You mean except a security based code audit, or a more detailed permissions system, or SSL connections to servers by default, or more server-side validity checks for client actions?tjnenrtn wrote:Let me pose a question: what possibly could be any better for the state of Minetest security and exposing problems than CSM?!
Discussion about client-side modding
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: Client-side modding section
-
- Member
- Posts: 12
- Joined: Fri May 19, 2017 23:49
- GitHub: tjnenrtn
- IRC: tjnenrtn
- In-game: tjnenrtn
Re: Client-side modding section
- security based code audit: this would be fantastic, but very expensive and certainly way beyond the scale of resources available to this volunteer-run project, maybe crowdfunding is an option?
- more detailed permissions system: extra granularity here would be great, pretty sure I've seen improvements discussed over on git, but I'm not sure how much is actually gained from this in terms of server security posture
- SSL by default: would be awesome and maybe this is possible now with Let's Encrypt, but as you know provides no protection whatsoever from client-side exploits which is the context of this discussion
- server-side validity checks: this one! imho this is an argument for CSM, not against as it is now the very thing driving devs to focus on these concerns; already improvements are landing such as private meta, I'm sure more will follow
- kaadmy
- Member
- Posts: 706
- Joined: Thu Aug 27, 2015 23:07
- GitHub: kaadmy
- IRC: KaadmY
- In-game: KaadmY kaadmy NeD
Re: Client-side modding section
Well...
Having more secure privilegess is pretty useless, since the client can just ignore specific privileges because they're all checked client-side.
I could literally add one line to the client give myself all movement/rendering privileges.
Having more secure privilegess is pretty useless, since the client can just ignore specific privileges because they're all checked client-side.
I could literally add one line to the client give myself all movement/rendering privileges.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: Client-side modding section
Then on server side check all stuff a client does against a list of things a client could do and if it differs: kick.kaadmy wrote:Having more secure privilegess is pretty useless, since the client can just ignore specific privileges because they're all checked client-side.
- Desour
- Member
- Posts: 1473
- Joined: Thu Jun 19, 2014 19:49
- GitHub: Desour
- IRC: Desour
- In-game: DS
- Location: I'm scared that if this is too exact, I will be unable to use my keyboard.
Re: Client-side modding section
What to do with a mod that can be server- and client-side?
viewtopic.php?f=9&t=17780
Post it at both sections?
viewtopic.php?f=9&t=17780
Post it at both sections?
he/him; Codeberg; GitHub; ContentDB; public personal TODO list; "DS" is preferred (but often too short)
- GreenXenith
- Member
- Posts: 1356
- Joined: Wed Oct 28, 2015 01:26
- GitHub: GreenXenith
- Location: UTC-8:00
- Contact:
Re: Client-side modding section
Doesn't the use of "." for CSM commands create problems for chat with things like
...
._.
or does it check for a command identical to the one qued and only send it as a command if a match is found?.-.
YouTube | Mods | Patreon | Minetest Discord @greenxenith
You should not be able to read this message.
You should not be able to read this message.
- paramat
- Developer
- Posts: 3700
- Joined: Sun Oct 28, 2012 00:05
- GitHub: paramat
- IRC: paramat
- Location: UK
Re: Client-side modding section
Don't worry we're not, i wouldn't allow it and the ideas were ridiculous. Changing ore generation due to the cheat problem of CSM would have been a solution completely the wrong way around.nrz wrote:For the ores, we are thinking about a better ore creation
Anyway now many server owners and others are speaking up about other problems CSM causes, and restrictions on client-provided clientmods are being coded. Unfortunately this is being done too late, after a release that enables these problems to happen. There was discussion and strong objections raised long before release in this thread and the oredetect mod thread, so there is no excuse, the devs who were working on CSM ignored the concerns.
As a dev i am sorry i did not keep a close watch on what they were doing, i trusted them, but now wish i had made a fuss earlier. So here's my issue thread at Github https://github.com/minetest/minetest/issues/5915
Celeron55's post:
"Current CSM is bad.
The design of Minetest is to give all possible control to servers."
As for the usefullness of CSM, it seems to me that the most useful use of it is with server-provided clientmods, this is consistent with the design of MT being that the server provides and controls as much as possible.
It is strange then that this has been left to last, and has even been described as difficult to acheive. However apparently, originally this was considered the primary purpose of CSM.
So the implementation of CSM so far has been a disaster.
Unfortunately the new restrictions being coded will only be enforceable for new clients.
