely no internet connectivity from any home servers when enabled by default on foss servers 13:26 MTDiscord foss repository servers, I mean, like debians 13:26 fishmongler That's the bare minimum of respect you can have for your user 13:26 MTDiscord so we don't want any communication with the home base, we don't want to have any contentdb tab enabled, and you'll have to go find your own servers 13:27 fishmongler Just have a modal the first time you open the content tab 13:27 MTDiscord No, we don't want any exposure to any of that 13:27 fishmongler I don't understand why is Minetest suddenly cargo culting sleazy corporate practices that are already on their way out 13:28 fishmongler even using the same "to assist in development and improve things" language which never meant what it said when it shows up in corporate policies 13:29 MTDiscord You're offending my gfortran compiler talking about corporate practices. But anyways, if you are in favor of disabling these hard links by default on certain linux distros, feel free to chime into the issue that wardenruby linked earlier 13:30 fishmongler "the issue" that I'm the OP in? 13:31 MTDiscord Yes 13:31 MTDiscord But hold on I would like to chime into it 13:35 MTDiscord Well it turns out you are not the operator of that post, different issue 13:36 fishmongler i hope it'll be a higher IQ take than "iF yOu DOn't lIke tracKerS, maYbe yOu ShOUlD GET ofF tHe inteRnet" 13:36 MTDiscord No, debian mode, not joking. A boolean value you can disable the entire thing with 13:37 MTDiscord Should disable server list, contentdb tab, all that stuff 13:37 MTDiscord If a user or distro wants to recompile in debian mode, they should be allowed to easily 13:37 fishmongler Doesn't fix the real issue but it's useful for development 13:37 MTDiscord Well, it'll become compiled out, so it won't be machine code at that point 13:38 fishmongler The real issue is bad defaults, bad practices, and probably a rotten culture 13:38 MTDiscord If there was a true rotten core along the core team, debian mode wouldn't even be a valid suggestion at all 13:38 fishmongler Disabling CDB entirely as the solution is just malicious because you don't even get devtest with the engine nowadays 13:39 MTDiscord No, in fact, even debian agrees that you should not use contentdb 13:40 MTDiscord That's where the name debian mode came from, it's the base of freedom. If you want to not be exposed to even a sip of any telemetry it should honestly be respected 13:41 fishmongler If I didn't think the culture was salvageable, I'd fork instead of coming here. This debian mode you're suggesting sounds to me like malicious compliance 13:42 fishmongler I just don't want to make network requests from the main singleplayer page whenever I restart to test my game, which is a lot 13:42 MTDiscord No, because rubenwardy is the sole runner of contentdb. And many people like yourself do not agree with the way this is run, and we should have a tasteful way to enable this agreement that we do not agree 13:44 fishmongler He's the sole runner of it but he also tightly integrated it with software that's an upstream for many people. 13:44 rubenwardy I believe it's cached to once per day or something similar fyi 13:44 fishmongler This is a responsible role 13:50 MTDiscord Of course, but then we must think one level lower than this. If rubenwardy hadn't stepped up to the plate and financed this endeavour, we would not have contentdb at all. It came into existence out of the basis of necessity due to resource disbursement aka mods all over the forums. If you think that this is being handled in a truly egregious manor then you should open up a new issue on the github to explain what, why, and how 13:50 MTDiscord things are bad and need to be changed so it has a more staying presence than it being scrolled past in the irc channel 13:51 MTDiscord When something truly bothers me, I will open an issue, even though I know it will immediately get slammed shut, but I can always go back to it to see I expressed my disapproval and desire for change 13:51 fishmongler sigh. i have already opened the issue, i came here because the issue thread has deteriorated into a stupidity contest 13:57 MTDiscord fishmongler: i agree that devtest should have tests for this. we should probably replace green wizard with sam and throw some attachments in there. 