04:14 <+bridge> https://cdn.discordapp.com/attachments/293493549758939136/1494883714541424731/image.png?ex=69e43a73&is=69e2e8f3&hm=fa451d3cf21f9bcbbfbb286bc6f2170b370918fd4bdc3c2a5aa0811a0ecbe98c&
04:14 <+bridge> https://cdn.discordapp.com/attachments/293493549758939136/1494883838986551479/image.png?ex=69e43a90&is=69e2e910&hm=b1ae37439e4ed2359fde3e3976c2ebba2637c1f40c21d99ee3880bf5bdf2488c&
06:16 <+bridge> OwO
06:40 <+bridge> @uq_alx on esteroids
08:22 <+bridge> mhh, yeah I guess the topbar menu could work out, should test that out, especially in mobile where width is more of a problem than desktop, left navigation looks too bad compared to the topbar which looks much more modern
08:22 <+bridge> but generally its not too far from my approach i'd say
08:22 <+bridge>
08:22 <+bridge> you save one layer in the container where the maps are, which i like, tho i use it to put all the filters (ofc the filters are currently a bit too much, need better sizing etc)
08:22 <+bridge> But except the topbar menu, i'd not directly say it has more soul, would you? and if so, why exactly?
08:22 <+bridge> The text under "Map releases" for example ofc sucks in my version, its what the current page uses i just copied pasted, that's defs in the range of change anyway
08:22 <+bridge> https://cdn.discordapp.com/attachments/293493549758939136/1016027360555958292/unknown.png?ex=69e45ef7&is=69e30d77&hm=e8846cec2fbcdd5be3b71d98165452739e511b2f64b670ce63b212e4966034df&
12:53 <+bridge> 🍿
12:56 <+bridge> Eh, he did say that he'd quit if that one PR got merged, I respect that
12:56 <+bridge> Good luck in your future endeavors
12:56 <+bridge> im with kebs
12:56 <+bridge> losing valuable contributors as days go
12:57 <+bridge> ignoring this is a bad thing btw
12:57 <+bridge> but u do u
12:58 <+bridge> Nothing I can do, he made it pretty clear who he has a problem with
12:59 <+bridge> more like the same reason all other devs left, me included
13:00 <+bridge> also lot of ppl fear talking here out of being banned for anything
13:00 <+bridge> me included
13:00 <+bridge> but im reaching a point where im less and less attached to ddnet lately
13:00 <+bridge> so i care less
13:02 <+bridge> am I correct that https://github.com/ddnet/ddnet-discordbot hasn't been the active source for @DDNet in a while? Does someone else have the current repository? Or maybe it's completely private
13:02 <+bridge> Hm, I think murpi's fork is the running one right now, unless we are running anything experimental
13:04 <+bridge> Maybe not his fork also looks out of date, @murpi what are we running now?
13:05 <+bridge> A slightly older version of this: https://github.com/murpii/ddnet-discordbot-dev
13:05 <+bridge> That's a commit 😄
13:05 <+bridge> https://cdn.discordapp.com/attachments/293493549758939136/1495017437609853018/image.png?ex=69e4b6fd&is=69e3657d&hm=667dcc58fa8f9731c00d0048a1c308f3008e3b04d3beae6b4f34bfbab98a72cb&
13:05 <+bridge> what about the current one?
13:06 <+bridge> Can we get the main version back up to date and you can work on there?
13:07 <+bridge> FWIW you can talk about whatever, it's that these conversations always devolve into just namecalling and personal insults
13:08 <+bridge> With the way I worked on the current version of the bot, I'd need to push updates on an hourly basis 😄
13:09 <+bridge> That's fine, we can have a "rolling branch" that we keep deploying while you work on it
13:09 <+bridge> not rly, because u can frame something as making drama and its an easy way to end up discussions one might dislike
13:09 <+bridge> Then we can merge it into master when its stable
13:09 <+bridge> talking from xp
13:11 <+bridge> I used "slightly" to convey that the only diff is a minor fix here and there
13:11 <+bridge> chillerdragon, **jupstar**, kebs, ryozuki
13:11 <+bridge> these people did not leave because they didnt want to continue contributing to ddnet, but for another reason, which i wont explain to avoid namecalling
13:12 <+bridge> if u dont see the problem, its sad, because those are actually long time contributors, and im specially sad about jupstar leaving, he literally made the entire graphics backend, no easy feat
13:12 <+bridge> maybe there is more ppl out there i forgot but u get the gist
13:12 <+bridge> so what you see on that page is pretty much what we run atm
13:13 <+bridge> Actually no I lied, the ticket system we currently run is an even older version
13:14 <+bridge> The discord.py is very modular thanks to their extension system
13:14 <+bridge> ah, okay, thanks
13:16 <+bridge> Also also, you cannot run the bot yourself anyway, since it heavily depends on our specific database setup.
The only reason it is public is to give others a rough idea of how it is structured ^^
13:18 <+bridge> I remember trying to run it a couple of years ago, but got stuck right on the config
13:27 <+bridge> saying there is nothing that can be done about this is not quite the truth
13:55 <+bridge> @kebscs 💟
13:55 <+bridge> rip kebs
13:55 <+bridge> love ur work
13:56 <+bridge> https://tenor.com/view/salute-gif-8977961
13:56 <+bridge> thanks guys
13:58 <+bridge> sorry kebs, but you should have focused on adding more dependency on Rust or support for version 0.4.* or something, then your PR wouldn't be hanging for half a year.
14:00 <+bridge> even then it might wait half a year, i think the problem might be that my nickname doesnt start with "h" and end in "5991" :kek:
14:01 <+bridge> do you mean hprclosed5991 ?
14:02 <+bridge> and sorry that I had to close everything, but I dont have the willpower to deal with how the project is being run :/
14:03 <+bridge> it's understandable
14:03 <+bridge> i think the main problem is that players don't have a voice and most people don't even know what contributors do. need to run an advertising campaign for every PR to get support from players, I guess.
14:03 <+bridge> youve got a good chunk of nice features in
14:04 <+bridge> click spectate especially is awesome
14:08 <+bridge> well, I've already tried that with spectator counter.
