Client-sided modding: Good or bad?

[Wuzzy]

Hi! This is a thread to discuss client-sided modding or “CSM” for short.

Client-sided modding is a feature which has been added into the developer version of Minetest a few days ago.

This thread has been created to stop the off-topic spam in this thread: viewtopic.php?f=9&t=17046

Documentation (looks very WIP): https://github.com/minetest/minetest/bl ... lua_api.md

[Wuzzy]

Linuxdirk wrote:The lack of communication to the users about CSM.

sofar wrote: We didn't communicate less than normal. All development and discussion is done in the open. Blame yourself instead.

In Linuxdirk's defense, there was no post in the News forum and there wasn't a serious discussion in the forum about this before it has been merged. So many players probably weren't aware. You can't expect that everyone tracks down every single commit of Minetest development in GitHub or to hang around in IRC 24/7. I think it is VERY reasonable to expect that such a gigantic change like client-sided modding deserves at least a mention in the News forum. But I didn't see any.
While I think it would be unfair to say that there was no communication at all, it clearly could have been better.

CSM has the potential to massively offload visual and audio features to the client to make the game much more visually and soundwise appealing (ambiance, particles, special effects) to the players. This is good. Minetest is really bleak without many sounds. More particles will make things like fire and torches nicer. We can finally get better fire sounds and not bring the server down with sound packets. Actual Fog. Better footsteps and water splashing, etc.. A lot of the UI can stop relying on the server and we can make better HUD bars, enhance the minimap, make game screen overlays and score panels.

This sounds great on the surface, but there's a HUGE “but”.
But I am worried that Minetest pushes more and more responsibility from the engine to mods. The engine becomes dumber and dumber (read: It has less core features) and the mods must therefore become more and more complex.
Even standard game features like ambient sounds are not considered to be core features. Other examples:
- There is a relatively small amount of builtin chat commands
- There is no default player model
- There is no built-in help system
- The sound system is still rather weak
- There are no mobs. Instead, there are tons of laggy and incompatible mob mods
- Other things you just mentioned

I think it is a mistake to think that client-sided mods will become the “magic bullet” to solve all of these problems.
I think the answer to many (maybe not all) of these problems is not neccessarily adding more Lua scripts, but improving the core features of the engine. Pushing the responsiblity for even such basic features like sounds to the modder does not feel right to me.
Can you give me some examples for use cases which could ONLY be done by client-sided modding, meaning that an engine implementation would be actually the worse idea?

Also, the example “actual fog”. Seriously? Are you suggesting that mods now also have the responsibility for rendering? Lol, if this trend continues, Minetest will soon be nothing but Lua. xD

The GUI of Minetest is already pretty bare bones and the engine gives you almost nothing by default. Meaning, without mods, you only have a very crappy default GUI, you have to do almost everything by hand first.

You seem to be under the misunderstanding that "minetest_game" is supposed to be the end-all super duper multiplayer subgame. It's not. It's never meant to be, although some people want it to be, and some people don't want it to be. It'll never get solved, either, at any rate.

If you don't want to create a great game, why bother? This is a serious question. I still have not been able to understand the point behind Minetest Game.
Also, this argument is invalid because it ignores other subgames which actually want to be serious multiplayer games.



But at least now I take back the security concerns against client-sided modding, knowing that modifying the engine is not much harder either.
This means the real problem is that it is way too easy to cheat either way. Serious multiplayer subgames are not really possible when it is a key element that players are not allowed to know everything. If it is easy to reveal the positions of all ores, for example, it is impossible to make a “mining competition”-style game without it being flooded by cheaters which you can't even detect.

Then the “documentation”:
https://github.com/minetest/minetest/bl ... lua_api.md

Sorry, but this looks very very WIP and most of it looks just like copypasted from lua_api.md. Not even the introduction is correct:

Mods are contained and ran solely on the server side. Definitions and media files are automatically transferred to the client.

Also not much about the capabilities of this feature is explained, especially the difference from “normal” modding. Sorry, with this document you can't complain about users ignoring it, because it is not really useful at this stage. Linuxdirk was completely right in complaining about the lack of proper documentation.


Overall, to be honest, I remain rather skeptical about this client-sided modding thing. But I will wait and see how things will go.

[bell07]

I am not long at Minetest, and I do not know the client/server concept in detail, but I do not see any reason to fear the client sided modding, even not in security point of view. Minetest server and client are both Open Source. That means any "Hacker" was able to hack and cheat the game in the past too, using modified client version. So all threats are before client sided modding and Minetest developer did a great job to manage them.
New client sided modding leads to new ways and to more people are concerned about it, that leads usually to even more quality where possible in OS-projects

That was my 2 cent: client sided modding +1

[Wuzzy]

Oh, before people complain I was ignorant before this was merged:

I posted a discussion thread in October 2016 (!) to learn more about the rationale behind client-sided modding but it never really took off and I never got an helpful answer:
viewtopic.php?f=3&t=15803

:-(
So much for communication. I don't believe in malice here, it probably was just overlooked. Still:
:-(

[Nyarg]

CSM is a good idea. That allow the server free own time at least as a base feature.

