Time Nick Message
17:05 Krock will merge #16549 #16556 #16563 #16565 in 20 minutes
17:05 ShadowBot https://github.com/luanti-org/luanti/issues/16549 -- [no squash] Clean up tiledef/layer handling for node particles + another fix by sfan5
17:05 ShadowBot https://github.com/luanti-org/luanti/issues/16556 -- Respect node alpha node for inventory drawing by sfan5
17:05 ShadowBot https://github.com/luanti-org/luanti/issues/16563 -- Fix meta tool capabilities regression by cx384
17:05 ShadowBot https://github.com/luanti-org/luanti/issues/16565 -- Driver: Handle errors during texture creation by SmallJoker
17:08 cheapie Desour: I read through your killswitch proposal, I'm not sure how necessary such a thing really is, but maybe it could take the form of a warning integrated into the update popup that already exists?
17:09 Desour cheapie: the update check is disabled usually, afaik
17:09 Desour where usually = if you installed via your distro repos
17:10 cheapie That seems logical to me, if you installed through your distro then informing you about security issues is mostly their responsibility
17:10 Krock killswitch. seems interesting.
17:12 cheapie For the users that do have it enabled, what comes to mind for me is something to the effect of "WARNING: Your current version of Luanti (1.23) has known security vulnerabilities. However, an updated version (4.56) is available to resolve this. Update now? [Yes] [No] [More info] [ ] Don't show again"
17:13 Desour #16568 btw
17:13 ShadowBot https://github.com/luanti-org/luanti/issues/16568 -- Should Luanti have a kill switch?
17:14 cheapie But at the same time, none of the other software I have here does anything like this, as it's just generally understood that old software versions are probably vulnerable to something. I'm not aware of anything that makes Luanti more special than, say, a web browser or IRC client here
17:15 Desour web browsers usually receive updates much sooner on debian/ubuntu versions than other software, according to my experience
17:15 Desour idk if we need a kill switch feature. but I thought I'd open the issue because it didn't exist yet
17:17 Desour and irc clients don't have sscsm / javascript, cheapie, to complete my answer
17:31 rubenwardy killswitch is a bit overdramatic as a name really. I support the idea though when we have SSCSM
17:36 Krock merging ....
17:36 Desour euthanizeswitch
17:38 Krock done
17:59 luatic lay-your-weary-head-to-rest-switch
18:03 cheapie This is just reminding me of this now: [CW: NSFW, like more than usual, even by the standards of a cs188 video... and the rest of the video is even worse] https://www.youtube.com/watch?v=rwwN6KRD8OI&t=67
18:05 rubenwardy it's more an in-app advisory
18:05 user333_ some kind of way to easily communicate security issues to users ingame is a good idea
18:15 luatic i agree. good communication will be key.
18:16 luatic otherwise i can already see users speculating about some ulterior motive, e.g. this being "not really about security" and more about bullying users into upgrading or something.
18:18 luatic hmm on that note though, an interesting idea comes to mind: we could, by default, force users to be on the latest version (maybe with a little leniency, e.g. one version older is still acceptable) if they want to use SSCSM, until SSCSM has stabilized both feature- and security-wise
18:19 Desour before SSCSM has stabilized, I wouldn't allow it outside simple singleplayer (and localhost)
18:24 rubenwardy this could be part of the serverlist payload
18:28 Desour forks will have to host their own kill switch thing, but might still want the same server list, so I wouldn't tie it together
18:55 luatic to me extending the existing update checking mechanism (which fetches the static JSON file from luanti.org) to include security advisories seems like the obvious option
18:57 MTDiscord Or you could just include a copy of the oldest version that is considered secure, when the current version goes below that version the current client is considered insecure and it triggers an update warning with a separate toggle than the current one... something like severe_update_disabled
18:59 MTDiscord It's probably fine as long as there's a documented #define for disabling these sorts of reminders/advisories.
18:59 MTDiscord That way if people want to run an old version to test the Legacy code they can without constantly looking at a pop-up every time, and when the update pop-up is disabled by a distribution the severe pop-up will still come on so that the user can disable it if " I know what I'm doing, stop showing me this"
18:59 MTDiscord Maybe it's for the best to annoy most casual users into updating.
18:59 MTDiscord Also, it's just kind of kinky.
18:59 luatic nathan4220776: If you look at the issue, it acknowledges that user choice comes first, and suggests a setting.
19:00 MTDiscord Excellent.
19:01 MTDiscord I think it's a good idea to add as of right now thing, before SSCSM comes online and complicates the necessary scope to achieve security. As long as there's a setting that allows me to go back to an insecure version, and execute code without being accosted by a pop up every time I'm fine with it.
19:03 MTDiscord The only thing I worry about is what happens when the pop up to update and the pop up to update to a secure version both trigger, last time it caused a ui glitch.
19:04 MTDiscord Also probably offer a flag to disable the pop-up from the command line, I believe there's one for the current update flag as well?
20:13 Krock pushing https://github.com/luanti-org/luanti/pull/16565#issuecomment-3393579263