Time Nick Message
12:38 dievri hello. Today I'm trying to write my own authentication. I would like to store user password in plain form (not hashed). I've defined get_auth and create_auth functions and registered them as auth handler. But get_auth gets called already with hashed password. How can I avoid hashing?
13:01 MTDiscord <jakeh04> why would you avoid hashing?
13:02 Ingar easier to steal plaintext passwords from users
13:04 guzzi sounds illegal.
13:04 MTDiscord <jakeh04> ah the ol logging into your user's bank accounts that reuse their passwords lol
13:05 guzzi you planning on creating a honeypot to try to get peoples passwords?
13:05 guzzi evil
13:06 Ingar imho, a bug if the mt client would actually accommodate sending plaintext passwords
13:09 MTDiscord <jakeh04> yeah, let us know if you succeed so we can make an emergency release to fix the huge security flaw lol
13:10 MTDiscord <shivajiva> lmao ?
13:17 ubone https://paste.ubuntu.com/p/4N2ShXdMcT/
13:18 ubone im trying to proxy minetest with nginx but connection fails
13:19 guzzi Ingar is probably creating a fork and then join the serverlist.
13:19 guzzi he wouldn't dare do a pull request
13:19 guzzi but he would still be able to collect passwords
13:20 sfan5 there is no way for the server to get a plaintext password
13:20 guzzi I am sure if you forked the server too you could do it
13:21 guzzi Not sure how we could prevent this server from joining the list
13:21 sfan5 no you can't
13:21 guzzi really?
13:22 guzzi i doubt that.
13:22 sfan5 minetest uses SRP to securely do password authentication
13:22 sfan5 the plaintext password is never sent
13:24 sfan5 ubone: are you sure nginx isn't attempting a tcp connection?
13:25 ubone is minetest udp only?
13:25 ubone idk what nginx does, there's nothing in the logs
13:25 sfan5 yes minetest is udp only
13:27 guzzi oh i see like private public key sorta.
13:27 guzzi srp is beyond my understanding, but basically the server never stores the users password.
13:27 guzzi one would have to completely overhaul the system.
13:28 MTDiscord <jakeh04> or trick someone into using an evil client
13:28 guzzi right. you would need to redo the server to accept plain text passwords and store them . then also get the user to use your modified client.
13:28 guzzi that is a tough sell
13:29 guzzi I guess webapps dont have this issue since no client thus django just saves the hashed password
13:29 guzzi thanks sfan5, i learned something new
13:30 guzzi man, between here and NodeCore i learn so much
13:30 MTDiscord <jakeh04> the browser is the client on the web and all the code that makes it works is downloaded from the server
13:31 guzzi right. thus no worry about saving a hashed password as much
13:34 MTDiscord <jakeh04> there's still a lot of that stuff happening on the web. same authentication ideas really. I'm sure you could make a website implement SRP
13:38 MTDiscord <Warr1024> There's stuff like digest auth but nobody particularly cares about that kind of thing on the web. Digest auth was actually originally intended to solve more like 3rd party eavesdropping issues, which it actually doesn't solve, but TLS does. So everyone just does basic over TLS, or the moral equivalent with web forms.
13:40 MTDiscord <jakeh04> is ssl/tls too slow for gaming?
13:40 MTDiscord <Warr1024> Tbh I'd be more comfortable with MT sending plaintext passwords over a fully encrypted authenticated connection, as I'm already trained by the web not to reuse passwords, but the infrastructure to authenticate an MT server would probably be prohibitive.
13:41 MTDiscord <Warr1024> There are datagram versions of TLS and modern TLS has something like a 1% overhead. OpenVPN is designed on I think a mix of IPSec and DTLS paradigms.
13:41 MTDiscord <Warr1024> The problem though is establishing server identity and trust...
13:42 MTDiscord <jakeh04> I can sell certs for 5.99
13:42 MTDiscord <jakeh04> lol
13:43 MTDiscord <Warr1024> Yeah, I mean, just having a central server authority in the first place is an undertaking, and possibly anathema to the kind of decentralization that MT probably wants to support. Trust on first use schemes are limited if you hop between clients, as users realistically don't compare fingerprints.