The thread for the restrictions PR is here https://github.com/minetest/minetest/pull/5930
Luckily for CSM 0.5.0 is coming up in 6 months and we were already planning to break backwards compatibility then, so this will allow servers to enforce restrictions on CSM by forcing all clients to upgrade to 0.5.0.
We might release a 'point release' 0.4.16.1 in 1-2 months after CSM restrictions are coded, but old clients will still be able to get around this.
- TumeniNodes
- Member
- Posts: 2943
- Joined: Fri Feb 26, 2016 19:49
- GitHub: TumeniNodes
- IRC: tumeninodes
- In-game: TumeniNodes
- Location: in the dark recesses of the mind
- Contact:
Re: Client-side modding section
Is it possible to just wipe csm altogether in a point release?
It is still so new, that it has not been exploited much (aside from for hacking) and causing problems.
And possibly revisit the idea once it is more developed and tested?
mistakes happen, they are inevitable...
quality shows in how quickly they are addressed ; )
It is still so new, that it has not been exploited much (aside from for hacking) and causing problems.
And possibly revisit the idea once it is more developed and tested?
mistakes happen, they are inevitable...
quality shows in how quickly they are addressed ; )
A Wonderful World
Re: Client-side modding section
Thank **** god that CSM mod sending hasn't been implemented for 0.4.16. I'm fairly certain considering the current state of CSM security that someone would have found an exploit in the sandbox that would allow them to attack the client. And once you have that sort of security exploit it's even harder to deal with then the current situation.
My mods: Mute, Extra TNT blast effectsnyancats_plus and More charcommands
Example CSM mods:Chatlog and Formspec editor
Example CSM mods:Chatlog and Formspec editor
- GreenXenith
- Member
- Posts: 1356
- Joined: Wed Oct 28, 2015 01:26
- GitHub: GreenXenith
- Location: UTC-8:00
- Contact:
Re: Client-side modding section
We keep talking about using CSM for weather and such which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a clients CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?
YouTube | Mods | Patreon | Minetest Discord @greenxenith
You should not be able to read this message.
You should not be able to read this message.
- harmony
- Member
- Posts: 410
- Joined: Tue Jun 20, 2017 22:16
- IRC: ynomrah
- In-game: ynomrah
- Location: 고향 ^-^
Re: Client-side modding section
what are CSMs for?GreenDimond wrote:We keep talking about using CSM for weather and such which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a clients CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?
저는 방탄소년단 를 사랑해요!!! 아미!! 김남준,김석진,민윤기,정호석,박지민,김태형,전정국,방탄소년단!
저는 블랙핑크 를 사랑해요!!! 블링크!! 김지수,김제니,박채영,리사(ปราณ ปริ ยา มโน บาล)
저는 블랙핑크 를 사랑해요!!! 블링크!! 김지수,김제니,박채영,리사(ปราณ ปริ ยา มโน บาล)
- azekill_DIABLO
- Member
- Posts: 7507
- Joined: Wed Oct 29, 2014 20:05
- GitHub: azekillDIABLO
- In-game: azekill_DIABLO
- Location: OMICRON
- Contact:
Re: Client-side modding section
they are mod that are only handled by client, they nearly don't interact with the server!
Gone, but not dead. Contact me on discord: azekill_DIABLO#6565
DMs are always open if you want to get in touch!
DMs are always open if you want to get in touch!
Re: Client-side modding section
EDIT: Whoops, wrong thread. My apologies! Message has been removed
N/A
Re: Client-side modding section
In the client_lua_api.md there is a methode to set the minetest.conf, but it don't work.
It says: attempt to call global "set" (a nil value)
It says: attempt to call global "set" (a nil value)
- Desour
- Member
- Posts: 1473
- Joined: Thu Jun 19, 2014 19:49
- GitHub: Desour
- IRC: Desour
- In-game: DS
- Location: I'm scared that if this is too exact, I will be unable to use my keyboard.
Re: Client-side modding section
The documentation is wrong here.Lejo wrote:In the client_lua_api.md there is a methode to set the minetest.conf, but it don't work.
It says: attempt to call global "set" (a nil value)
he/him; Codeberg; GitHub; ContentDB; public personal TODO list; "DS" is preferred (but often too short)
- ManElevation
- Member
- Posts: 896
- Joined: Tue Aug 02, 2016 22:04
- GitHub: ManElevation
- IRC: ManElevation
- In-game: ManElevation
- Location: Madrid,Spain
Re: Client-side modding section
:/DS-minetest wrote:The documentation is wrong here.Lejo wrote:In the client_lua_api.md there is a methode to set the minetest.conf, but it don't work.