It got like 200 votes on discord and yet it still wanted to be reverted, instead of fixing 1 issue :/
14:50 <+bridge> with no kebs anymore who is gonna add these features which make the game more enjoyable :/
14:51 <+bridge> you can donit
14:51 <+bridge> you can do it
14:52 <+bridge> cant
14:52 <+bridge> well i can
14:52 <+bridge> but i dont wanna deal with what kebs really dealt with
14:53 <+bridge> doesnt seem very enjoyable
14:54 <+bridge> why does every good game have to have some glaring problem that never gets resolved
14:55 <+bridge> Spec counter is great
14:55 <+bridge> It makes me lock in
14:58 <+bridge> I liked a lot of kebs features and new tile proposals, but I don't think "if this gets merged I'll leave" is a good attitude as well, meh
15:04 <+bridge> well its been multiple months of what it seems him getting frustrated of things that heinrich does that kebs doesnt like so it is understandable that he doesnt want to contribute anymore, and if he doesnt want to contribute anymore then his prs should be closed.
it would be worse imo if he just went mia on his prs and never said a word as it would leave people thinking that the prs arent dead and he will come back soon
15:05 <+bridge> i think its a lot more beneficial if they could just have a conversation with each other and sort their differences if they havent tried
15:06 <+bridge> i think its a lot more beneficial if they could just have a conversation privately with each other and sort their differences if they havent tried
15:09 <+bridge> I agree
15:11 <+bridge> Take a look at the rust pr, every commenter got ignored and it got merged with no valid reasons
15:11 <+bridge> If there are rules on the repository it should apply to everyone or noone
18:31 <+bridge> <4er1kkk_666> bro
18:31 <+bridge> <4er1kkk_666> https://cdn.discordapp.com/attachments/293493549758939136/1495099524828364971/1.jpg?ex=69e50370&is=69e3b1f0&hm=1f49fd7a5038c9c281066a5f10de2c118bac03fdaed7735715c1749326b23908&
18:31 <+bridge> <4er1kkk_666> https://cdn.discordapp.com/attachments/293493549758939136/1495099525591863377/2.jpg?ex=69e50370&is=69e3b1f0&hm=33ebcbdf67f40c03b735aa7aebf83d2757b646d31c914725a4e3d060e59a044b&
18:31 <+bridge> <4er1kkk_666> https://cdn.discordapp.com/attachments/293493549758939136/1495099526900617257/3.jpg?ex=69e50370&is=69e3b1f0&hm=294d75437803164cc66428c9c32ea11b3963949c9a682d3a97d261388fd16d3d&
18:31 <+bridge> <4er1kkk_666> https://cdn.discordapp.com/attachments/293493549758939136/1495099527630422016/4.jpg?ex=69e50370&is=69e3b1f0&hm=f72b75e5b8451ec8089a49e0a614f0d1af1c82dddcaea78bb3aa9e7220dde76b&
19:12 <+bridge> yet another great dev gone
19:12 <+bridge> :feelsbadman:
20:20 <+bridge> so whats going on with heinrich
20:40 <+bridge> What now
20:44 <+bridge> we cry
20:45 <+bridge> I won't
20:45 <+bridge> I saw this coming long ago, old contributors and veterans leaving
20:46 <+bridge> we, except for Cellegen, cry
20:46 <+bridge> better now?
20:46 <+bridge> Tell me instead what happened
20:47 <+bridge> i dont really have the full story
20:47 <+bridge> Didn't check up here since March
20:47 <+bridge> but my best guess is that theres some pr from heinrich that got merged while ignoring others' comments on it
20:47 <+bridge> thats what i recall from all of this
20:48 <+bridge> Did Heinrich comment something about this after effect or full silence since then?
20:49 <+bridge> havent read anything mentioning it from his side but i mightve missed it
20:50 <+bridge> What pr was it even?
20:52 <+bridge> no clue tbh
20:52 <+bridge> This PR is wild btw
20:52 <+bridge> ive just been reading chats here and there
20:52 <+bridge> # check my bio 😁
20:52 <+bridge> ok
20:52 <+bridge> oh
20:52 <+bridge> wow
20:52 <+bridge> that was so fast
20:52 <+bridge> Anyways xd
20:53 <+bridge> take everything ive said with a grain of salt btw i have no real clue whats going on
20:54 <+bridge> Approving a change in the Rust build where an outdated version can cause problems, without having the slightest hint of red flag is nuts
20:54 <+bridge> Is this what he's doing rn as in that recent pr?
20:54 <+bridge> chiller the issue isnt that
20:55 <+bridge> i think its more that hein can get a pr merged without anyone agreeing to it
20:55 <+bridge> and others have to get Xperson specifically to get the pr merged
20:55 <+bridge> even if 100 ppl like it
20:55 <+bridge> even if other devs like it
20:55 <+bridge> oh, well idk what pr can be an example of this
20:55 <+bridge> I just got here
20:55 <+bridge> the pr rewriting delta to rust
20:55 <+bridge> https://github.com/ddnet/ddnet/pull/11957
20:56 <+bridge> https://cdn.discordapp.com/attachments/293493549758939136/1495135942627954698/image.png?ex=69e5255b&is=69e3d3db&hm=e6f1786c08b8cd1e26ae3d0b503d8b7c9f9596eec7366f188ab837adf360d3e8&
20:57 <+bridge> cellegen the issue isnt that
20:57 <+bridge> Well, I sorta understand moving to Rust, in case the environment for building is friendlier,
20:57 <+bridge> ur missing the point entirely xD i go back to slay the spire 2
20:57 <+bridge> Im reading it xdd
20:57 <+bridge> So this wasn't necessary
20:57 <+bridge> he just did it just cause?
20:58 <+bridge> whether its necessary or not is besides the point
20:58 <+bridge> pr had ppl questioning it, if the pr was made by me, it would have dragged months or a year
20:58 <+bridge> but its by someone more privileged, it got merged in days
20:58 <+bridge> even if it had ppl questioning it
20:59 <+bridge> so i feel its only logical devs leave a place where they are barely welcomed, and a place where you see power discrepancies like this, even more when its an open source game, that had no obvious BDFL
20:59 <+bridge> Like Kebs with a reasonable amount of PRs close to that change being unresolved, right?
21:00 <+bridge> i wish forking would work but its hard to mimic the whole infra, which is what makes this game live
21:01 <+bridge> If only there was a good reason that it got pushed through after all the technical comments on it were handled
21:01 <+bridge> Hmmm, heinrich didn't comment on that further, Learath didn't bother too much, and I assume Kebs' work just got harder?
21:01 <+bridge> Alas, there obviously wasn't one. I'm just evil
21:01 <+bridge> If Im getting it right, idk
21:01 <+bridge> ?