More epic:
CSM may be used as cloud computation system in future that allow server wideself into cloud )

[red-001]

An announcement would just build unnecessary hype. Client-sided modding isn't meant to fix all issues minetest has just off load some of the graphics and ui stuff to the client. Yes the start of the doc is copied form the server documentation but the api list is accurate. You could also read the dev wiki about what csm is meant to achieve (it is a bit out of date) or just search github. All the information is publicly available. If someone doesn't want to do basic background research then there really isn't much that can be discussed. Of course the documentation could be improved and the wiki page updated to be more accurate but getting CSM to a state where it's useful is more important right now.

[burli]

CSM is not bad. Many things can be done.

But what Minetest really needs is a better multicore support, better mapgens, better GPU support and better support for mobs. This has to be done in C++

[Byakuren]

One use case for client side modding is GUI with fast response time and mod-defined behavior. Current GUI (formspecs) have a slow response time since the input has to travel to the server and back, but if GUI stuff could run on the client side then you would only need to send a message to the server when something needs to affect the server. For example, you could have a multiple-page dialog setting up some protection area, and the client would only need to communicate with the server once the player was done inputting all the settings.

[rnd]

FEATURE REQUEST:
server setting : enable_local_scripts = true/false

when false client is prevented from running its own scripts, only those provided by server are allowed.

EDIT: don't reply with how client can do what it wants.. ofc it can if you compile it and change. That's not the point. Point is to prevent "cheat client" being same as game you get when you download minetest from minetest website - "zero effort" cheating, "user friendly" cheating, "cheating in a package"...

[bell07]

when false client is prevented from running its own scripts, only those provided by server are allowed.

The server cannot prevent anything on the client. This fact is independent if client sided mods are implemented or not. In the past it was possible to run own code on client using patched clients. It is open source, so no security by obscurity. If the CSM are implemented it will be simpler to get a "cheater client".

So the main challenge for CSM is to implement the suspicion. The server should never thrust client functionality (vice versa). That means the data sent to client needs to be filtered if the player is allowed to see them (Do not trust the client concealed received data). And all received data back to the server needs to be checked for plausibility.
So the "Jump-functionality" for example needs to be implemented on both sites: On client how the jump is visible and on the server if the player is going up or not.

Now I agree there is a lot to do before MT is ready for CSM.
Pls note the wording: "Mod" means "Modification of existing" not "Adding new". The base needs to be there that could be modified by mods.

[Desour]

@Wuzzy: Suggestion: Open a poll (good or bad) to see how many people are there that still think, there would be a problem.

[Nyarg]

The server cannot prevent anything on the client.
patched clients.
no security by obscurity.
If the CSM are implemented it will be simpler to get a "cheater client".

Yes but it's not problem because server may prevent most cheats in case:
1. Server is End point and control a protocol flow.
2. At end only Server cover and allow change a world data
In other word server is Owner and Supervisor.

[Wuzzy]

Poll added. But please remember this is still a discussion thread.

If the CSM are implemented it will be simpler to get a "cheater client".

It IS already implemented, in case you haven't noticed. Not in version 0.4.15, but in the developer version.

[bell07]

It IS already implemented

I seen it, and I seen the first cheater-mod [oredetect] is already developed. It is just I like to talk in general and/or abstract. ;)

About the "Good" or "Bad" poll, I do not have an answer. In general: yes, In fact: I do'nt know. I have doubts about the minetest sends currently more data to the clients as needed (invisible nodes and nodes metadata, like chests content for them). If before I need a modified client to use them now I just need to install a mod. Cheating will be user friendly now.

[burli]

But you can't install these mods on the client. You have to load them from the server. Or did I miss something?

[Nyarg]

I seen the first cheater-mod [oredetect] is already developed.

Hmm, we need full list of potential way of cheating.
May be somebody create that topic (my english isn't well for it).

For like 'oredetect' mod server may transfer only surface.

[red-001]

Making minetest only send the surface nodes is possible but you have to ask yourself is the extra load on the server and the time it will that to add that worth stopping a few cheaters? It is also likely to make the experience worse for honest players that just have a bad connection.

[red-001]

Anyway since you asked for a full list of cheats possible in minetest in general, here is one:
fly (requires making a single function return true, iirc there is an open PR that is meant to stop it)
noclip (same as above, iirc there is an open PR that is meant to stop it)
wireframe (same as above, close to impossible to detect, impossible to fix)
fast (same as above) can be stopped by the built in anticheat
No drowning/lava/fall damage (can be achieved just by removing a few checks, there is an WIP pr that is meant to fix this)
xray (can be achieved in lot of ways, with the most basic version only requiring a texture pack or a client-sided mod, but more advance versions requiring a modified client, hard to detect, difficult to counter-act)
full bright (requires basic c++ modification, close to impossible to detect, most likely impossible to stop)

[bell07]

I readed the client_lua_api.md, some brainstorming for it

Code: Select all

minetest.register_alias()

Really? Could client site aliases be useful? Oj, I need just to set an alias for dirt to mese !

