Linuxdirk wrote:The lack of communication to the users about CSM.
sofar wrote: We didn't communicate less than normal. All development and discussion is done in the open. Blame yourself instead.
sofar wrote:CSM has the potential to massively offload visual and audio features to the client to make the game much more visually and soundwise appealing (ambiance, particles, special effects) to the players. This is good. Minetest is really bleak without many sounds. More particles will make things like fire and torches nicer. We can finally get better fire sounds and not bring the server down with sound packets. Actual Fog. Better footsteps and water splashing, etc.. A lot of the UI can stop relying on the server and we can make better HUD bars, enhance the minimap, make game screen overlays and score panels.
sofar wrote:You seem to be under the misunderstanding that "minetest_game" is supposed to be the end-all super duper multiplayer subgame. It's not. It's never meant to be, although some people want it to be, and some people don't want it to be. It'll never get solved, either, at any rate.
Mods are contained and ran solely on the server side. Definitions and media files are automatically transferred to the client.
when false client is prevented from running its own scripts, only those provided by server are allowed.
bell07 wrote:The server cannot prevent anything on the client.
patched clients.
no security by obscurity.
If the CSM are implemented it will be simpler to get a "cheater client".
If the CSM are implemented it will be simpler to get a "cheater client".
I seen it, and I seen the first cheater-mod [oredetect] is already developed. It is just I like to talk in general and/or abstract. ;)It IS already implemented
Hmm, we need full list of potential way of cheating.bell07 wrote: I seen the first cheater-mod [oredetect] is already developed.
minetest.register_alias()
formspec list[context;main;0,0;8,4;]
minetest.register_on_punchnode()
core.find_node_near()
core.get_node()
bell07 wrote:I readed the client_lua_api.md, some brainstorming for itYour phone or window isn't wide enough to display the code box. If it's a phone, try rotating it to landscape mode.Really? Could client site aliases be useful? Oj, I need just to set an alias for dirt to mese !
- Code: Select all
minetest.register_alias()
Your phone or window isn't wide enough to display the code box. If it's a phone, try rotating it to landscape mode.The context could be other players inventory, locked chests and so one. Is this feature secured already?
- Code: Select all
formspec list[context;main;0,0;8,4;]
At the other site I did not found the methods used in [oredetect]Your phone or window isn't wide enough to display the code box. If it's a phone, try rotating it to landscape mode.Is the mod really for the client? After short code inspection it should work on server. By the way, in the folder structure I cannot see any difference if it is a client- or server mod. Maybe "clientmod.conf" should be used instead "mod.conf" to get a difference?
- Code: Select all
minetest.register_on_punchnode()
core.find_node_near()
core.get_node()
Next question: Is a protocol implemented for Mod2Mod communication? That will be the next insecurity-vector, a buggy mod could open backdoors on server. :/
I realize the CSM should be just an "Enhanced texturepack framework" in first step. That means lua enabled way to modify some visual effects on the client site according to players taste. But it should be clear the most enhancements and features should be still written to the client framework in C++.
A client mod should never be able to do something gameplay relevant because the gameplay is on the server.
Is any documentation available about the visions, goals, concepts and design of currently implemented CSM? Or does it just exists in developer's head?
[/Brainstorm off]
burli wrote:But you can't install these mods on the client. You have to load them from the server. Or did I miss something?
Linuxdirk wrote:You download an "X-ray mod" like [oredetect] and install it as client-side mod.
A client<->server / mod <-> mod messaging presupposes a mod at the server site provide an additional sender/receiver. Such sender/receiver is always an additional risk like an open TCP-port.I don't see any issue with gameplay-relevant client<->server messaging since players can already send bad formspec submissions
burli wrote:Linuxdirk wrote:You download an "X-ray mod" like [oredetect] and install it as client-side mod.
Really? Really really? That's ridiculous, if that is true.
burli wrote:But I cant believe that the devs are that dumb
Linuxdirk wrote:It is. As I was told client-side mods can see anything that the client can already see. And since the client can see all ores client-side mods can see them, too.
bell07 wrote:A client<->server / mod <-> mod messaging presupposes a mod at the server site provide an additional sender/receiver. Such sender/receiver is always an additional risk like an open TCP-port.I don't see any issue with gameplay-relevant client<->server messaging since players can already send bad formspec submissions
The most mods are not under control of minetest_mods or minetest_game and do not follow any security guidelines (not needed before). But if I provide an eye-catcher mod with not secured message channel any server owner installs a backdoor by installing such mod. I thing many people does look to screenshots only but not to the code before installing a mod. Of course such issue will be reported and fixed soon, but the area for possible attacks will grow with each additional mod that provides a sender/receiver server site.
Byakuren wrote:Yes, a cheater could compile a modified client, but I think having client mods loaded from the client makes the barrier to cheating too low, compared to if the player had to recompile Minetest with cheats or seek out a modified build from someone else.
Byakuren wrote:Could you please:
A) Demonstrate that mod message channels are significantly more dangerous than formspecs
B) Separately, give an example of an exploit enabled by message channels (or formspecs) that does not rely on the server-side mod using loadstring or similar functions, and
red-001 wrote:send the surface nodes is possible but you have to ask yourself is the extra load on the server .
red-001 wrote:Anyway since you asked for a full list of cheats possible in minetest in general, here is one:
red-001 wrote:fast & fly
red-001 wrote:xray & noclip & wireframe
red-001 wrote:drowning/lava damage
red-001 wrote:fall damage
red-001 wrote:full bright
Users browsing this forum: No registered users and 8 guests