00:04 < bridge> why is #8568 relevant? is `/dnd` not enough? 00:04 < bridge> https://github.com/ddnet/ddnet/pull/8568 00:10 < bridge> <0xdeen> dnd blocks everything, including public messages that moderators can react to. Some people only spam in whispers 02:55 < bridge> I would recommend some of jxsls discord tools. If using a discord bot is enough gui for you. 02:58 < bridge> https://github.com/jxsl13/TeeworldsEconDiscordModerationBot 06:43 < bridge> so, i made something 06:43 < bridge> https://cdn.discordapp.com/attachments/293493549758939136/1262268241699672135/image.png?ex=6695fa68&is=6694a8e8&hm=c2bd58a6413f62c94109017bf9c73b308dd76622023539593ee4573b803cab55& 06:44 < bridge> so, i made something 06:44 < bridge> https://cdn.discordapp.com/attachments/293493549758939136/1262268419240362055/image.png?ex=6695fa92&is=6694a912&hm=c5822f6f018b048a75bfba8e036ed26aaa741a52b1fa3d7928122af66599c504& 06:44 < bridge> toggle & value option aswell 06:44 < bridge> https://cdn.discordapp.com/attachments/293493549758939136/1262268622118715442/image.png?ex=6695fac3&is=6694a943&hm=28ebb6e2f3135dca44cd718c5fd40d908c2e2cc2cbb6d35ac4da3de8f4a94368& 06:49 < bridge> That thing is a class of EXACTLY 1000 lines LOL, took me like the last 2 days xd 06:51 < bridge> https://cdn.discordapp.com/attachments/293493549758939136/1262270364990308454/image.png?ex=6695fc62&is=6694aae2&hm=e150e4d07dab8b0736b6d5590831922fe167e72d83cb3258baf69641fcd04ce5& 06:51 < bridge> :huh: 07:08 < bridge> gm 07:08 < bridge> -# this user is currently on the watchlist for rust terrorists 07:08 < bridge> gm 07:08 < bridge> -# this user is currently on the watchlist for being a rust terrorist 07:16 < bridge> Sounds rusty 07:57 < bridge> gm 07:57 < bridge> what is a rust terrorist 08:14 < bridge> They force you to write everything in rust 08:21 < bridge> Gerdoe (zhn) who is doing the exact Same Thing at the Moment: 08:21 < bridge> https://cdn.discordapp.com/attachments/293493549758939136/1262293061170495528/image.png?ex=66961186&is=6694c006&hm=d4aa03ea1dd44cc86a68cba4dddfb10169b02a142c079cab161a17d60f0c8613& 08:21 < bridge> this ? 08:22 < bridge> Yurp 08:22 < bridge> ah 08:22 < bridge> Shit yourself is a valid Option for Blockworlds i must say 08:22 < bridge> xD 08:22 < bridge> my arms hurt from coding this 08:22 < bridge> spent too much time on it 08:23 < bridge> :KEKW: 08:24 < bridge> It's cool to have those different visions about how a vote menu will look like 08:27 < bridge> nice font 08:29 < bridge> I think it's the same one deen used for motd in ddnet 08:29 < bridge> but not sure 09:18 < bridge> This looks pretty clean tho 09:19 < bridge> thanks a lot:heartw: 09:21 < bridge> vote abuser 09:23 < bridge> in F-DDrace I abuse every feature of ddnet client 09:24 < bridge> but mostly it'll turn out to be smooth 09:45 < bridge> https://cdn.discordapp.com/attachments/293493549758939136/1262314180346904609/Screenshot_20240715-094541.png?ex=66962531&is=6694d3b1&hm=02bf64c0a69d0028c18101f4859528cecb3d4bd074ae866a05095069ed5e4fb2& 09:47 < bridge> true hackerman 10:19 < bridge> We were having some webhooks timeout because we were replying too slow. 99.7% of the request duration was spent within external api calls. 0.3% of the request was spent in a small internal call. 10:19 < bridge> Guess which one my very competent coworker decided to move into async 11:19 < bridge> So essentially, game state is fully update every tick? There are no partial updates? 11:35 < bridge> hey pls help me 11:40 < bridge> https://cdn.discordapp.com/attachments/293493549758939136/1262343012134948935/image.png?ex=6696400b&is=6694ee8b&hm=eefcedc79238525093e6dc4d010f7b505e11a70fb767eb6db52037f9d65649dc& 11:40 < bridge> im getting this prbolem 11:40 < bridge> whats this 11:42 < bridge> You can't join that server because they have their own client so you can only join with their client and I don't know why they register their servers in case that it's not possible to join with even ddnet client 😐 11:57 < bridge> ye it broadcasts you shit yourself now 11:58 < bridge> https://tenor.com/view/blm-gif-25815938 12:13 < bridge> i am more and more annoyed how ppl have to solve so many problems in tw multiple times 12:13 < bridge> every custom mod has to do everything from scratch :( 12:14 < bridge> when ui lib for tw 🤨 12:14 < bridge> there should be a better ecosystem of reusable components for tw mods 12:15 < bridge> there should be a lot of things in tw 12:17 < bridge> someone has to do it, chillerdragon 12:17 < bridge> saying "there should be X" is easy 12:25 < bridge> think the main thing is some sort of generic hud input 12:27 < bridge> @louis.place 12:28 < bridge> or alternatively 12:28 < bridge> have some way to toggle custom assets in real time in the map 12:29 < bridge> then you could hack your hud onto the screen too 12:30 < bridge> hmm robyte message is bugging on mobile i cant read exactly what it is 12:31 < bridge> but i feel like having some interface where >a list of hud elements is sent to client, client displays it all in a single column< would be best solution? 