Time Nick Message
09:57 BuckarooBanzai sfan5: when you have some spare time can you update the "worldedit" mod on the contentdb (https://content.minetest.net/packages/sfan5/worldedit/) or give me the go-ahead and i'll do it for you :)
09:58 BuckarooBanzai latest master doesn't error out if you don't have an inv-mod installed
10:04 sfan5 BuckarooBanzai: done
10:45 BuckarooBanzai Thanks ;)
12:12 MTDiscord "package managers packaging mods is weird though" Is there possibly examples of games or other software where core is released as package but software uses its own package format and repository? I can't recall any similar to minetest right now but if you can it could be good to provide few examples for that debian guy. Keeping engine release package up to date would be more useful.
12:13 erlehmann SX which bug are you referring to?
12:13 erlehmann > examples of games or other software where core is released as package but software uses its own package format and repository?
12:14 erlehmann openttd, and it sucked until openttd-opengfx, openttd-openmsx, openttd-opensfx were packaged
12:14 erlehmann battle for wesnoth, and it sucked when you wanted to install campaigns for all users
12:14 MTDiscord Only reason I could see to use packages would be to allow easy global installs. erlehmann, referring to short discussion between sfan5/rubenwardy (yesterday).
12:16 erlehmann well, there is also the issue that contentdb is full of fun stuff that is *always* the newest version
12:16 erlehmann when a distribution delivers minetest engine + mod packages, it basically should make sure they match
12:18 erlehmann and with some mod devs only working on bleeding edge engine stuff and the engine devs aggressively deleting/refactoring stuff, i bet distributions will want to be more conservative, not less
12:19 MTDiscord Yeah, problem with packaging games (and some other larger software) like that is mostly with rapid upgrades at upstream and users trying to find ways to upgrade ultimately breaking their package managers :p
12:20 erlehmann rapid upgrades at upstream are not a problem until you have a hostile upstream
12:20 erlehmann hostile, as in, breaking stuff in minor revisions (instead of being honest about it)
12:20 MTDiscord It does increase workload if you're trying to assure too much.
12:20 MTDiscord I hate domain specific package managers
12:21 erlehmann i hate it too if everything under the sun wants its own package management. windows and OS X have it and it is a nuisance.
12:21 erlehmann also that way all users have to upgrade separately.
12:22 MTDiscord Seen many attempts fail because of that workload, simply not enough free time. That's why IMO ContentDB should be used as much as possible. Still packaging would be useful for few use cases but probably way less than "regular" gamers for minetest.
12:23 erlehmann the thing is, the distro usually do all the work
12:23 MTDiscord I mean mod packaging as distribution / version specific packages. ContentDB already knows what should be compatible.
12:23 erlehmann like they apply patches if upstream is being stupid
12:23 MTDiscord I have all of my minetest games installed as system packages
12:23 MTDiscord I'd do the same with mods but it'd take too much work and they're more intertwined
12:23 MTDiscord Yeah, there's that. But that's why core engine should have distribution specific package, but mods should not.
12:24 rubenwardy erlehmann: ContentDB only installs versions of packages that support the engine version
12:24 erlehmann SX contentdb packages are not even cryptographically signed
12:24 rubenwardy so only supporting bleeding edge engine is fine
12:24 rubenwardy erlehmann: HTTPS
12:24 rubenwardy mod env is also sandboxed
12:25 rubenwardy Signing is used with apt to support multiple mirrors, which isn't something that we aim to support
12:25 erlehmann rubenwardy i live in a country (germany) where the gov can legally distribute malware
12:25 rubenwardy mod downloads tend to be small
12:25 erlehmann https does not protect against that
12:25 rubenwardy it does
12:25 rubenwardy it's impossible for them to hijack ContentDB unless you trust their CA
12:25 rubenwardy in which case, you have bigger issues
12:26 MTDiscord if the german government were to send you malware by MITMing CDB, wouldn't it give a certificate error? unless they somehow obtain a valid certificate
12:26 erlehmann i didn't say MITM
12:26 MTDiscord erlehmann: if gov did already install custom root certs to your machines then I don't think anything can save you...
12:27 erlehmann look, i once found a break-in in a server that distributed software, https did not save anyone from downloading it.