Code: Select all

formspec list[context;main;0,0;8,4;]

The context could be other players inventory, locked chests and so one. Is this feature secured already?

At the other site I did not found the methods used in [oredetect]

Code: Select all

minetest.register_on_punchnode()
core.find_node_near()
core.get_node()

Is the mod really for the client? After short code inspection it should work on server. By the way, in the folder structure I cannot see any difference if it is a client- or server mod. Maybe "clientmod.conf" should be used instead "mod.conf" to get a difference?

Next question: Is a protocol implemented for Mod2Mod communication? That will be the next insecurity-vector, a buggy mod could open backdoors on server. :/

I realize the CSM should be just an "Enhanced texturepack framework" in first step. That means lua enabled way to modify some visual effects on the client site according to players taste. But it should be clear the most enhancements and features should be still written to the client framework in C++.
A client mod should never be able to do something gameplay relevant because the gameplay is on the server.

Is any documentation available about the visions, goals, concepts and design of currently implemented CSM? Or does it just exists in developer's head?

[/Brainstorm off]

[red-001]

The document is based of the server scripting api doc. The register alias section should be removed. Formspecs created on the client are separated from formspecs sent to the client by the server. However you shouldn't trust formspec data sent to the server by the client, Minetest Games doesn't and if your code does you should change it as someone with a modified with client could send back fake data. The folder data section is closer to an end goal then the current state. Communication between the client and the server hasn't been added yet. I don't know why you think that's a attack vector.
https://github.com/minetest/minetest/issues/5394 is the current issue for tracking bugs and features that should be added to CSM soon there is also a wiki page that is a bit outdated but does cover most of the basics.

[Byakuren]

I readed the client_lua_api.md, some brainstorming for it

Code: Select all

minetest.register_alias()

Really? Could client site aliases be useful? Oj, I need just to set an alias for dirt to mese !

Code: Select all

formspec list[context;main;0,0;8,4;]

The context could be other players inventory, locked chests and so one. Is this feature secured already?

At the other site I did not found the methods used in [oredetect]

Code: Select all

minetest.register_on_punchnode()
core.find_node_near()
core.get_node()

Is the mod really for the client? After short code inspection it should work on server. By the way, in the folder structure I cannot see any difference if it is a client- or server mod. Maybe "clientmod.conf" should be used instead "mod.conf" to get a difference?

Next question: Is a protocol implemented for Mod2Mod communication? That will be the next insecurity-vector, a buggy mod could open backdoors on server. :/

I realize the CSM should be just an "Enhanced texturepack framework" in first step. That means lua enabled way to modify some visual effects on the client site according to players taste. But it should be clear the most enhancements and features should be still written to the client framework in C++.
A client mod should never be able to do something gameplay relevant because the gameplay is on the server.

Is any documentation available about the visions, goals, concepts and design of currently implemented CSM? Or does it just exists in developer's head?

[/Brainstorm off]

I don't see any issue with gameplay-relevant client<->server messaging since players can already send bad formspec submissions (as red-001 said), and formspec submissions can be gameplay relevant (for example, clicking buttons on some machine). It just means that the server needs to do validation of messages from client mods like they already should be doing with formspecs.

[Linuxdirk]

But you can't install these mods on the client. You have to load them from the server. Or did I miss something?

That's the point here. You download an "X-ray mod" like [oredetect] and install it as client-side mod. Now you can use the mod on every server you want without the server knowing that you have X-ray capabilities. Server owners can't even disable it properly.

In it's current state it is not ready for wide use. Currently it is in the development version only yes, but I hope it will stay there at least as long as it would take to add a server option to disable "convenient cheating" in the client.

[burli]

You download an "X-ray mod" like [oredetect] and install it as client-side mod.

Really? Really really? That's ridiculous, if that is true. But I cant believe that the devs are that dumb

[bell07]

I don't see any issue with gameplay-relevant client<->server messaging since players can already send bad formspec submissions

A client<->server / mod <-> mod messaging presupposes a mod at the server site provide an additional sender/receiver. Such sender/receiver is always an additional risk like an open TCP-port.
The most mods are not under control of minetest_mods or minetest_game and do not follow any security guidelines (not needed before). But if I provide an eye-catcher mod with not secured message channel any server owner installs a backdoor by installing such mod. I thing many people does look to screenshots only but not to the code before installing a mod. Of course such issue will be reported and fixed soon, but the area for possible attacks will grow with each additional mod that provides a sender/receiver server site.

[Linuxdirk]

You download an "X-ray mod" like [oredetect] and install it as client-side mod.

Really? Really really? That's ridiculous, if that is true.

It is. As I was told client-side mods can see anything that the client can already see. And since the client can see all ores client-side mods can see them, too.

But I cant believe that the devs are that dumb

Professionally blinkered maybe. Living in an ivory tower at most. But I totally won't call them dumb.