13:58 MTDiscord "cool guy :]" might also be an option 13:58 fishmongler i don't understand your argument here jordan, so wardy decided to fix the problem of discovering mods by creating a central repository. okay, that's his own choice. he's funding it out of pocket. well fine, thanks, but i don't feel very guilty about it because i only use it to download devtest/mtg when i'm looking for bugs, i checked out a few 13:58 fishmongler other packages when it shipped and that's it 13:58 fishmongler @luatic sam and coolguy are too simple, i wanted to make something that actually can stress test this; possibly a 3d green wizard 13:59 MTDiscord okay sure but the bugs so far would've been found with a simple test as well if i'm not mistaken? 13:59 MTDiscord a stresstest seems like it would be more useful later when we move skinning to the GPU and want to see the performance impact of that 14:00 fishmongler i've noticed that mibi is like a particle accelerator for discovering new bugs and it has to do with being more complicated than minetest_game, so i want to make a test entity that's roughly this demanding 14:01 MTDiscord sounds good 14:01 fishmongler at the very least a skinned player model and an identical model living as an entity, and all sorts of bone attachment/override setups for it 14:01 fishmongler also a skinned vehicle because that's another edge case 14:03 fishmongler it's not about stress testing rendering but transform behavior and activeobject lifetimes, that's the code that breaks the most often 14:05 MTDiscord about the ao lifetimes, @ExeVirus has been working on tests for that since it's relevant for the spatial indexing 14:06 fishmongler huge entities are another desirable test case: #14686 14:06 ShadowBot https://github.com/minetest/minetest/issues/14686 -- Allow large entities: Large collision boxes, large selection boxes, large visuals 14:06 MTDiscord I mean, yeah I have been. Also I'll be looking at vectorizing our collision box math so that should provide a ~5x speedup of those calculations 14:07 MTDiscord between optimizing which objects to look at and optimizing the collision box math, that should help us increase collision box allowances as well as handle more objects in general. It'll likely expose bad collision handling though haha 14:08 fishmongler @exe_virus how do you "properly" vectorize code in minetest, do you just use arrays and hope the compiler picks it up? or do we use compiler vector extensions and write fallbacks? 14:08 MTDiscord no, I was going to work with google highway, since they do fallback nicely 14:08 MTDiscord https://github.com/google/highway 14:09 fishmongler okay so "this exists" basically 14:09 fishmongler avx2 mapgen would be nice 14:10 MTDiscord yep, small baby steps, first AO spatial index, then collision vectorization since that is another obvious bottleneck based on flame graphs, then whack a mole till we're happy. Gotta have robust detest runtime tests to support that 14:12 fishmongler light and liquids is where i'd like to see simd 14:22 pgimeno there used to be a compile-time switch to disable curl, which I always did; what happened to that? 14:25 ROllerozxa it has never gone anywhere, it still exists 14:30 fishmongler anyway back to the telemetry issue; there is a pattern to my complaints - "this feature wasn't here when i decided to invest time into minetest" 14:31 fishmongler sure i can edit and build myself a version without telemetry, but that's beside the point 14:32 MTDiscord by that logic then minetest devs should do nothing, because anyone who decides to use minetest afterword's will have something different than when they started 14:32 fishmongler fallacy 14:33 fishmongler i now have to explain to my users that the official client has telemetry in it and give them a mitigation guide, or give them a cleaned up version in which case i might want to break compat on purpose so that somebody doesn't accidentally end up using the bad one 14:34 MTDiscord Well, if that was the case, why didn't you just do that? 14:34 fishmongler the first or the second thing? 14:34 MTDiscord Either or 14:34 fishmongler the first thing is laughable from a PR perspective and was only rhetorical, so only option 2 remains 14:35 fishmongler and that means i have been scammed out of any time i spent looking for and fixing bugs 14:35 MTDiscord Then why don't you fork it and just roll your own release and only pull in changes you want? 14:35 fishmongler I'm basically threatening this 14:35 MTDiscord I say go for it bro, I already did this where I gutted out all android compatibility and pause timers 14:36 fishmongler The situation during the shading fiasco was a little different in that I was still dependent on the master server for discovery 14:36 fishmongler I can afford to advertise now or just spin my own protocol-compatible closed