21:01 <+bridge> You went to sleep no
21:02 <+bridge> sleep = evil xd
21:02 <+bridge> I said it, it's out there now, I'm just pure evil. I fan the flames of controversy to see ddnet burn down
21:02 <+bridge> this is the internet, we don't assume good faith here, what even is that?
21:02 <+bridge> idk, the evil argument and stuff,
21:02 <+bridge> if it was just one outlier dev ok, but its happening all the time, all devs leaving
21:02 <+bridge> tbh when jupstar left, it was kinda a bit over for me and ddnet
21:02 <+bridge> the guy is insane
21:02 <+bridge> he made an entire replica alone
21:02 <+bridge> I don't blame you bumbo, I just highlight what I see
21:03 <+bridge> Idk shit
21:03 <+bridge> He was veery good, hope he comes back sometime
21:03 <+bridge> this is just sad
21:03 <+bridge> he actually commented on the vulkan pr i made some time ago
21:03 <+bridge> which i closed anyway
21:04 <+bridge> One thing sure bothers me, that's an insane amount of prs, to just ignore
21:04 <+bridge> That PR just had to be merged so I can turn ddnet into Rust, so I can get people to hate Rust for my end goal of destroying Rust and putting C++ back on top
21:05 <+bridge> https://tenor.com/view/people-who-be-desperate-for-attention-kamedwards-kameron-edwards-sigh-annoying-gif-15490938148885036745
21:05 <+bridge> Would it make the game smell better if the same shit was under a different toilet?
21:05 <+bridge> it's almost like people review code in their free time
21:06 <+bridge> See this is the sort of stuff you get timed out for. Just can't keep civil
21:06 <+bridge> Eh?
21:06 <+bridge> I personally do not care, so feel free to go on if it helps you unwind
21:06 <+bridge> I hope I didn't hurt your feelings with a joke
21:07 <+bridge> Although I apologize, the game is not shit
21:07 <+bridge> It's a nuclear waste 🙂
21:08 <+bridge> dude is going to joke about "being evil" 3 times and then get angry for a meme
21:09 <+bridge> that sounds like someone that personally doesnt care ngl
21:09 <+bridge> embracing the jonkler :kek:
21:09 <+bridge> Not angry, just pointing it out for Ryozuki who was wondering why people get banned for "speaking their minds"
21:09 <+bridge> although that fits me more
21:10 <+bridge> after being granted a new color from the above gods, all I can say is that we should really talk more with each other.
21:10 <+bridge> I hurt Jao's feelings, then Heinrich's feelings, now you buddy
21:11 <+bridge> 3rd ban is the charm
21:11 <+bridge> why the pr author doesnt talk with us :/ https://github.com/ddnet/ddnet/pull/11957
21:12 <+bridge> because this entire PR was handled badly, and your comments actually forced changes onto the PR
21:12 <+bridge> because this entire PR was handled badly, and your comments actually forced changes onto the PR, so you did good
21:12 <+bridge> This entire situation could've been handled with a single dm targeted towards you :justatest:
21:12 <+bridge> what changes? i got ignored, after I helped with the actual refactor
21:13 <+bridge> I would never get hurt by your extremely constructive criticism
21:14 <+bridge> Good
21:15 <+bridge> why towards me? all contributors got ignored in the pr
21:15 <+bridge> Back to Kebs, what now?
He could go to Tater maybe
21:16 <+bridge> And let Heinrich's ignorance (not towards his dev works but) towards Kebs leaving is sad
21:17 <+bridge> because the "being ignored" part has a reason which could and IMO should've been disclosed. alas why I said the entire PR was handled poorly.
21:17 <+bridge> yeah it was handled poorly, and i dont want to be part of that
21:17 <+bridge> if an anon is more equal than others
21:18 <+bridge> thats why i closed all prs
21:18 <+bridge> Ik I'm not the person you want to hear this from, but all your work is appreciated, be it little or large.
21:19 <+bridge> That's the common stance in this community*
21:19 <+bridge> People look forward to you and your changes made, and it'd be sad to see history repeat itself
21:19 <+bridge> A PR that moves much faster than others, with some comments mysteriously not answered by the author
21:20 <+bridge> You can handle that part privately as adults
21:21 <+bridge> Right now, Kebs is leaving, and I hope he either forks all his progress to work on, or have other ddnet forks take right care for your work and criticism
21:22 <+bridge> I hope he comes back, but a fork is also always nice to have around, look at Tater's fork flourishing
21:22 <+bridge> tldr plz
21:22 <+bridge> you might want to share whats going on instead of trying to be funny
21:22 <+bridge> or you'll probably get a cortisol spike again
21:22 <+bridge> We can't, that's the point.
21:23 <+bridge> Not as of right now, at least.
21:23 <+bridge> Heinrich Rust build pr, kebs points things out, heinrich merges without looking at kebs note, kebs leaving as a result, we cry
21:23 <+bridge> entirety of ddnet is run by community but we cant know why 12k loc of rust slop is pushed into the repo
21:24 <+bridge> Technically I merged it, so you can distribute the blame a little
21:24 <+bridge> thats why i dont want to be part of it
21:24 <+bridge> no, you had to deal with heinrich first, so it's fair that you didn't do it under your only intuition
21:25 <+bridge> After all, heinrich made the pr
21:25 <+bridge> he is responsible
21:25 <+bridge> he is responsible (he could've reverted the merge otherwise )
21:27 <+bridge> Anyway, no point discussing this right now with you having half the story. Give it a day or two, if seeing the explanation you still feel the way you feel then we can talk
21:27 <+bridge> You can even DM me all the gamer words you want and I won't tell anyone, pinky promise
21:27 <+bridge> alr, I'm up anytime if you finally wish to share your side
21:28 <+bridge> This situation was very predictable imo
21:28 <+bridge> All of the ohio skibidi toil- uuugh 🤮
21:28 <+bridge> ahh yes the transparency you'd expect of an open source project
21:29 <+bridge> open forked more like
21:29 <+bridge> technically open source doesnt imply transparency 🤓
21:29 <+bridge> Yeah disgusting isn't it, how they merged a PR completely in the open that was fully technically reviewed
21:30 <+bridge> We all know that isn't what is meant.
21:31 <+bridge> dw, if you make that joke the 6th time, someone will have to finally laugh
21:31 <+bridge> 6th time the charm they say
21:31 <+bridge> ...
