Discussion about client-side modding

User avatar
Linuxdirk
Member
 
Posts: 1174
Joined: Wed Sep 17, 2014 11:21
Location: Germany
GitHub: 4w
In-game: Linuxdirk

Re: Client-side modding section

by Linuxdirk » Mon May 22, 2017 12:43

tjnenrtn wrote:Let me pose a question: what possibly could be any better for the state of Minetest security and exposing problems than CSM?!

You mean except a security based code audit, or a more detailed permissions system, or SSL connections to servers by default, or more server-side validity checks for client actions?
 

tjnenrtn
New member
 
Posts: 9
Joined: Fri May 19, 2017 23:49
GitHub: tjnenrtn
IRC: tjnenrtn
In-game: tjnenrtn

Re: Client-side modding section

by tjnenrtn » Tue May 23, 2017 02:44

  • security based code audit: this would be fantastic, but very expensive and certainly way beyond the scale of resources available to this volunteer-run project, maybe crowdfunding is an option?
  • more detailed permissions system: extra granularity here would be great, pretty sure I've seen improvements discussed over on git, but I'm not sure how much is actually gained from this in terms of server security posture
  • SSL by default: would be awesome and maybe this is possible now with Let's Encrypt, but as you know provides no protection whatsoever from client-side exploits which is the context of this discussion
  • server-side validity checks: this one! imho this is an argument for CSM, not against as it is now the very thing driving devs to focus on these concerns; already improvements are landing such as private meta, I'm sure more will follow

There are some valid concerns about CSM, sure, but the FUD and hostility are completely uncalled for (not to mention cringe-worthy) given the huge amount of free work done by volunteers to make this game.
 

User avatar
kaadmy
Member
 
Posts: 701
Joined: Thu Aug 27, 2015 23:07
GitHub: kaadmy
IRC: KaadmY
In-game: KaadmY kaadmy NeD

Re: Client-side modding section

by kaadmy » Tue May 23, 2017 14:41

Well...
Having more secure privilegess is pretty useless, since the client can just ignore specific privileges because they're all checked client-side.
I could literally add one line to the client give myself all movement/rendering privileges.
Never paint white stripes on roads near Zebra crossings.

Pixture
 

User avatar
Linuxdirk
Member
 
Posts: 1174
Joined: Wed Sep 17, 2014 11:21
Location: Germany
GitHub: 4w
In-game: Linuxdirk

Re: Client-side modding section

by Linuxdirk » Tue May 23, 2017 16:35

kaadmy wrote:Having more secure privilegess is pretty useless, since the client can just ignore specific privileges because they're all checked client-side.

Then on server side check all stuff a client does against a list of things a client could do and if it differs: kick.
 

User avatar
DS-minetest
Member
 
Posts: 969
Joined: Thu Jun 19, 2014 19:49
Location: in front of my pc (which is at home)
GitHub: DS-Minetest
In-game: DS

Re: Client-side modding section

by DS-minetest » Fri Jun 02, 2017 15:38

What to do with a mod that can be server- and client-side?
viewtopic.php?f=9&t=17780
Post it at both sections?
Do not call me -minetest.
Call me DS or DS-minetest.
I am German, so you don't have to pm me English if you are also German.
The background is a lie.
 

User avatar
GreenDimond
Member
 
Posts: 1033
Joined: Wed Oct 28, 2015 01:26
Location: A rip in the space-time continuum.
GitHub: GreenXenith
IRC: GreenDimond
In-game: GreenDimond

Re: Client-side modding section

by GreenDimond » Fri Jun 02, 2017 17:15

Doesn't the use of "." for CSM commands create problems for chat with things like
...

._.

.-.

or does it check for a command identical to the one qued and only send it as a command if a match is found?
My YouTube channel. I moderate the HOMETOWN Server. My Mods: Tac Nayn - Sandplus - Waffles - Pumpkin Spice - Christmas Decor ✂️- - - - -
 

paramat
Developer
 
Posts: 3014
Joined: Sun Oct 28, 2012 00:05
Location: UK
GitHub: paramat
IRC: paramat

Re: Client-side modding section

by paramat » Sat Jun 10, 2017 23:04

nrz wrote:For the ores, we are thinking about a better ore creation

Don't worry we're not, i wouldn't allow it and the ideas were ridiculous. Changing ore generation due to the cheat problem of CSM would have been a solution completely the wrong way around.

Anyway now many server owners and others are speaking up about other problems CSM causes, and restrictions on client-provided clientmods are being coded. Unfortunately this is being done too late, after a release that enables these problems to happen. There was discussion and strong objections raised long before release in this thread and the oredetect mod thread, so there is no excuse, the devs who were working on CSM ignored the concerns.

As a dev i am sorry i did not keep a close watch on what they were doing, i trusted them, but now wish i had made a fuss earlier. So here's my issue thread at Github https://github.com/minetest/minetest/issues/5915
Celeron55's post:
"Current CSM is bad.
The design of Minetest is to give all possible control to servers."