source client 14:37 fishmongler but I'm also pissed off enough to just maintain a competing foss fork 14:37 MTDiscord If you're angry enough about it then why not just go all in on it? 14:38 fishmongler Because it's not for you to decide, jordan 14:38 MTDiscord Oh well I'm not telling you to do it, you're telling me lol 14:38 fishmongler And because this is a very stupid thing to hard fork over 14:38 fishmongler The smart thing to do is to stop being spyware in need of a fork 14:44 fishmongler Another reason is that I genuinely care about the existing users and I don't think they should be tracked or exposed to security holes 14:46 fishmongler and I'm seeing bad practices slowly creep in, so now's a good time to examine the bigger picture 14:49 fishmongler So far it's 50/50, some of the devs are taking this seriously and others are being absolute clowns 14:51 fishmongler Ironically the guys taking it the most seriously are the author of this feature and the guy running the server for it 15:00 fishmongler The rest are basically having a contest of signalling how much they don't care, they don't care so much they just have to come in and tell everyone about it 15:00 fishmongler As if bad practices could become any less bad by popular vote 15:03 celeron55_ with a less aggressive start to that issue it could have been a lot more productive 15:04 fishmongler rubenwardy You've at least noticed that a consent dialog might scare people, that's a good observation, only the conclusion is wrong. It might scare people because the software is doing scary things 15:04 fishmongler hi celeron 15:05 celeron55_ you could close it, make a new one with a simple reasonable suggestion and see if it goes better. it's not unreasonable to ask e.g. "Do not perform the request until the CDB tab has been clicked". but now nobody sees that suggestion because it's buried within the flamewar 15:05 fishmongler I don't see how this could have been pointed out less aggressively, besides the one misconception because I was auditing the code as I was typing out the issue 15:06 MTDiscord not to mention the lead post is wrong about certain things 15:06 fishmongler The relevant people already know what's up and how they should fix it anwyay, I only came here to ask if they're actually going to do it 15:06 fishmongler and to try to evangelize good practices and respect for the users 15:07 rubenwardy Calling it telemetry is very misleading, there's a legitimate interest and the piracy impact is very small 15:07 fishmongler No you see, intent does not matter here, what matters is what the software does 15:07 celeron55_ fishmongler: it's just laziness, not malice. laziness tends to get fixed over time. you obviously want to take part into it 15:08 fishmongler Check your logs, you literally own a heatmap of when I'm at my computer right now 15:08 fishmongler My user agent is probably close to unique 15:08 fishmongler yes it is laziness, but I think it's gonna creep up if I don't raise it now 15:09 fishmongler and there are nasty implications such as the part with downstreams potentially not wanting this change 15:09 fishmongler I could get MT soft-booted of F-Droid right now if I snitched, but I'm not doing that 15:11 fishmongler Since we're discussing this, the objective has been achieved 15:12 fishmongler I'd just like to add that I absolutely do not understand the use for any of the data or the attitude towards it, from a web admin perspective I consider data toxic and want to retain as little of it as possible, especially in the EU 15:12 celeron55_ MT's goals align with your complaint. you can see how most people react: they're not wanting to shut you down. but this needs to be actively turned into a productive thing in order for something to happen and you need to take part in that 15:12 fishmongler Data is just trouble 15:13 fishmongler I'm taking part in that, I'm not forking anything 15:13 fishmongler Some idiots poured oil into the fire too 15:13 celeron55_ like, to sum it up into the shortest possible statement: i think everyone agrees "unsolicited network request" is a thing, and it makes sense to be careful with those 15:14 fishmongler uhhuh, also Minetest has a reputation as a comfy nonhostile FOSS thing and I think that's worth preserving 15:14 fishmongler and FOSS users usually have high standards for quality and conduct 15:15 fishmongler Honestly the base Content tab has enough dead space for a "Check for updates automatically" checkbox 15:16 celeron55_ with a hostile opening, you get a hostile response. people tend to behave in that way. i like it that we have