I think he was talking about melon saying you all should've settled it under pms, would make some sense
21:32 <+bridge> Idk guys, I only have sus on heinrich rn
21:32 <+bridge> it's really not that hard to think of a reason why this was handled the way it was if you just assume good faith
21:32 <+bridge> i dont assume good faith when the pr is submitted by a toxic anon
21:33 <+bridge> I mean, we talk about this right now, it's good
21:33 <+bridge> and there you have it
21:33 <+bridge> who exactly?
21:34 <+bridge> oh heinrich, right
21:34 <+bridge> Eh, idk him being toxic, but rather forcing thing his way, yeah that.
21:34 <+bridge> Eh, idk him being toxic, but rather forcing things his way, yeah that.
21:35 <+bridge> In moderation and care, it's fine ig
21:35 <+bridge> but him not disclosing this with you Kebs, feels more of an asshole move to me
21:37 <+bridge> id expect the project to be transparent when its mainly run by contributors
21:37 <+bridge> And I fully agree, as a council of the most experienced contributors should work together, not against
21:38 <+bridge> and i dont see a great reason for this change to be in rust specifically, teeworlds been around for 20 years without it
21:38 <+bridge> I agree this was handled poorly, no way around it. But this case wasn't something that should've been disclosed publicly at all. You are being ignored simply because "the PR wasn't set to private" in a theoretical sense
21:38 <+bridge> that's a great idea
21:38 <+bridge> maybe those most experienced contributors could also get a special color on discord
21:38 <+bridge> green could work
21:39 <+bridge> I know this is a weird statement, but do you think you could've written the provided changes cleanly with no UB and no memory issues in C++?
21:39 <+bridge> Then why do I see Kebs being fully ignored by the founder?
21:39 <+bridge> ofc
21:40 <+bridge> i see the only reason for rust being chosen for this is that hein is a vigorous poster on /r/rust reddit
21:41 <+bridge> is the language of choice the reason to go fully crashout on someone publicly?
21:41 <+bridge> im not crashing out though
21:42 <+bridge> im saying rust is not the right choice, when there are 0 rust developers on the project
21:42 <+bridge> I may get that you don't like mixing multiple languages into one giant spaghetti (I hate that too xd)
21:42 <+bridge> but I don't think that the first thing to do is hate him specifically for posting a PR about that,
21:42 <+bridge> but rather that your opinion didn't matter to him
21:42 <+bridge> valid kebs crashout
21:42 <+bridge> Kinda
21:43 <+bridge> if there was a great reason for it in rust i dont mind
21:43 <+bridge> I didn't read anything just saw the comment on gh not here for the drama actually
21:43 <+bridge> i even helped reviewing the snap refactor pr
21:43 <+bridge> Then I'll gladly ask for patience until we can disclose this further
21:43 <+bridge> Which you mentioned to him yee, and got completely ignored
21:43 <+bridge> @avolicious: is there a way to put in a word for someone banned without having discord?
21:43 <+bridge> Currently we're screeching at different topics
21:44 <+bridge> hmmmm
21:44 <+bridge> Currently we're screeching at different topics from different PoVs with a different base of knowledge
21:44 <+bridge> tl dr, kebs is leaving
21:45 <+bridge> seems like a pretext for having more rust
21:45 <+bridge> @avolicious: a Moderator of mine who I trust quite a lot got banned on kog for botting because he sent a suspicious chat message. His discord ticket got deleted. He does not cheat. We just like to mock cheaters on fng by imitating them. You know the good old "checkout this client" joke
21:45 <+bridge> oh no, are you vouching on a "trust me bro" player?
21:46 <+bridge> No I am not
21:46 <+bridge> or it's a joke and im a retard
21:46 <+bridge> He helped me a lot to develop my antibot
21:46 <+bridge> And it's a joke to imitate cheaters spam messages
21:46 <+bridge> He had a bind from fng
21:46 <+bridge> hi chiller,
21:47 <+bridge> Kinda intense that his ticket got deleted because of sending a harmless chat message
21:47 <+bridge> Yo ryo
21:47 <+bridge> so Im a retard, big 💪
21:48 <+bridge> permbanning for a chat message seems over the top for an anticheat :kek:
21:48 <+bridge> Maybe it was a manual ban idk
21:48 <+bridge> It's just his appeal got deleted which is why I am trying to vouch
21:48 <+bridge> ..wat
21:48 <+bridge>
21:48 <+bridge> No, and I'll dip here as well - hope to see you around in the next few days when we're able to provide more details
21:48 <+bridge> But tricky without discord maybe avo sees it
21:49 <+bridge> There's an entirely different repo on ddnet client in Rust no?
21:49 <+bridge> I figured as someone that has been banned from kog multiple times I am a creditable player
21:49 <+bridge> i dont like whatever youre doing being kept secret in a community run project. This and toxicity from hein, im not keen on contributing more
21:49 <+bridge> When I find some time I gotta read up on the kebs situation.
21:50 <+bridge> @kebscs: hang in there c: you know I love you right
21:50 <+bridge> ofc @chillerdragon love you too
21:50 <+bridge> owo
21:50 <+bridge> gl reading at least 200 msgs from "adults" xd
21:51 <+bridge> I'm more familiar with the "secrets" part, I can relate
21:52 <+bridge> I really don't understand how we all assume bad faith when something isnt publicly disclosed
21:53 <+bridge> If that discussion is as important, then you bet your sweet bibby it needs to be discussed
21:54 <+bridge> any form of disclosure would've been nice. We don't need the full picture.
A simple: security reasons, money reasons or whatever in the least informative form would've been enough honestly
21:54 <+bridge> Like a long-time contributor leaving
21:54 <+bridge> The fuck is a sweet bibby?
21:54 <+bridge> like, that's important shit
21:54 <+bridge> https://tenor.com/view/ed-edd-eddy-bet-gif-19216515
21:54 <+bridge> oh bippy :troll:
21:55 <+bridge> Ah sounds like brainrot
21:55 <+bridge> i dont think i assumed bad faith before, just the point that its unmaintainable code and goes against all rules
21:55 <+bridge> good old 2010 brainrot
21:56 <+bridge> we have 3 admins in our staff team that can read and write rust, calling it unmaintainable makes as much sense as saying every python script is, because the core project is written in C++
21:56 <+bridge> Idk about the "all rules" part, where it's still dependent on what the founder wishes at the end of the day
21:57 <+bridge> which of those are maintainers?
21:57 <+bridge> From what I've read so far, it will be disclosed on the next release. Not earlier than that.