As for the usefullness of CSM, it seems to me that the most useful use of it is with server-provided clientmods, this is consistent with the design of MT being that the server provides and controls as much as possible.
It is strange then that this has been left to last, and has even been described as difficult to acheive. However apparently, originally this was considered the primary purpose of CSM.
So the implementation of CSM so far has been a disaster.

Unfortunately the new restrictions being coded will only be enforceable for new clients.
The thread for the restrictions PR is here https://github.com/minetest/minetest/pull/5930
Luckily for CSM 0.5.0 is coming up in 6 months and we were already planning to break backwards compatibility then, so this will allow servers to enforce restrictions on CSM by forcing all clients to upgrade to 0.5.0.
We might release a 'point release' 0.4.16.1 in 1-2 months after CSM restrictions are coded, but old clients will still be able to get around this.
 

User avatar
TumeniNodes
Member
 
Posts: 2199
Joined: Fri Feb 26, 2016 19:49
Location: in the dark recesses of the mind
GitHub: TumeniNodes
IRC: tumeninodes
In-game: TumeniNodes

Re: Client-side modding section

by TumeniNodes » Sat Jun 10, 2017 23:20

Is it possible to just wipe csm altogether in a point release?
It is still so new, that it has not been exploited much (aside from for hacking) and causing problems.

And possibly revisit the idea once it is more developed and tested?

mistakes happen, they are inevitable...
quality shows in how quickly they are addressed ; )
Reckless disregard for the truth -- will not be protected by a qualified privilege.
 

red-001
Member
 
Posts: 201
Joined: Tue Jan 26, 2016 20:15
GitHub: red-001
IRC: red-001 red-002 red-003 etc red-NaN red-999 Lord_Buckethead

Re: Client-side modding section

by red-001 » Sat Jun 10, 2017 23:27

Thank **** god that CSM mod sending hasn't been implemented for 0.4.16. I'm fairly certain considering the current state of CSM security that someone would have found an exploit in the sandbox that would allow them to attack the client. And once you have that sort of security exploit it's even harder to deal with then the current situation.
 

User avatar
GreenDimond
Member
 
Posts: 1033
Joined: Wed Oct 28, 2015 01:26
Location: A rip in the space-time continuum.
GitHub: GreenXenith
IRC: GreenDimond
In-game: GreenDimond

Re: Client-side modding section

by GreenDimond » Sat Jul 01, 2017 15:45

We keep talking about using CSM for weather and such which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a clients CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?
My YouTube channel. I moderate the HOMETOWN Server. My Mods: Tac Nayn - Sandplus - Waffles - Pumpkin Spice - Christmas Decor ✂️- - - - -
 

User avatar
harmony
Member
 
Posts: 400
Joined: Tue Jun 20, 2017 22:16
Location: Hometown of course! :P
IRC: ynomrah
In-game: ynomrah

Re: Client-side modding section

by harmony » Tue Jul 11, 2017 17:35

GreenDimond wrote:We keep talking about using CSM for weather and such which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a clients CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?

what are CSMs for?
I LOVE BTS!!! ARMYS Fighting!! *chants* Kim NamJoon, Kim SeokJin, Min YoonGi, Jung HoSeok, Park JiMin, Kim Taehyung, Jeon Jungkook, BTS!
I'm a dreamer and a believer.
Nothing is impossible because the word itself says "I'm possible"
There are no accidents, everything happens for a reason.
Love, Nom Nom.
 

User avatar
azekill_DIABLO
Member
 
Posts: 6968
Joined: Wed Oct 29, 2014 20:05
Location: Inside the Box
GitHub: azekillDIABLO
In-game: azekill_DIABLO

Re: Client-side modding section

by azekill_DIABLO » Wed Jul 12, 2017 11:06

they are mod that are only handled by client, they nearly don't interact with the server!
 

wilkgr76
Member
 
Posts: 829
Joined: Wed Feb 18, 2015 02:44

Re: Client-side modding section

by wilkgr76 » Thu Jul 27, 2017 05:56

EDIT: Whoops, wrong thread. My apologies! Message has been removed
"If you can't contribute code, contribute docs!" --wilkgr, 2017
 

User avatar
Lejo
Member
 
Posts: 240
Joined: Mon Oct 19, 2015 16:32
GitHub: Lejo1
In-game: Lejo

Re: Client-side modding section

by Lejo » Tue Aug 01, 2017 16:46

In the client_lua_api.md there is a methode to set the minetest.conf, but it don't work.
It says: attempt to call global "set" (a nil value)
 

User avatar
DS-minetest
Member
 
Posts: 969
Joined: Thu Jun 19, 2014 19:49
Location: in front of my pc (which is at home)
GitHub: DS-Minetest
In-game: DS

Re: Client-side modding section

by DS-minetest » Tue Aug 01, 2017 17:35

Lejo wrote:In the client_lua_api.md there is a methode to set the minetest.conf, but it don't work.
It says: attempt to call global "set" (a nil value)

The documentation is wrong here.
Do not call me -minetest.
Call me DS or DS-minetest.
I am German, so you don't have to pm me English if you are also German.
The background is a lie.
 