people rather than some kind of soul-less corporate interaction 15:21 celeron55_ it's all too common these days for software taking a longer time to start when you have a bad internet connection. and it's always a bad sign. but it's everywhere, and only a very few people actually manage to live lives where data about them isn't being constantly sent to various places 15:23 celeron55_ MT should take part in making it possible, because it's one of the few programs that can do it 15:23 MTDiscord Oh interesting, so we're concerned about tagging users to their check-ins with CDB. So, don't update until they tab over to CDB? 15:23 celeron55_ (in the FOSS world it's of course very common to be able to) 15:24 MTDiscord Is there an issue for this? Should be an easy enough thing to get done 15:24 MTDiscord Exevirus, go read up first please 15:24 fishmongler @exe_virus Basically, and also don't send more than is needed for the service to operate 15:24 celeron55_ well i'd say as a rule: a network request should be only made when the user expects it to be made 15:24 fishmongler Sending the exact OS version is overkill and could potentially be used by a malicious actor if they get their hands on it 15:25 celeron55_ if the user checks a checkbox for automatic updates at startup, then the user does expect requests to be made at startup. but not otherwise. otherwise the user expects them to be made when they enter the cdb menu, or whatever 15:25 MTDiscord That's a reasonable rule, not too hard to meet either. And wsor: did read, still not seeing if an issue has been made yet 15:26 celeron55_ yes and of course sending excessive data does nothing other than enables fingerprinting which is not desirable. it's not even desirable to the person who receives the data, because it's a liability 15:26 BuckarooBanzai ^ https://github.com/minetest/minetest/issues/14819 15:26 fishmongler This was basically the behavior before CDB auto update integration and MT auto update check 15:26 fishmongler The multiplayer tab was the only source of requests and you had to click it, also it literally cannot function without making a request (if LAN discovery is added, maybe that will change) 15:27 MTDiscord Okay sounds good, will read up there and see if I can summarize it 15:27 MTDiscord Also for the record, very few people here seem in disagreement, should be doable for 5.10 15:27 fishmongler addendum to the lan discovery thing: quake 3 has different modes of its server browser and the "Internet" mode makes a master request only when you navigate to it 15:28 fishmongler so if we, for example, had sub-tabs between LAN and internet servers, only the internet tab warrants a master fetch 15:30 celeron55_ it would be good if the issue was made somehow more accessible. it's a super annoying wall of text 15:31 fishmongler Let's just split the issue then, I'll close the original 15:40 MTDiscord Okay, fully caught up, we are* taking it seriously, relatively fast turnaround it looks like too. If you do make the new issue, please keep it concise. Offer the issues to be addressed only, preferably no exact solutions, and then we can hash out exact implementations in the PR(s). But feel free not to do any of that, because we'll get it solved either way 15:42 MTDiscord Also, as an aside, I wish OS's would come with a good network traffic sniffer/tracker to help us know when and which programs are phoning out in general - I have this problem with a lot of software haha 16:02 fishmongler #14830 #14829 16:02 ShadowBot https://github.com/minetest/minetest/issues/14830 -- Minimize data sent in network requests 16:02 ShadowBot https://github.com/minetest/minetest/issues/14829 -- Network requests are being performed without the user's consent 18:57 celeron55_ @exe_virus a tool that shows a popup any time a program contacts a new server would be cool. (the trigger condition could of course be configurable) 19:15 pgimeno I have a DNS proxy that logs all DNS accesses in a window, so it pretty much fulfils that purpose (not 100% reliable because it won't catch e.g. http://123.45.67.89/ but good enough) 19:53 sfan5 such firewall tools exist, famously https://www.obdev.at/en/products/littlesnitch/index.html 19:58 sfan5 I could get MT soft-booted of F-Droid right now if I snitched, but I'm not doing that 19:58 sfan5 you should absolutely tell them because this isn't going to get fixed in light speed and the users deserve to know 21:17 grorp alright, I'll open an fdroid issue 21:19 grorp https://gitlab.com/fdroid/fdroiddata/-/issues/3309 22:17 MTDiscord So is this something you're seriously considering fixing or just reporting it out of a duty to be honest? 