12:32 < bridge> input elements and displayed elements, so client could input things and server sends updates which re-displays the HUD 12:42 < bridge> please unban me somebody banned me 12:42 < bridge> #✉-create-a-ticket 12:42 < ws-client2> @heinrich5991 saying "there should be X" is step one. It doesnt have to be a technically complex thing. But if two people build the same thing like gerdoe and fokko it could also just be one doing it and sharing it with the other. 12:43 < bridge> or both working together, but one: blockworlds is currently closed source, and two: they didn't know about each other's impl 12:50 < bridge> is there any way the ddnet server can run inside the ddnet client? i don't like having two windows sometimes 😄 12:50 < bridge> or would that be easy to mod in 12:53 < bridge> err i guess that's equivalent to just hiding the server terminal 13:04 < bridge> i was about to make poc for server side render group sending but after learath posted his idea about small layout language i was like huh ye its better, we should have it and we should make it perfect 13:04 < bridge> and all about perfect: youll never try to do this if you think it should be perfect :p 13:25 < bridge> we could hide the window 13:28 < bridge> Then there's no way to obtain the rcon password from the console window unless you manually set one 13:30 < bridge> true… 13:30 < bridge> a local server console would be cool ^^ 13:32 < bridge> #3282 😗 13:32 < bridge> https://github.com/ddnet/ddnet/issues/3282 13:33 < bridge> (on linux (and I'd guess macos), that's already the case) 13:34 < bridge> Has been on my list for a long time, along with econ interface from the client, starting the current editor map on local server etc. 14:04 < bridge> i thought deen or heinrich implemented client econ support, it had this fancy blue background, had i dreamt? 14:04 < bridge> :justatest: 14:05 < bridge> Probably some other client 14:10 < ws-client2> senpai lerato! 14:10 < ws-client2> i used neverssl.com today!!! 14:12 < bridge> I think deen started with econ and probably also stopped at the annoying part, the econ client backend, same as me. Blue is a good background color though, I also picked that. :bluekitty: 14:12 < ws-client2> yes thats the OP thing about sharing code is that you can work together @meloƞ if bw would be open source fokko could have just yeeted the code and then potentially contribute improvements back 14:12 < ws-client2> all the time that is saved by not implementing again from scratch can be used to contribute stuff on top 14:12 < bridge> i am sadly not the one to decide for Blockworlds to go open source ^^ but i agree 14:13 < bridge> :Celebrate: 14:13 < bridge> Misconfigured hotspot? 14:13 < ws-client2> plus bugged device xd 14:17 < ws-client2> the fact that this very website neverssl.com does exist is not too exciting. I mean i used this very site but i could get my hands on a http site. But you mentioning the underlying problem helped a lot. I did not expect to use it so soon. 14:19 < ws-client2> @meloƞ there is just so many projects that do the same thing and also so many things that have been already done over the years. But realistically i know that just going open source does not magically get rid of all code duplication. 14:19 < ws-client2> working with others is time consuming and can cause drama 14:20 < ws-client2> everyone wants it down their way and people can get protective about their work and opinionated about certain things 14:21 < ws-client2> I used to yoink code snippets from the teeworlds friends forum a few years ago that was nice. They had some dev section with a few posts about how to code XYZ and this was nice to get your code base started. 