Time | Nick | Message
00:38 | | mrcheese joined #luanti-dev
01:05 | | Eragon joined #luanti-dev
02:27 | | panwolfram joined #luanti-dev
04:00 | | MTDiscord joined #luanti-dev
05:44 | | SFENCE joined #luanti-dev
06:26 | | nekobit joined #luanti-dev
10:12 | | SFENCE joined #luanti-dev
10:36 | | Desour joined #luanti-dev
13:23 | | turtleman joined #luanti-dev
14:13 | | mrcheese joined #luanti-dev
17:01 | | Desour joined #luanti-dev
17:05 | Krock | will merge #16549 #16556 #16563 #16565 in 20 minutes
17:05 | ShadowBot | https://github.com/luanti-org/luanti/issues/16549 -- [no squash] Clean up tiledef/layer handling for node particles + another fix by sfan5
17:05 | ShadowBot | https://github.com/luanti-org/luanti/issues/16556 -- Respect node alpha node for inventory drawing by sfan5
17:05 | ShadowBot | https://github.com/luanti-org/luanti/issues/16563 -- Fix meta tool capabilities regression by cx384
17:05 | ShadowBot | https://github.com/luanti-org/luanti/issues/16565 -- Driver: Handle errors during texture creation by SmallJoker
17:08 | cheapie | Desour: I read through your killswitch proposal, I'm not sure how necessary such a thing really is, but maybe it could take the form of a warning integrated into the update popup that already exists?
17:09 | Desour | cheapie: the update check is disabled usually, afaik
17:09 | Desour | where usually = if you installed via your distro repos
17:10 | cheapie | That seems logical to me, if you installed through your distro then informing you about security issues is mostly their responsibility
17:10 | Krock | killswitch. seems interesting.
17:12 | cheapie | For the users that do have it enabled, what comes to mind for me is something to the effect of "WARNING: Your current version of Luanti (1.23) has known security vulnerabilities. However, an updated version (4.56) is available to resolve this. Update now? [Yes] [No] [More info] [ ] Don't show again"
17:13 | Desour | #16568 btw
17:13 | ShadowBot | https://github.com/luanti-org/luanti/issues/16568 -- Should Luanti have a kill switch?
17:14 | cheapie | But at the same time, none of the other software I have here does anything like this, as it's just generally understood that old software versions are probably vulnerable to something. I'm not aware of anything that makes Luanti more special than, say, a web browser or IRC client here
17:15 | Desour | web browsers usually receive updates much sooner on debian/ubuntu versions than other software, according to my experience
17:15 | Desour | idk if we need a kill switch feature. but I thought I'd open the issue because it didn't exist yet
17:17 | Desour | and irc clients don't have sscsm / javascript, cheapie, to complete my answer
17:31 | rubenwardy | killswitch is a bit overdramatic as a name really. I support the idea though when we have SSCSM
17:36 | Krock | merging ....
17:36 | Desour | euthanizeswitch
17:38 | Krock | done
17:46 | | SFENCE joined #luanti-dev
17:59 | luatic | lay-your-weary-head-to-rest-switch
18:03 | cheapie | This is just reminding me of this now: [CW: NSFW, like more than usual, even by the standards of a cs188 video... and the rest of the video is even worse] https://www.youtube.com/watch?v=rwwN6KRD8OI&t=67
18:05 | rubenwardy | it's more an in-app advisory
18:05 | user333_ | some kind of way to easily communicate security issues to users ingame is a good idea
18:09 | | SFENCE joined #luanti-dev
18:15 | luatic | i agree. good communication will be key.
18:16 | luatic | otherwise i can already see users speculating about some ulterior motive, e.g. this being "not really about security" and more about bullying users into upgrading or something.
18:18 | luatic | hmm on that note though, an interesting idea comes to mind: we could, by default, force users to be on the latest version (maybe with a little leniency, e.g. one version older is still acceptable) if they want to use SSCSM, until SSCSM has stabilized both feature- and security-wise
18:19 | Desour | before SSCSM has stabilized, I wouldn't allow it outside simple singleplayer (and localhost)
18:24 | rubenwardy | this could be part of the serverlist payload
18:28 | Desour | forks will have to host their own kill switch thing, but might still want the same server list, so I wouldn't tie it together
18:55 | luatic | to me extending the existing update checking mechanism (which fetches the static JSON file from luanti.org) to include security advisories seems like the obvious option
18:57 | MTDiscord | <redundantcc> Or you could just include a copy of the oldest version that is considered secure, when the current version goes below that version the current client is considered insecure and it triggers an update warning with a separate toggle than the current one... something like severe_update_disabled
18:59 | MTDiscord | <nathan4220776> It's probably fine as long as there's a documented #define for disabling these sorts of reminders/advisories.
18:59 | MTDiscord | <redundantcc> That way if people want to run an old version to test the Legacy code they can without constantly looking at a pop-up every time, and when the update pop-up is disabled by a distribution the severe pop-up will still come on so that the user can disable it if "I know what I'm doing, stop showing me this"
18:59 | MTDiscord | <nathan4220776> Maybe it's for the best to annoy most casual users into updating.
18:59 | MTDiscord | <nathan4220776> Also, it's just kind of kinky.
18:59 | luatic | nathan4220776: If you look at the issue, it acknowledges that user choice comes first, and suggests a setting.
19:00 | MTDiscord | <nathan4220776> Excellent.
19:01 | MTDiscord | <redundantcc> I think it's a good idea to add as of right now thing, before SSCSM comes online and complicates the necessary scope to achieve security. As long as there's a setting that allows me to go back to an insecure version, and execute code without being accosted by a pop up every time I'm fine with it.
19:03 | MTDiscord | <redundantcc> The only thing I worry about is what happens when the pop up to update and the pop up to update to a secure version both trigger, last time it caused a ui glitch.
19:04 | MTDiscord | <redundantcc> Also probably offer a flag to disable the pop-up from the command line, I believe there's one for the current update flag as well?
19:40 | | SFENCE joined #luanti-dev
20:13 | Krock | pushing https://github.com/luanti-org/luanti/pull/16565#issuecomment-3393579263
22:33 | | panwolfram joined #luanti-dev