22:17 fishmongler it's probably getting fixed but 5.8 was released with the flaw 22:18 MTDiscord I mean I still don't see the issue with a little bit of logging as long as it's limited to data built into the binary, the binary should be able to log that it's executing as compiled for Windows... what specific Windows version or things like kernel information probably shouldn't be sent but data about the compilation shouldn't be considered privileged information? 22:18 MTDiscord What specific data is being sent? 22:19 fishmongler specific OS version is being sent which i don't think is useful for anything anyway 22:19 fishmongler it just makes rare OS users identifiable 22:19 MTDiscord Oh well yeah that's violation of trust, unexecutable should never be acting on its own much less sending fingerprint information autonomously. 22:21 MTDiscord At most I could see some built-in string like "mt-nix", or something similar being used for metrics. But you should never pull data about a user specific configuration, at least without explicit permission. 22:21 fishmongler in the unlikely event that someone evil gains control of this server and figures out how to exploit users using the update pull, the OS info lets them select a payload efficiently 22:22 fishmongler I really don't think those metrics are useful for anything 22:22 fishmongler not even mobile vs nonmobile 22:23 MTDiscord Oh don't be silly Ruben's code is well known to not have bugs, that being said the infrastructure he runs on might not be so well protected. Not to mention that encryption is a hotly debated topic, which means it's probably not implemented for transactions against cdb. Pretty much anyone could snoop on it if they have the right access. 22:23 fishmongler forget snooping, mitm is the issue 22:24 fishmongler but sure, someone with a tap close to the server gets the same activity log 22:24 MTDiscord Yeah but that's an issue for the main execution Loop of the program anyway, ssl should really be implemented regardless of any trust violation issues. In fact there wouldn't be the possibility of mitm if all your connections were encrypted by default. 22:25 fishmongler yeah not doing TLS is stone age 22:26 MTDiscord In fact no, asymmetric encryption is going to get broken by quantum computers in a couple years. It would be better to Implement two forms of encryption one for SSL communication traffic, and one for the client to use internally that was resistant to quantum decryption attacks. 22:26 MTDiscord it uses https: https://github.com/minetest/minetest/blob/master/minetest.conf.example#L661 22:26 fishmongler well that's one worry less 22:26 MTDiscord Oh it does that's wonderful, if it's already a dependency why is client traffic not encrypted? 22:27 MTDiscord I mean I understand not wanting to implement something custom, but nothing at all seems a bit barbaric. 22:27 fishmongler shrug, chat should really be encrypted at this point 22:27 MTDiscord there is a massive difference between using curl and custom networking 22:27 fishmongler movement packets don't need to 22:28 fishmongler but chat is sensitive, people send commands using it 22:28 fishmongler omemo-like ratchet for chat would be cool 22:28 MTDiscord Well but there's the expectation, if my developers hear the connection is encrypted they're going to assume that it's safe to put passwords in forms. 22:28 MTDiscord The developers also have to think about what's expected versus what provided by the API 22:28 MTDiscord as per usual, it would be cool, , someone needs to write the pr 22:29 MTDiscord that seems like a you issue tbh, no one said minetests connection is encrypted 22:30 MTDiscord I was speaking hypothetically, more so if it was encrypted but only part of it was it would be confusing. I was simply stating that if there was going to be encryption it should be all encompassing, so you didn't have to memorize a list of what was and wasn't safe. 22:30 MTDiscord Memorizing the API is a long enough processes it is 22:31 rubenwardy yeah all my servers are HSTS and HTTPS only 22:34 MTDiscord Well that's good, still probably shouldn't be calling them without user interaction though. Or at least a checkbox to disable it, the CIA needs to be able to play minetest too. :juanchi_face: 22:37 MTDiscord Actually I think a good way of going about it would be to Simply ask with a pop up or something the first time you open the cdb tab, or just have a checkbox to the side to enable and disable auto updating. Hiding it in the settings is a very strange way of doing it.