12:27 erlehmann (and it was not government, obv)
12:27 erlehmann but verifying signatures would have helped
12:27 erlehmann it was years ago
12:27 erlehmann nowadays i do, for example, gpg sign my commits
12:28 rubenwardy it's massively overkill
12:28 MTDiscord exactly same happens when someone steals package signing keys
12:28 MTDiscord well if the centralized server gets hacked, any hackers worth their salt would have changed the signatures to match the malicious software
12:28 rubenwardy also, I wouldn't trust modders to safely store a key
12:28 MTDiscord keep in mind we're not talking about binary packages, but packages where you can easily read the source code it contains
12:28 erlehmann rubenwardy that is why distributions do it. you don't need to put in much work.
12:29 erlehmann in fact, i think they prefer if you don't try to interfere
12:29 rubenwardy in which case, the distributions have an important key and you have the same issue
12:29 erlehmann true, but more likely that they get it right than any random game ;)
12:29 rubenwardy in that a hacker can gain access to the server
12:30 erlehmann yeah but access to the download server doesn't get you anything
12:30 rubenwardy I don't trust distributions to handle mods properly, they'll be super outdated and probably missing dependencies
12:30 erlehmann you have to have the signature, the debian devs use nitrokey or yubikey USB HSMs i think?
12:30 rubenwardy and also only support a subset of mods
12:30 erlehmann well i happen to have worked on mods i want in distributions
12:31 erlehmann and honestly, i think you can't really do something against them packaging it, can you?
12:31 rubenwardy I can't, but I can say that it's dumb
12:32 MTDiscord Thing is, engine would be signed package and executes mods in sandbox environment. There main security of course comes by assuming that sandbox is fine and core package is checked well enough.
12:32 rubenwardy do they have browser plugins packages as well?
12:32 erlehmann yes and with browser plugins it is really important
12:32 MTDiscord Linux distro serving mods and games is stupid, we already have problems with distro keeping mte up to date
12:32 MTDiscord there are firefox extensions packaged in arch
12:32 erlehmann rubenwardy, chrome browser plugins often get taken over (bought out) and malware gets added
12:32 erlehmann a coworker researched that topic a few years ago
12:33 erlehmann basically when an extension gets bought, it is often that the new owner adds a “load this code from this random host and use the existing permissions to do … something”
12:33 rubenwardy you're not allowed to do that
12:33 erlehmann so with browser plugins/extensions it is *really* important
12:33 rubenwardy both Chrome and Firefox ban running code from remote hosts
12:34 erlehmann well, as i understand it firefox does actual reviews
12:34 erlehmann but the chrome team only removes that shit when you point it out
12:34 erlehmann but i may be wrong, my info is years outdated
12:34 rubenwardy distro packaging of extensions only helps if you review the updates, and this will inevitably result in extensions becoming outdated
12:34 erlehmann regardless, that can *not* happen with distro extensions
12:35 MTDiscord for the "the great suspender" extension which was bought out and embedded with malware, google ended up taking it down several months after the malicious update was uploaded
12:35 erlehmann yeah lol
12:35 erlehmann and meanwhile those extensions have permissions like “inject arbitrary code on all sites”
12:37 erlehmann rubenwardy “engine content will be outdated” is only a concern for devs that can't do backwards compatibility and minetest has been reasonably good on that so far. renpy for example though changes so much that games basically come with 1 version of renpy in the download and then bitrot.
12:38 rubenwardy it's a concern for users too, especially on a platform like arch
12:38 erlehmann rubenwardy openttd also is so good on backwards compatibility that ms dos mods run on it. nothing gets deprecated bc ppl know that no one will upgrade the existing content.
12:39 erlehmann what does arch have to do with this?
12:39 MTDiscord I mentioned it packaging firefox extensions
12:40 erlehmann yeah debian does that too
12:40 erlehmann and tbh i'd not use password manager extension if it can be bought at any time lol
12:40 erlehmann (flamebait before i go make food: arch breaks all the time, isn't that the unique selling proposition?)
12:41 MTDiscord grr
14:51 koowgnojeel Mafdet :3
17:58 MTDiscord sfan5: Any opinion on pay-to-win scam servers on the serverlist?
18:07 sfan5 those exist?
18:08 sfan5 and you'll have to define what "scam" is, pay2win != scam
18:11 MTDiscord See https://media.discordapp.net/attachments/369123275877384192/903287519674773585/Screenshot_2021-10-28_16-21-04.png
18:12 MTDiscord The "scam" part is that it claims to be "for FREE" while it clearly isn't: Mining cryptocurrency costs computational power, which equals real world money.
18:13 MTDiscord Luckily, it seems nobody fell for it yet - according to the stats on the linked website, nobody is mining that cryptocurrency.
19:16 sfan5 eh well if that's what they want to do
19:17 Krock bitcoin mining CSM when?
19:20 Chpy0 wen rug ser