For now the feature is disabled, because it breaks a few legitimate mods (although most of them have been patched by now).
You can explicitly enable it by setting secure.enable_security = true in your minetest.conf.
What does this mean for me, the user?
As long as you update all of your mods you shouldn't have any issues. However if you're using some mods (notably IRC) you'll have to list them as trusted. Mods are trusted if they are listed in the secure.trusted_mods setting (see minetest.conf.example). Mods might not be updated in the mod store, so you might have to download the latest version from Git or the mod's download page.
Mods that have to be updated to support security:
- IRC done. Must be listed as trusted.
- WorldEdit done.
- DataStorage done.
- player_textures done but not merged (PR)
I'm a modder, will my mods break?
Probably not. I tried very hard to minimize the amount of breakage that this causes. But the following things shouldn't work:
- Using some insecure functions like require(), os.execute(), or debug.getlocal().
- Running compiled Lua bytecode.
- Reading/writing to anywhere outside the world directory or your mod directory.
- Reading/writing to anywhere in your mod directory after the init stage. (this is a limitation of the way that minetest implements mods. A workaround is to open all files that you will need at startup and use the file descriptors later. Note that you should never write in your mod directory though, only read; the mod directory is not always writable. Use the world directory if you have to save something)
- Setting any setting with a name starting with "secure."
If you need to do one of these things you can use minetest.request_insecure_environment() (see lua_api.txt for details) to access functions that are normally inaccessible or unusable for mods. If you use this your mod will have to be listed as trusted though.