21:57 <+bridge> 2/3
21:57 <+bridge> One of them has just started learning Rust, what a developer
21:57 <+bridge> let me know who are the 3 admins, ill check out commits to the repo
21:58 <+bridge> contribution != Knowledge
21:58 <+bridge> Well then that could've been said so
21:58 <+bridge> knowledge != activity
21:58 <+bridge> (I just did 👀)
21:58 <+bridge> in that moment when it was asked why its done
21:58 <+bridge> knowledge doesn't matter if they don't contribute
21:58 <+bridge> why u talk like corpospeak, are u bound by a nda to not say stuff?
21:58 <+bridge> 🐴
21:58 <+bridge> Obviously too late tho
21:59 <+bridge> imo, Rust is still new and might cause trouble in the future, I get that point on why not use Rust in production yet
21:59 <+bridge> Yes, I've talked about it as well, and I fully agree.
21:59 <+bridge> uh hiding dev related things seems like a new low ball
21:59 <+bridge> i didnt expect that
21:59 <+bridge> also if its some thing like announcing accounts its even worse
22:00 <+bridge> So all people close to heinrich scatter, ironic
22:00 <+bridge> https://discord.com/channels/252358080522747904/293493549758939136/1495150110043017377
22:00 <+bridge> also if it was a security issue there are better ways
22:00 <+bridge> I would like at least the man himself commenting on the issue
22:00 <+bridge> whats astonishing is how u assume we will assume keeping things secrets when this was never done before would be accepted blindly
22:00 <+bridge> I doubt that xd If its that I'd jump off a mountain (in minecraft)
22:01 <+bridge> im sorry but dont expect to treat us like dumb lol
22:01 <+bridge> big :f3:
22:01 <+bridge> whats worse is u not sharing this then with usual devs
22:01 <+bridge> like kebs?
22:01 <+bridge> im rly confused now
22:01 <+bridge> finally a developer in this space who says the fckin obvious
22:01 <+bridge> .
22:02 <+bridge> Well I did say there is a good reason for it, even said we can talk about it afterwards if the reason felt unsatisfactory, a month ago when the PR was initially made
22:02 <+bridge> this is not how u do things in a project like this, at least there is no previous thing alike, and imho its rly unfaithful to other devs
22:03 <+bridge> Learath, melon, any admin, can we get heinrich to talk with us here?
22:03 <+bridge> i mean everywhere gatekeeping is never seen in good sight
22:03 <+bridge> At least to have him talk to Kebs, properly
22:03 <+bridge> And not ghost him
22:04 <+bridge> Its not a "Voxel" situation again, Kebs is normal
22:04 <+bridge> @fokkonaut got timed out for speaking about the pr 2 days ago, you guys didnt even try to handle it not poorly
22:04 <+bridge> and hes still timed out btw, if you could remove that :)
22:04 <+bridge> Its not a "Voxel" situation again, Kebs is normal, you can talk to him
22:05 <+bridge> https://cdn.discordapp.com/attachments/293493549758939136/1495153357340545174/image.png?ex=69e53592&is=69e3e412&hm=0fda52efb37d1755a8e8a1b706cc318547b2d6dd15ed1038f137a08760b50d47&
22:05 <+bridge> okay i guess there is a big security issue related to snaps somewhere
22:05 <+bridge> but u should explain this to trusted devs
22:06 <+bridge> which at this point
22:06 <+bridge> How would you define a trusted dev?
22:06 <+bridge> im gonna check this stuff
22:06 <+bridge> this was pulled out of the rust pr on request of roby, and i helped review these changes
22:06 <+bridge> (I'm just curious, because I'd only trust very close friends with an exploit)
22:07 <+bridge> A dev who you can trust on reviewing, arguing and coming to a reasonable conclusion
22:07 <+bridge> duh
22:07 <+bridge> https://cdn.discordapp.com/attachments/293493549758939136/1495153756671578353/image.png?ex=69e535f2&is=69e3e472&hm=00383c30b6fc6fe47ab31f618fc1e507906995049220e326164616cbd5d0926e&
22:07 <+bridge> So you guys would trust people who just contribute to a code base a lot?
22:08 <+bridge> id trust them more than someone that wasnt active on discord for years and then comes back to spin up drama
22:08 <+bridge> Plot twist: heinrich abandons all community media, just to do whatever
22:08 <+bridge> kinda yes kebs been around for long
22:08 <+bridge> hi tater
22:09 <+bridge> so this is all hiding a security release
22:09 <+bridge> that was kinda obvious
22:09 <+bridge> He never was an asshole or entitled to me
22:10 <+bridge> Which is kinda weird
22:10 <+bridge> but still true
22:10 <+bridge> ok so this is all about a rce
22:11 <+bridge> that is also pretty stupid. let the server owners know first so they can update their mods to not be vulnerable. unless it's not a security related issue.
22:11 <+bridge> depends on what exactly the issue is but yes agreed
22:11 <+bridge> avo won't merge upstream in 100 years if you don't tell him
22:12 <+bridge> I don't know how I feel about that. I recently watched a video about the xz utils case, where a contributor built up trust over time by contributing a lot, became a maintainer, and then slipped a backdoor into the project. There are likely more examples like this, so I find it hard to agree with that idea.
22:12 <+bridge> Also I trust long time developers more, than you climbing the ladder to admin, only to not have anything important to be discussed cuz someone in the admin team said so
22:12 <+bridge> xz is used worldwide and u can target big targets with it, ddnet is a game
22:13 <+bridge> Thats not relevant to my question though.
22:13 <+bridge> how can we tell you arent slipping a backdoor?
22:13 <+bridge> at least contributor's prs are reviewed
22:13 <+bridge> your argument is invalid though
22:13 <+bridge> I mean that is not relevant at all to this conversation, this PR went through technical review.
What was unsettled was other concerns
22:14 <+bridge> less than a day omfg
22:14 <+bridge> It was just an example to show that "someone who contributes a lot can be trusted" is not a reliable assumption, at least not if that is the only factor considered
22:14 <+bridge> ye looks like less than a day since last commit
22:14 <+bridge> A month, the PR was made exactly 1 month ago today
22:14 <+bridge> (Yes, pretty off-topic, I was just curious 😄)
22:14 <+bridge> nvm
22:14 <+bridge> wrong time format
22:15 <+bridge> What argument?
22:15 <+bridge> so why cant a maintainer go rogue?
22:15 <+bridge> in 99.9999% of the cases and especially for a game with only a few thousand players. anyone that spends thousands of hours of contributing can definitely be trusted
22:15 <+bridge> That can happen, of course
22:15 <+bridge> example to show? Shaming a long time contributor???