14:22 < ws-client2> yea idk i better be quiet im currently implementing zCatch for the 100th time xd 14:23 < bridge> sometimes to make something good you have to write it 99 times and throw it away :justatest: 14:24 < ws-client2> yes for sure 14:24 < ws-client2> if you iterate your own ideas in multiple implementations and learn from earlier mistakes 14:25 < ws-client2> but that is something else than a different person implementing the same zCatch every 3 years 14:25 < bridge> hi chiller im fan 14:25 < ws-client2> hi fan im chiller 14:26 < bridge> no way 14:26 < bridge> :OO 14:26 < bridge> hi chiller i'm melon 14:27 < ws-client2> its a solved problem for ddrace 14:27 < ws-client2> other than a few very inentional trols from the block scene BW and the sorts nobody implements their own freeze from scratch anymore these days 14:29 < bridge> It's surprisingly hard to find a plain http site off the top of your head stuck at an airport or something 14:30 < ws-client2> my own 14:30 < bridge> Ah, I guess that'd work, yeah I use mine too sometimes 14:32 < ws-client2> also i know another one which i never forget somehow because i was so bamboozled they have no SSL and its up since years and short to type 14:32 < ws-client2> sadly i can not reveal it without doxing my self xd 14:33 < ws-client2> but i would have NEVER tried going to that site if the hotspot would not work 14:34 < bridge> even neverssl.com supports TLS 😄 14:34 < bridge> http://example.com/ also works btw 14:40 < bridge> how does that even work? 14:40 < bridge> the website doesn't really explain how it works technically 14:40 < bridge> which? neverssl or example? 14:41 < bridge> neverssl 14:42 < bridge> There is nothing to explain? It just serves http 14:42 < bridge> captive portals in wifis can only intercept http requests, not https ones 14:42 < bridge> how does that fix facebook 14:42 < bridge> Ah that part 14:42 < bridge> because https is secure 14:43 < bridge> so by navigating to an http site, the captive portal can redirect you to the wifi login page 14:43 < bridge> (most sites are secure nowadays, so the wifi portal can't redirect you away from them. this is a good thing ^^) 14:44 < bridge> Browsers and OSs have their own version of neverssl normally, like `http://captive.apple.com/hotspot-detect.html` 14:44 < bridge> but the login page for facebook/google still uses https no? 14:44 < bridge> yes. the captive portal stops the connection from working, but it can't redirect your browser to the wifi login page 14:44 < bridge> okay 14:45 < bridge> i see yeah ig i've never had to use it, i always get the captive apple http 14:45 < bridge> Some combination of configuration options on the hotspot side that I never bothered to debug on the spot can lead to your browser/os not going to their captive portal check url 14:46 < bridge> Then you get stuck with a dud connection that you can't get to the login page of 14:46 < bridge> yea. http://connectivitycheck.gstatic.com/generate_204, http://www.msftconnecttest.com/connecttest.txt, http://detectportal.firefox.com/canonical.html plus a couple more 14:47 < bridge> http://nmcheck.gnome.org/check_network_status.txt 14:47 < bridge> that seems kinda hacky 14:47 < bridge> only being able to redirect on http 14:49 < bridge> the whole captive portal thing is a giant hack, because we don't have a protocol for that 14:49 < bridge> It's good, you don't want Amsterdam Airport Wifi redirecting you to fake facebook and stealing your credentials for the Dutch Secret Service 14:50 < bridge> not being able to hijack https is the same as them not being able to read your https traffic. thankfully, most of the web is https nowadays 🙂 14:50 < bridge> We should perhaps get a protocol for it 😄 14:50 < bridge> hard to bootstrap, the current one works good enough™ 14:50 < bridge> but yea, would be nice if the dhcp server could include a response that you need to visit the following https URL before internet access is available 14:51 < bridge> thinking about it, I guess someone has already written something like this down 14:51 < bridge> i thought the nsa could read whatever they wanted anyways 😦 14:51 < bridge> idk how extensible the dhcp protocol is, so idk how hard that would be, but it would be nice 14:51 < bridge> it's extensible like that AFAIK 14:52 < bridge> the NSA can read the stuff that is decrypted on USA servers. which is most of the internet. even ddnet uses cloudflare, which decrypts the ddnet traffic on cloudflare servers 14:53 < bridge> to be fair, we do kinda trust that the trust roots are trustworthy, they could be working with the NSA issuing them MITM certificates, so any site without HPKP is technically unsafe 14:54 < bridge> nah, there's certificate transparency 14:54 < bridge> which makes such certificates publicly viewable 14:54 < bridge> aint that what web3 is for :troll: 14:54 < bridge> no, web3 is unrelated to that 14:55 < bridge> Isn't that voluntary participation? 