13:45 MTDiscord <Warr1024> I suppose as it stands doing SRP over an encrypted connection to a TOFU-authenticated server to establish a session that is subsequently hard to hijack or snoop would be an improvement at least, but no small task.
13:45 mtplayer Hello! I'm playing Minetest on FreeBSD. (I'll admit, 5.2.0) Is it intentional that papyrus only grows on dirt and not on soil? I used the hoe on quite a bit of dirt earlier and noticed papyrus won't grow on it, but does grow on on-hoe'd dirt.
13:46 mtplayer on un-hoe'd dirt*
13:46 MTDiscord <Warr1024> I had actually considered a way of tunneling MT connections over websockets as a means for people behind extremely restrictive firewalls (i.e. web browsing only) to self-host an MT server with the help of a host on the outside.
13:49 MTDiscord <jakeh04> yeah but those kids in the school computer lab should be doing homework lol
13:49 mtplayer https://files.catbox.moe/0ilc2r.png
13:50 MTDiscord <jakeh04> papyrus is setup to grow on regular dirt. i agree though, it should grow on hoed dirt too though
13:51 MTDiscord <jakeh04> could open an issue on minetest game github repo if it bothers you enough
13:51 mtplayer won't make a github account, but if you guys have a mailing list, I'll send it that way
13:52 mtplayer or someone else can make the github issue :P
13:53 MTDiscord <jakeh04> no likey github?
13:54 mtplayer n'aww, just won't make an account for a single issue is all
13:54 mtplayer if I was a dev in a project using GH I'd have one
13:54 mtplayer but email's just lower-effort for now
13:55 MTDiscord <jakeh04> dunno about a mailing list
14:56 MTDiscord <appguru> MTG is ded AFAIK
14:56 MTDiscord <appguru> although this could be seen as a bug
15:11 MTDiscord <Warr1024> I wouldn't file the issue. MTG isn't exactly "dead" but this doesn't sound like something that's clearly and undebatably a bug, and thus is likely not to get changed. 3rd party mods can also probably change this too, so that makes it less likely to be changed upstream...
15:12 specing Please stop using github. It makes no sense to me to use a proprietary software host to host development of a free software project
15:12 specing additionally, it is fast becoming a monopoly (if it isnt one already)
15:12 specing Also please stop using discord. Reading its ToS should provide you enough reason
15:13 MTDiscord <Warr1024> haha, "it's a monopoly" i.e. "there's no competition" is a kinda paradoxical argument to make for "you should switch to a competitor," you have to admit...
15:14 MTDiscord <Warr1024> if you don't like github I believe there are gitlab mirrors of all of the relevant MT projects somewhere
15:14 MTDiscord <jakeh04> I like getting paid for work so I can't bash others that do the same
15:15 MTDiscord <Warr1024> Dunno about access to the issues, but from my perspective I prefer to use pure git, so that projects are not vendor-locked-in by any service, whether they're open-source themselves or not, so I avoid using the issues features.
15:15 specing jakeh04 are you paid to work on Minetest?
15:15 MTDiscord <Warr1024> Is anybody?
15:16 specing That comment made me think that jakeh04 is
15:16 MTDiscord <appguru> Monte's staff prolly
15:16 MTDiscord <jakeh04> hmm could make a jakehcraft fork lol
15:16 MTDiscord <Warr1024> though you gotta admit that, again, "nobody is paid to do this stuff" does seem like a weird argument for "they should have higher standards about the services they use."
15:17 MTDiscord <appguru> specing: There has been lotta discussion, conclusion being that migration is not worth the effort. There's a mirror on GitLab. As GitHub gets microsoftified, I might decide to switch. But ATM there's been no good reason for doing so.