It says: attempt to call global "set" (a nil value)
My Public Mods! Discord: Rottweiler Games#3368
- azekill_DIABLO
- Member
- Posts: 7507
- Joined: Wed Oct 29, 2014 20:05
- GitHub: azekillDIABLO
- In-game: azekill_DIABLO
- Location: OMICRON
- Contact:
Re: Client-side modding section
Is CSM dead right now? All features and possible mods seem to have been realized... I can't wait for a better API to come...
Gone, but not dead. Contact me on discord: azekill_DIABLO#6565
DMs are always open if you want to get in touch!
DMs are always open if you want to get in touch!
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: Client-side modding section
paramat contacted some of the authors and asked them to remove their mods from the forums because of security reasons.azekill_DIABLO wrote:Is CSM dead right now? All features and possible mods seem to have been realized... I can't wait for a better API to come...
CSM was rushed into release anyways and I hope that it will be completely re-implemented using a feature-based whitelist.
- azekill_DIABLO
- Member
- Posts: 7507
- Joined: Wed Oct 29, 2014 20:05
- GitHub: azekillDIABLO
- In-game: azekill_DIABLO
- Location: OMICRON
- Contact:
Re: Client-side modding section
I hope so :)
Gone, but not dead. Contact me on discord: azekill_DIABLO#6565
DMs are always open if you want to get in touch!
DMs are always open if you want to get in touch!
- jordan4ibanez
- Member
- Posts: 1923
- Joined: Tue Sep 27, 2011 18:44
- GitHub: jordan4ibanez
- IRC: jordan4ibanez
- In-game: jordan4ibanez
Re: Client-side modding section
Client side hud would be fantastic
hello, am program. do language in rust. make computer do. okay i go now.
- azekill_DIABLO
- Member
- Posts: 7507
- Joined: Wed Oct 29, 2014 20:05
- GitHub: azekillDIABLO
- In-game: azekill_DIABLO
- Location: OMICRON
- Contact:
Re: Client-side modding section
yes! it can do formspec! why not hud?jordan4ibanez wrote:Client side hud would be fantastic
Gone, but not dead. Contact me on discord: azekill_DIABLO#6565
DMs are always open if you want to get in touch!
DMs are always open if you want to get in touch!
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: Client-side modding section
Because it was rushed into release and a lot of important features and the whole “security stack” are missing.azekill_DIABLO wrote:yes! it can do formspec! why not hud?jordan4ibanez wrote:Client side hud would be fantastic
- azekill_DIABLO
- Member
- Posts: 7507
- Joined: Wed Oct 29, 2014 20:05
- GitHub: azekillDIABLO
- In-game: azekill_DIABLO
- Location: OMICRON
- Contact:
Re: Client-side modding section
oh. i suspected things like that. CSM is still a 'baby'
Gone, but not dead. Contact me on discord: azekill_DIABLO#6565
DMs are always open if you want to get in touch!
DMs are always open if you want to get in touch!
Re: Client-side modding section
How about client-side mods that can increase color saturation and add depth-of-field?
[BitChute: https://www.bitchute.com/channel/fCcBQxrYQjNX/] [Rumble: https://rumble.com/user/HPoorHMagentaHChildH]
-
- Member
- Posts: 190
- Joined: Mon Jan 02, 2017 21:00
- GitHub: Sires0
- IRC: Sires
- In-game: Sires Sores Siri Seris or anything ppl call me
- Location: :noitacoL
Re: Client-side modding section
In my opinion, I hope some dev consider it but ik I won't :PGreenDimond wrote:We keep talking about using CSM for weather and such which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a clients CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?
Welp, I think that the server should have something like "Disable undocumented clientmods", each CSM could have some pretty spefic tags about what is adds, like a documentation.txt that contains:
weather
rain
snow
Then the server can choose to disable certain CSMs with the "rain" tag and send it's own CSM for rain for example.
Example 2: In some CSM for fire particles in torches, in the documentation.txt there is:
particles
fire
Then the server disables every client mod with the "fire" and "particles" tag because it already have it's own CSM for that.
That's my idea :)
Also sory bay may anglish, iti is kainda bed
I don't have anything important to say.
Who is online
Users browsing this forum: No registered users and 1 guest