14:56 < bridge> Ah, they do have client side logging and monitoring too 14:56 < bridge> depending on the CA, the CA must get certificates logged to get them trusted. we're getting there and a greater fraction is getting that requirement 14:56 < bridge> but chrome/chromium send all certificates not already logged to CT 14:56 < bridge> so if you MITM'ing someone using chrome, your certificate will end up in CT 14:57 < bridge> Would it alert on a non logging CA issuing a certificate for a website that a logging CA issued a certificate for? 14:57 < bridge> no, it does not alert the user 14:58 < bridge> but from the fact that the certificates are public, we know that there are no secret large-scale MITM actions going on, at least not via this method 14:59 < bridge> Well that's one downside, so the NSA gets to do an extremely targeted attack on a couple people until someone or some system spots it in the logs 14:59 < bridge> Then I'm guessing that root gets untrusted? 14:59 < bridge> yes 14:59 < bridge> unlikely that the NSA would do that to a domestic CA 14:59 < bridge> because it hurts their economy 15:00 < bridge> more likely to try to hack a foreign CA, I guess 15:00 < bridge> Just ask a CIA client state to "accidentally" leak their root CA 15:00 < bridge> then their CA gets distrusted, not so hard 15:01 < bridge> Then they say, oh we make big mistake, add us back or we ban your browser in our country, we promise, we keep new root very safe 15:01 < bridge> you seem to have a wrong impression of how the CA/B forum works 15:01 < bridge> this CA is not going to get added again 15:02 < bridge> a CA root certificate is not something that should be able to get leaked 15:02 < bridge> it should be on an HSM 15:02 < bridge> (CAs have been permanently removed from root stores for way less than blatant certificate misissuance) 15:03 < bridge> Well don't need to give out the root, just leak an intermediate, those happened before without CA's getting deleted 15:04 < bridge> anyway, we don't really see that happening in practice 15:04 < bridge> there are better methods to attack this system 15:05 < bridge> this particular issue doesn't seem like a weak point 15:06 < bridge> e.g. no need to hijack a CA when you can get a legitimate certificate from almost any CA 15:06 < bridge> because you can hijack the methods used to verify people's ownership of domains 15:07 < bridge> You are probably not getting any CA to issue you a certificate for facebook.com 15:12 < bridge> btw, some countries have laws requiring "providers of web-browsers" to ship certain trust roots, I'm unsure what the CA/B forum would be able to do about that 15:13 < bridge> (iirc even EU had something similar which all the browser vendors made noise about, though idk if it ended up being passed as initially worded) 15:17 < bridge> I haven't heard of such a law having an effect so far. I'd be interested in whether that exists 15:18 < bridge> Well some form of eidas 2 passed, with article 45 still in there, idk if they reworded it differently though 15:18 < bridge> morning 15:21 < bridge> I'd be interested to know whether these kind of laws have any effect ^^ 15:22 < bridge> Probably not, I already don't believe any of these parties would actually have the balls to remove a root certificate that belongs to a western government 15:23 < bridge> Usa #1 🦅 15:24 < bridge> I can't figure out quickly if that is even law yet. do you know? 15:24 < bridge> https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183 15:26 < bridge> oof 15:26 < bridge> Again idk if they changed the wording after the browser vendors raised concerns, but I do also remember a smear document signed by some legislators "disproving" mozillas claim in their open letter 15:26 < bridge> that text sounds bad 15:26 < bridge> > Qualified certificates for website authentication issued in accordance with paragraph 1 of this Article shall be recognised by providers of web-browsers. Providers of web-browsers shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner. Providers of web-browsers shall ensure support and interoperability with qualified certificates for website authentication r 15:26 < bridge> article 45, 1a 15:27 < bridge> https://securityriskahead.eu/ 15:27 < bridge> Apparently some changes were approved that makes it fine 15:30 < bridge> CT does sound nice, but I don't get why it was implemented on the CA and domain owner side 15:31 < bridge> A similar scheme could be built on the client side, to watch for suspicious certificates without the CAs having to submit logs 15:32 < bridge> a global log sounds better than a client-specific one 15:32 < bridge> because that means we get to analyze all the