15:18 MTDiscord <Warr1024> git hub/lab can't really exercise lock-in over the repo contents, since that's plain git and easily portable/mirrorable. They CAN make you dependent on things like issue tracking, wikis, CI setups, integrations, etc. so I would definitely encourage projects to have a way to keep mirrors of that data and be prepared to move it if necessary. I don't really worry about whether the service is proprietary or not; in a way, gitlab is
15:18 MTDiscord big enough that I treat it as if some parts of it must be proprietary somewhere. Claims of purity are generally exaggerated :-)
15:18 MTDiscord <jakeh04> That would be nice to get paid for mt stuff. It shall remain hobby effort until then and hobby stuff gets a lower priority than paid work and tends to be less polished because it is hobby work
15:19 specing Warr1024 if they are easily portable then why aren't you moving away?
15:19 MTDiscord <Warr1024> In a way not getting paid for MT stuff is kinda nice too, assuming you get paid for other stuff, as it helps keep MT stuff all about having fun and doesn't make it get too serious
15:19 MTDiscord <appguru> Both GitHub and GitLab have a proper API, which means it should be fairly trivial to migrate.
15:19 MTDiscord <appguru> specing: Because there's no hecking reason apart from FLOSS dogmatism
15:19 MTDiscord <Warr1024> specing: I'm not moving away because ... I'm already fully moved away?
15:20 MTDiscord <Warr1024> I host all my own projects in basically "pure git"; they're on gitlab, but I don't depend on any of the "lab" parts either.
15:20 specing Ok Warr1024
15:20 MTDiscord <appguru> I will move away as soon as I can't put up with the changes for the worse MS is applying to GitHub anymore
15:20 MTDiscord <Warr1024> As for the engine folks, they can do what they want too, but there's a heckuva lot of those folks so getting them all moved at the same time would take some significant effort, and they'd need an equally compelling reason to halt all other work and make that leap.
15:22 MTDiscord <Warr1024> I already applied my own standards of ideological purity when I chose where to host my own projects, but I'm okay with working with other projects where they want to host even if they're less puritanical about those ideological factors.
15:23 MTDiscord <jakeh04> if mt was proprietary, it would probably already have rtx multi render passes and a MTG design team that makes a fun default game lol
15:23 MTDiscord <Warr1024> haha, nah, it'd be a dead project with no funding, or it'd be all about microtransactions and loot boxes in a desperate effort to compete with roblox or something
15:23 Copenhagen_Bram Which Minetest mods are mostly translated to Spanish? I'd like to try playing Minetest in Spanish to practice the language.
15:24 MTDiscord <Warr1024> again, in a way not bringing money into the picture can actually be FREEING, at least in part because it allows you to attract people who share a passion for something. Once you bring any amount of money into the picture it tends to start driving passion away...
15:24 Copenhagen_Bram Oh hey warr
15:25 MTDiscord <Warr1024> Big popular packages are most likely to have some level of translation, probably
15:25 MTDiscord <Warr1024> also hi :-)
15:25 Copenhagen_Bram For a moment I thought this discussion had something to do with using prills as currency in nodecore
15:26 MTDiscord <jakeh04> i think management practices play the biggest part in a loss of passion. One boss makes life suck and the other crafts a productive environment
15:26 Warr1024 Haha, tbh I'm also a first-class IRC citizen but often cba to switch over to my IRC client. Took me a long time to even find one that lets me hop between mobile and desktop reasonably well, which is basically like 99% of the reason why I got into Discord in the first place.
15:26 MTDiscord <jakeh04> same can happen with OSS. say your PRs always get shutdown for instance lol
15:26 MTDiscord <Warr1024> CB: you did mention you were interested in doing spanish translations for nodecore ... I should set you up that weblate account one of these days... :-/
15:27 * Copenhagen_Bram checks what client Warr1024 is using
15:27 MTDiscord <appguru> Ze Bridge
15:27 Copenhagen_Bram Huh. If I want IRC on mobile, I can run weechat with tmux on my computer and ssh in using termux on my phone
15:27 Warr1024 I wonder if my client responds to such requests properly. It's TheLounge, which is a bit weird and feature-barren, but it has good mobile-to-desktop-hopping support, and I can self-host it.