22:16 <+bridge> Dare
22:16 <+bridge> you'll never be able to get in front of this, there are cases of fully open source software getting backdoored by very long term contributors
22:16 <+bridge> yea im seeing this happening rn on ddnet repo
22:16 <+bridge> That doesn't mean you should
22:16 <+bridge> pr against the community
22:17 <+bridge> even if its not a literal backdoor its still not what community wants to see
22:17 <+bridge> While you were chatting here, Fox reworked MomentCap for 0XF :)
22:17 <+bridge>
22:17 <+bridge> I'm just sharing my little achievement in this matter.
22:17 <+bridge> https://cdn.discordapp.com/attachments/293493549758939136/1495156328019001374/image.png?ex=69e53857&is=69e3e6d7&hm=74c0cc93e5ca56309e9bdf4d82d7952c47c56f5fa876d3bca158321421427f8c&
22:17 <+bridge> that someone is going to intentionally gain your trust over years and then backdooring or exploiting things.
there are already multiple exploits around the codebase that 0 people are using because no one gives a shit
22:17 <+bridge> sadly it's still a small close group
22:17 <+bridge> Do you really think if the maintainers wanted to add a secret backdoor they'd do it with a public PR?
22:17 <+bridge> you're blindly trusting him so does it matter?
22:17 <+bridge> yes, why not think it
22:18 <+bridge> If you don't trust us then you just can't use anything we ship. So this discussion as a whole is pointless
22:18 <+bridge> No one is trustful
22:18 <+bridge> it seems
22:18 <+bridge> I'm not sure how that relates to my initial question?
22:18 <+bridge> Running 3rd party software is always trust. You have to trust the person that wrote the code that produced the binaries. If you don't there is no recovering from that
22:19 <+bridge> this argument
22:19 <+bridge> is not valid for ddnet
22:19 <+bridge> ok, ok! Let's hypothetically say that a backdoor is found. Who would be responsible then?
22:20 <+bridge> The client did not really require rust to build before this PR. Adding rust as a requirement for the client without any discussion should have been very predictable backlash. I was/am very strongly considering hard forking ddnet to avoid this patch.
22:21 <+bridge> How would you know, though? It is clear we are dealing with a security vulnerability, but assuming that anyone who has contributed a lot should automatically be trusted with that information is not the right approach (as shown by real-world examples).
22:21 <+bridge> I kinda see why some devs from this community wanted TeeGalaxy to be real
22:22 <+bridge> real world examples that are picked from world headlines ye xd
22:22 <+bridge> It doesn't even matter how big the project is, that's just sound judgement
22:22 <+bridge> What about the "if it works don't fix it" principle
22:22 <+bridge> i bet you could make a groupchat with all active developers and nothing would ever leak out of that chat
22:22 <+bridge> Does that matter? It happened, it's a fact, and not the only occurrence that has happened.
22:23 <+bridge> well... uh no.
22:23 <+bridge> I have gotten screenshots from secret dev cabals before, so I'd say a firm no to that
22:23 <+bridge> This... ^^
22:23 <+bridge> ok, someone will have to take blame when it all goes wrong tho
22:24 <+bridge> And so far the closest being Heinrich is avoiding us
22:24 <+bridge> So what then? Can we trust Heinrich
22:24 <+bridge> i bet this is like a 2 line c++ fix instead of a full rust rewrite
22:25 <+bridge> Did that change break things?
22:25 <+bridge> jupstar isn't here anymore, i said active
22:26 <+bridge> if so, they have to fix it **immediately**
22:26 <+bridge> I mean he had reached the highest level of trust you can reach within this project before you become green
22:26 <+bridge> true
22:27 <+bridge> doing it in rust brought more attention to the matter than simply fixing it
22:27 <+bridge> ill just say that
22:27 <+bridge> (and im a rust prophet)
22:29 <+bridge> was there a reason for it being fixed in rust?
22:31 <+bridge> 🤨
22:32 <+bridge> Someone leaked me how several block servers were doing client detection looong ago
22:33 <+bridge> AI says about the old c++ code in the PR:
22:33 <+bridge> Vulnerability 1: Stack buffer overflow via UndiffItem size mismatch
22:33 <+bridge> Vulnerability 2: CreateDelta unbounded output buffer
22:33 <+bridge> Vulnerability 3: Missing minimum size check in UnpackDelta
22:33 <+bridge> Vulnerability 4: Pointer arithmetic UB enabling check bypass
22:33 <+bridge>
22:33 <+bridge> seems all are easily fixable in c++
22:33 <+bridge> Very nice that you are all very responsibly dragging this out into the public before the release
22:34 <+bridge> Crazy
22:34 <+bridge> :bruh:
22:34 <+bridge> well release then, or you can't because you didn't review the code and the build is broken?
22:34 <+bridge> I think you should write a quick PoC to make it easier
22:35 <+bridge> sure, which one of the 4 is it
22:35 <+bridge> 🦆
22:35 <+bridge> or smth else?
22:35 <+bridge> are we going to pretend AI doesn't exist? anyone looking at the "rewrite random code in rust" PR can get a pretty good clue and find it without any knowledge
22:36 <+bridge> he's assuming everyone here is dumb i guess
22:36 <+bridge> You didn't even figure out it was a security issue, even after two people figured it out and said it right here
22:37 <+bridge> Anyway, I'm not saying anything else.
Yes it is a security issue, yes it'll be disclosed with the release
22:37 <+bridge> who cares it's a security issue?
22:37 <+bridge> :justatest: 💀
22:37 <+bridge> Kinda funny, I was about to send "Once the exploit is public, someone could probably reimplement a fix in pure C++ if they're willing to put in the work. If that works out, the Rust dependency could always be dropped again later.", but oh well
22:37 <+bridge> I thought everyone understood it was a security issue without saying anything
22:38 <+bridge> mhm i wonder how that'll go with the rust code being heinrich's
22:38 <+bridge> the people with an AI able to abuse it :BRUHH:
22:38 <+bridge> I knew it was a communication issue
22:38 <+bridge> heinrich tried fixing it in C++ initially, but unsuccessfully.
22:38 <+bridge> shocker 😂
22:38 <+bridge> except some people are incapable of shutting the fuck up so
22:38 <+bridge> So it was a skill issue after all
22:39 <+bridge> that ship has sailed
22:39 <+bridge> It's not even that hard to understand. A PR that is getting through quicker than usual, some comments not being replied to. Wow I wonder what it could be
22:40 <+bridge> I think it's naive to think that this would get through without it being uncovered
22:40 <+bridge> Do you all do this on security REWRITES
22:40 <+bridge> It's just common courtesy to not randomly air out stuff like this that you find. You want a gold medal for figuring out the obvious? Just DM me next time and I'll praise you
22:40 <+bridge> if it's obvious, what's the point of ignoring the community?