data 15:32 < bridge> I meant a global log where all clients submit all certificates they encounter 15:32 < bridge> even if it was the first time for the client to connect to that website 15:33 < bridge> we do have that ^^ in addition to most, hopefully soon all CAs being required to submit it by themselves 15:33 < bridge> with the CAs being required to submit them, we don't have to wait for a client to find the certificate 15:34 < bridge> but it doesn't alert the user to a suspicious certificate 15:34 < bridge> it alerts the CAs and the server owner 15:34 < bridge> (for CAs that are required to submit, the certificates include a proof that they're logged to CT) 15:34 < bridge> meanwhile my data has already been stolen 15:34 < bridge> idk, let's address that problem once it becomes one? 15:35 < bridge> We'll never know if it becomes one if the entity doing the attacks is careful to target only firefox and old browsers 15:35 < bridge> well, firefox is planning to implement CT, too 15:36 < bridge> you're not showing a weakness of the system, but a weakness of firefox 15:36 < bridge> because it's not doing the thing that chrome does, here 15:36 < bridge> https://bugzilla.mozilla.org/show_bug.cgi?id=1281469 15:37 < bridge> Technically chrome doesn't save you from the attack either, it just is proof that it's not happening (widely enough? I didn't read how the global log is scrutinized) to chrome or safari users 15:37 < bridge> hmmm. let's talk about the client-side of things. what do you propose to tackle client-side? 15:38 < bridge> Check the global log, if for some measure of suspicious, this cert I've been handed is suspicious, alert me 15:39 < bridge> hmmm. that sounds like a power user feature 15:39 < bridge> I guess one could build that in addition to the current system 15:39 < bridge> (also, this only works for interactive cases) 15:40 < bridge> also needs a bit of thinking to make it anonymous, so you're not sending your browsing history to the CT log 15:46 < bridge> I was about to create a github issue about downloading maps from maps.ddnet.org whenever a demo is opened without the necessary map file, but a bit hesitant because this is probably not be a widespread issue. 15:47 < bridge> > Chrome requires all publicly-trusted TLS certificates issued after April 30, 2018 to support CT in order to be recognized as valid 15:47 < bridge> This is pretty good 15:50 < bridge> I was about to create a github issue about downloading maps from maps.ddnet.org whenever a demo is opened without the necessary map file, but a bit hesitant because this is probably not a widespread issue. 15:50 < bridge> I'm pretty sure there is already an issue about that 15:51 < bridge> Hmmm. right: #2267 15:51 < bridge> https://github.com/ddnet/ddnet/issues/2267 15:55 < bridge> ah, didn't know it was this far already 15:55 < bridge> so when mozilla? ^^ 15:56 < bridge> eh, they have always been on the slower side 15:57 < bridge> understandable, they have many less millions and billions but are expected to implement the exact same set of things chromium browsers implement 17:18 < bridge> @jupeyy_keks are you able to have the SkinDB bot automatically dilate skins before uploading them to the ddnet db? 17:48 < bridge> please unban me i blocked in multeasymap i got fucked out for a day :((( 17:48 < bridge> <_gwendal> #✉-create-a-ticket 17:52 < bridge> i dont know my ip 17:54 < bridge> ye they can 17:55 < bridge> don't worry :p 17:57 < bridge> ok i did 17:57 < bridge> when unban? 17:58 < bridge> im still banned 18:06 < bridge> alternatively something that also mass-dilates the existing skins in the DB somehow 18:10 < bridge> **Ban Expires** , (2024-07-16 09:00 UTC) 19:12 < bridge> i know 19:12 < bridge> whats the point of ban appeal then? 19:17 < bridge> It's for moderation mistakes mostly, and some mods do show leniency for people banned for their first time or so 19:18 < bridge> i can play maps. I dont block i promise 19:18 < bridge> cant* 19:38 < bridge> Own your mistakes if it's righteous. 19:58 < bridge> Dear diary, I can't find words to describe the pain and humiliation I experienced during debugging my code, it was generating correct output 50% of the time. I couldn't understand why but after starting at it like an idiot I realized I was interating over a map and because of it the order was wrong sometimes 20:00 < bridge> 🙃 20:03 < bridge> And it was working correctly exactly when I was changing the values in my language source code :pepeW: 20:39 < bridge> rust? 20:39 < bridge> use btree for guaranteed order 21:02 < bridge> I don't need anything except vector