15:28 Warr1024 I tried the irssi-in-tmux-in-ssh thing for a while but ssh clients for mobile add so much awkwardness
15:28 rom1504 weechat + glowing bear works fine
15:28 Copenhagen_Bram You might like to look into termux, it's not an SSH client, it's an entire linux terminal
15:29 Copenhagen_Bram It even has an apt package manager
15:29 Warr1024 I wouldn't call TheLounge ready quite yet to receive my general recommendation though. It lacks certain features that bother me from time to time, and I'd really love to see some kind of scriptability.
15:29 Copenhagen_Bram Hmm
15:30 Warr1024 btw, if you're looking for a good "mobile ssh client" WeTTY is an interesting project to look into, if you're okay substituting TLS security for SSH. Most mobile clients will have a browser, and with WeTTY you basically can turn that into a no-installation-needed SSH client...
15:30 Copenhagen_Bram > I wonder if my client responds to such requests properly.
15:30 Copenhagen_Bram Well, it responded to my CTCP request
15:30 Warr1024 though I haven't tried certain things in it like all the keybinds for example...
15:31 Copenhagen_Bram How would you define a good mobile ssh client?
15:31 Warr1024 One of the problems with the irssi+tmux solution I had was all the hoops I had to jump through to get push notifications sent to my phone. I think what I used was email-to-SMS in the end, but it was a PITA. First-class mobile support makes the push notification thing cleaner...
15:32 Warr1024 I define a good mobile ssh client as (1) mobile, (2) an ssh client, and (3) doesn't find ways to piss me off when I try to actually use it for stuff.
15:32 Copenhagen_Bram And how do I find WeTTY? Duckduckgo searches aren't case sensitive it seems, and searching for wetty brings up a song and a male shaving brand
15:33 Warr1024 https://github.com/butlerx/wetty
15:34 Warr1024 Basically I run nginx reverse proxy -> wetty running in nodejs -> ssh server and it makes a good emergency way to access my machines' terminals when I might not have proper access to an ssh client, or I'm running into firewall problems, like those networks that only let 443/tcp and 80/tcp outbound.
15:35 specing you could have port 80 redirect to 22
15:35 Warr1024 Get yourself a dynamic DNS that you can maintain (I actually use a paid one from dyn.com because :shrug: and it works fine for me) plus a TLS cert from LetsEncrypt...
15:35 specing IPv6 addresses are plentiful
15:36 specing no need for a ton of javascript
15:36 Warr1024 Redirecting from 80 to 22 would be tricky because it would require some complex analysis to determine if the protocol being used is actually ssh or http, and it wouldn't work for some networks I've used where they actually do some heuristic inspection of the packet content and verify that it sanely matches the set of protocols they allow.
15:40 specing no
15:40 specing use one of the 2^64 IPv6 addresses that you arent using
15:41 Warr1024 I'm pretty sure that I'm not using a lot more IPv6 addresses than just that.
15:42 swift110 hey all
15:42 Warr1024 I'd be more inclined to use IPv6 addresses if I didn't have to worry about networks that don't support them, forcing me to use IPv4 fallbacks anyway. It's kind of a shame that IPv6 never really caught on, but I guess I have to live with that.
15:45 MTDiscord <jakeh04> gonna be a pain to type those addresses though lol
15:46 MTDiscord <Warr1024> I wouldn't recommend typing any addresses one way or another anyway. Get a hostname :-)
15:48 MTDiscord <jakeh04> ideally
21:09 DS-minetest What is the best way to get the latest version of the minimal game?
21:09 DS-minetest I'd like to look into my old maps.
21:14 sfan5 grab the one from the commit before devtest was added
21:14 sfan5 or any old one e.g. 5.2.0
21:14 sfan5 there haven't really been relevant changes
21:14 DS-minetest ok, thanks
21:26 DS-minetest for logs (so that someone who reads this won't search for the commit): I've gotten latest minimal via git checkout a9b74f4c3966ad38c2f9a97364d3fdda0e514c93 games/