22:40 <+bridge> That..
22:40 <+bridge> What
22:40 <+bridge> That's
22:40 <+bridge> ok no
22:40 <+bridge> murp, we go back mhw
22:40 <+bridge> yes
22:40 <+bridge> gl frens!
22:41 <+bridge> kebs was threatening to delete all his PRs before it was merged and you did not message him privately to ensure he understood?
22:41 <+bridge> maybe get some sleep, you're surprisingly angry today
22:41 <+bridge> That kind of rabbit hole I went through already, 5 stages of grief and all that
22:41 <+bridge> we're just discussing and you're trying to be funny but getting angry instead
22:42 <+bridge> i guess that was his intention and now he's trying to save face
22:43 <+bridge> I did tell him the very first day that there is a very good reason for it. Why do you think I should have disclosed it any further to him? No offense but all I know about him is that he is a very active contributor. I don't know who he is, what he does, what his ethics are, who he might further disclose it to
22:44 <+bridge> if he threatens to delete work and leave then I think you have enough context to understand that "a very good reason" will not be enough
22:44 <+bridge> hostile community
22:44 <+bridge> after my 200 PRs you can't even mention it's a security issue
22:46 <+bridge> People don't build trust in others just due to the amount of code you write
22:46 <+bridge> I'm sorry but the most I could have told him extra is that it's about security, as you mentioned that is obvious information, so I don't see what that would have done.
22:46 <+bridge> yep that's why I'm also active here :D
22:47 <+bridge> I like your work, that's all I can say about you. That's pretty much all I know about you, you commit good code
22:48 <+bridge> If it's so obvious why can't you just say that it's a security issue, the risk of explaining it to someone who doesn't understand what's happening and also wants the best for the project is so much lower than being secret
22:50 <+bridge> you don't even need the PR in the first place if someone wants to be malicious, you can literally just point AI at the ddnet codebase and say "find vulnerability" and it will probably find it
22:50 <+bridge> Hindsight is 20/20. I did not expect this to blow up into such a huge drama.
It went much better in my mind, we make the PR, it gets a technical review, we merge it, we make a release, it's disclosed and everyone just says "OH, I guess it makes sense that this PR got merged so quickly"
22:50 <+bridge> it wasn't quick and i was the one that reviewed the technical part
22:50 <+bridge> u did not do any reviewing
22:51 <+bridge> and it instantly broke the build after getting merged
22:51 <+bridge> is it catastrophically bad to state in the 10,000 LoC PR that it's a security patch?
22:52 <+bridge> I have two reviews in there that are completely public and that is assuming we didn't talk at all about it by any other means
22:52 <+bridge> yeah and ur reviews aren't addressed
22:52 <+bridge> i don't want rust::slice in server code either
22:53 <+bridge> this game of "ship the security patch into open source project without anyone noticing" isn't new, other projects have protocols for this
22:53 <+bridge> that's pretty sad to say after 10k messages in #developer
22:53 <+bridge> @learath2 the 200 iq move is u should have had robyt make the PR, and in c++
22:53 <+bridge> everyone trusts robyt
22:53 <+bridge> Does the protocol involve announcing to all contributors that there is a significant security issue without having a patch or a release?
22:54 <+bridge> Yeah, no one would have batted an eye. I just didn't expect there to be such a huge amount of distaste towards Rust
22:54 <+bridge> it's no surprise hein is seen in a special way by lot of ppl here
22:54 <+bridge> Robyt3 reworking stuff is just another tuesday
22:54 <+bridge> he was the worst to do it
22:54 <+bridge> it's a combo of rust and hein
22:55 <+bridge> there was a 5 thumbs up comment about hating on rust in the PR before it was merged .-.
22:55 <+bridge> I agree on having someone more competent to implement it in c++, if not heinrich
22:55 <+bridge> cmon cellegen
22:55 <+bridge> stop xD
22:55 <+bridge> what
22:56 <+bridge> ur random comments make no sense,
22:56 <+bridge> heinrich is rly competent in c++
22:56 <+bridge> I think we all should have recalled our previous lives as open source devs and chosen the path of least dissatisfaction from the first place.
22:56 <+bridge> if you do not tell anyone, but someone malicious finds out then you put all users at risk because they don't know they are running vulnerable software. so most prefer to be public
22:56 <+bridge> Then why did he write it in rust
22:57 <+bridge> I mean yeah there are things I can say about his personality from those messages, but that's mostly irrelevant here. Honestly, I'd trust about 10 people with this one, if it was more critical I would trust like 3-4 people total
23:00 <+bridge> I seriously do not get why you'd want us to be more transparent with security vulnerabilities of all things, especially before there is a fix in place for them. I don't think you expect anyone else to operate this way. Surely you wouldn't want Postgres airing out critical vulnerabilities to the dozens of active contributors they have
23:01 <+bridge> if it's so critical that no one can know then you should ship a release before opening the PR
23:01 <+bridge> We thought this was more transparent...
23:01 <+bridge> There was one other viable option IMHO, the fix could have been explicit. The PR could be named "fix security vulnerability in ...".
Would have been immediately merged and released, perhaps that would be better
23:02 <+bridge> 10k loc rust rewrite >>>> accounts
23:02 <+bridge> it's still 10k of rust
23:02 <+bridge> you guys do know most of it is generated code, right(?)
23:03 <+bridge> time to step down then
23:03 <+bridge> like. 9.2k LoC are generated
23:03 <+bridge> if you can't fix a vulnerability in c++ and have to AI-generate rust
23:03 <+bridge> maybe time to retire
23:03 <+bridge> opening the PR puts you on a timer, but if you say nothing then you can test and push out a hotfix before explaining anything
23:03 <+bridge> i did not mean generate as in AI generated it -.-
23:03 <+bridge> if you can't fix a vulnerability in c++ and have to AI-generate 10k loc rust
23:03 <+bridge> that you'll have to talk to heinrich about, I can't help you with that
23:04 <+bridge> if the vast majority of users are not vulnerable then the motivation to abuse the exploit is low
23:05 <+bridge> that's basically how browsers operate
23:05 <+bridge> i think a protocol should be set or drafted
23:05 <+bridge> The vulnerability was disclosed to me, we thought about 2-3 options on how the fix might be deployed responsibly. We thought a PR that gets a technical review and a post release announcement was the best option. We disclosed it to others that we deemed were relevant to the decision that needed to be made, they didn't disagree.