User avatar
ManElevation
Member
 
Posts: 752
Joined: Tue Aug 02, 2016 22:04
Location: Madrid,Spain
GitHub: ManElevation
IRC: ManElevation
In-game: ManElevation

Re: Client-side modding section

by ManElevation » Thu Aug 03, 2017 23:43

DS-minetest wrote:
Lejo wrote:In the client_lua_api.md there is a methode to set the minetest.conf, but it don't work.
It says: attempt to call global "set" (a nil value)

The documentation is wrong here.

:/
 

User avatar
azekill_DIABLO
Member
 
Posts: 6968
Joined: Wed Oct 29, 2014 20:05
Location: Inside the Box
GitHub: azekillDIABLO
In-game: azekill_DIABLO

Re: Client-side modding section

by azekill_DIABLO » Fri Aug 18, 2017 10:10

Is CSM dead right now? All features and possible mods seem to have been realized... I can't wait for a better API to come...
 

User avatar
Linuxdirk
Member
 
Posts: 1174
Joined: Wed Sep 17, 2014 11:21
Location: Germany
GitHub: 4w
In-game: Linuxdirk

Re: Client-side modding section

by Linuxdirk » Fri Aug 18, 2017 12:25

azekill_DIABLO wrote:Is CSM dead right now? All features and possible mods seem to have been realized... I can't wait for a better API to come...

paramat contacted some of the authors and asked them to remove their mods from the forums because of security reasons.

CSM was rushed into release anyways and I hope that it will be completely re-implemented using a feature-based whitelist.
 

User avatar
azekill_DIABLO
Member
 
Posts: 6968
Joined: Wed Oct 29, 2014 20:05
Location: Inside the Box
GitHub: azekillDIABLO
In-game: azekill_DIABLO
 

User avatar
jordan4ibanez
Member
 
Posts: 1885
Joined: Tue Sep 27, 2011 18:44
Location: Rhode Island, USA
GitHub: jordan4ibanez
IRC: jordan4ibanez
In-game: jordan4ibanez

Re: Client-side modding section

by jordan4ibanez » Mon Sep 18, 2017 00:30

Client side hud would be fantastic
If you can think it, you can make it.
Save net neutrality
 

User avatar
azekill_DIABLO
Member
 
Posts: 6968
Joined: Wed Oct 29, 2014 20:05
Location: Inside the Box
GitHub: azekillDIABLO
In-game: azekill_DIABLO

Re: Client-side modding section

by azekill_DIABLO » Mon Sep 18, 2017 18:17

jordan4ibanez wrote:Client side hud would be fantastic

yes! it can do formspec! why not hud?
 

User avatar
Linuxdirk
Member
 
Posts: 1174
Joined: Wed Sep 17, 2014 11:21
Location: Germany
GitHub: 4w
In-game: Linuxdirk

Re: Client-side modding section

by Linuxdirk » Mon Sep 18, 2017 18:48

azekill_DIABLO wrote:
jordan4ibanez wrote:Client side hud would be fantastic

yes! it can do formspec! why not hud?

Because it was rushed into release and a lot of important features and the whole “security stack” are missing.
 

User avatar
azekill_DIABLO
Member
 
Posts: 6968
Joined: Wed Oct 29, 2014 20:05
Location: Inside the Box
GitHub: azekillDIABLO
In-game: azekill_DIABLO

Re: Client-side modding section

by azekill_DIABLO » Tue Sep 19, 2017 16:46

oh. i suspected things like that. CSM is still a 'baby'
 

User avatar
Inocudom
Member
 
Posts: 2959
Joined: Sat Sep 29, 2012 01:14
IRC: Inocudom
In-game: Inocudom

Re: Client-side modding section

by Inocudom » Sat Nov 25, 2017 04:03

How about client-side mods that can increase color saturation and add depth-of-field?
 

Sires
Member
 
Posts: 108
Joined: Mon Jan 02, 2017 21:00
Location: Hue knows...
IRC: Sires
In-game: Sires

Re: Client-side modding section

by Sires » Sun Nov 26, 2017 15:11

GreenDimond wrote:We keep talking about using CSM for weather and such which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a clients CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?


In my opinion, I hope some dev consider it but ik I won't :P
Welp, I think that the server should have something like "Disable undocumented clientmods", each CSM could have some pretty spefic tags about what is adds, like a documentation.txt that contains:
weather
rain
snow
Then the server can choose to disable certain CSMs with the "rain" tag and send it's own CSM for rain for example.
Example 2: In some CSM for fire particles in torches, in the documentation.txt there is:
particles
fire
Then the server disables every client mod with the "fire" and "particles" tag because it already have it's own CSM for that.
That's my idea :)

Also sory bay may anglish, iti is kainda bed
Working in a new mod

Also, Sires is not pronouncied like Siri, it's from Sir, use he not she(also not it, I'm not a thing :P).

**SORY MAY BADDY ANGLISH**
 

Previous

Return to Client-side modding



Who is online

Users browsing this forum: No registered users and 1 guest