23:05 <+bridge>
23:05 <+bridge> Again, hindsight is 20/20. I would definitely handle this differently seeing the outcome.
A release followed by the PR is likely a better idea
23:05 <+bridge> to follow in future
23:05 <+bridge> and avoid this
23:07 <+bridge> he got timed out for sending a meme about something I said
23:07 <+bridge> Our bad, we can maybe all talk about a future protocol that is more acceptable to everyone (I'm not amicable to just telling all 44 purple roled people, that's way too wide a spread especially for more critical issues)
23:07 <+bridge> Definitely a good idea to have something in place for situations like this. If you have suggestions or maybe best practices from other projects I'm all ears
23:08 <+bridge> even worse
23:08 <+bridge> time out for a meme
23:09 <+bridge> 💀
23:10 <+bridge> and u guys didn't remove the timeout yet
23:10 <+bridge> Russians, are you going to block club on voice?
23:11 <+bridge> there's no point in saving face "acceptable to everyone"
23:11 <+bridge> I think it would have been fine to state that the PR was for security from the start and no one would have cared. that's why I did not comment on it but I knew that others would not be fine with unexplained 10k rust loc
23:11 <+bridge> ignore ppl in PRs, timeout for anything, no wonder there are no contributors
23:11 <+bridge> That's your opinion and you are entitled to it
23:13 <+bridge> replacing the whole part of the code with another language pretty much covers you from peeping the diff to figure out where the exploit is, which I honestly thought was the whole point
23:13 <+bridge> that's the whole reason we can talk about it right now and it's still inconsequential
23:13 <+bridge> It was also a lot of snapshot refactoring that was needed, that part of the code is quite a mess and dangerous
23:14 <+bridge> I think the second we add a security tag to it everyone starts looking into the specifics, then I
don't think we get to leave it up for review at all. At that point IMO it needs to be instantly merged
23:15 <+bridge> what exactly is the point of this comment?
23:16 <+bridge> I've seen other projects state that something is for security when the patch is large enough that it's not obvious. It's not something you can always do but it's also not unusual
23:16 <+bridge> <_laveer> Might this be helpful? Never used it, but sounds exactly like what is needed
23:16 <+bridge> <_laveer> https://docs.github.com/en/code-security/concepts/vulnerability-reporting-and-management/about-repository-security-advisories
23:16 <+bridge> tater already mentioned more suggestions on how to handle it above, it still puts people at risk if they don't know there is an issue in the first place
23:16 <+bridge> if people were made aware they could have just waited for a fix
23:17 <+bridge> What was the point of his comment?
23:17 <+bridge> I hope you're not having a bad day or something
23:17 <+bridge> w ragebait
23:18 <+bridge> chastising learath for this but not kebs for *gestures vaguely at this whole conversation* is crazy
23:19 <+bridge> Like why is it always personal? I'm having an excellent day, thanks for asking
23:19 <+bridge> kebs said exactly what he was gonna do before he did it
23:20 <+bridge> I'm very glad, I just was wondering why you would waste your time saying that
23:20 <+bridge> he's referring to the numerous jabs kebs always takes at maintainers, not abt deleting PRs
23:20 <+bridge> or especially in this convo
23:20 <+bridge> it wasn't meant as a jab
23:20 <+bridge> I think he actually is referring to the deleting PRs which is what brought up this conversation
23:20 <+bridge> This is more for libraries and stuff other people are using.
This alerts all people who are using your library somehow IIRC
23:20 <+bridge> hehe
23:21 <+bridge> nope, louis was correct
23:21 <+bridge> I don't mind someone leaving, that's always allowed in open source
23:22 <+bridge> https://discord.com/channels/252358080522747904/293493549758939136/1495145132800872680 , however,
23:22 <+bridge> if it was only one
23:22 <+bridge> it's just that this situation was poorly handled but lea already said it above
23:22 <+bridge> <_laveer> I think somewhere deep in github there should be tools for this issue, after all ddnet isn't the only project with such problems
23:22 <+bridge> i have my reasons, i don't see him as someone friendly
23:22 <+bridge> I clearly said I respect his decision. At that point I can only wish that my explanation is enough to satisfy him. Can't really do much else
23:28 <+bridge> it seems weird to put on an act like it's a normal PR that can be reviewed openly. There's nothing wrong with reviewing privately and then committing to main or merging in 10 minutes if it's for security
23:30 <+bridge> Again, our bad, I thought that would be received worse than this. A binary release followed by a PR would perhaps just have been better
23:31 <+bridge> or maybe some transparency?
23:31 <+bridge> who even does that
23:31 <+bridge> ignore every concern
23:31 <+bridge> doesn't matter it's a security fix
23:31 <+bridge> What level of transparency did you need here? Would "it's a security issue and we need to get this merged quick" be enough?
23:32 <+bridge> I don't think I can give you more than that without it getting an immediate merge and release (or even a release and merge, in the opposite order)
23:32 <+bridge> might have been better to warn people before the binary or PR without details so people have enough time to react
23:33 <+bridge> too late to ask this, there are comments in the PR :)
23:34 <+bridge> Comments that we could at a maximum have answered with "this is also fixing a security issue, so we need to merge this quick". I'm asking whether that'd have been good enough
23:35 <+bridge> the lack of communication is one part that did upset people so probably
23:36 <+bridge> there are comments - don't ignore them, whatever you feel like is enough
23:38 <+bridge> That's all I think I could have said publicly about it. I think some people immediately knew it was a security thing, and the people that didn't know, well we didn't want people knowing and digging around in it.
23:38 <+bridge> At least that was my thinking in not replying to anything non-technical
23:38 <+bridge> I can't speak for why heinrich didn't reply, but I'm guessing his thinking was similar
23:40 <+bridge> Just saying it's for security doesn't disclose how bad it is, javascript projects often just say "security" in the PR and then it gets insta merged.
23:42 <+bridge> When you say nothing and ignore comments people start to assume the worst possible thing
23:43 <+bridge> Well I hope this never needs to happen again but in the future perhaps a security tag on the PR might be appropriate to indicate that this will be fast tracked, that some questions might not be answered and we'd appreciate you not digging around publicly
23:46 <+bridge> I'm not sure any server->client vuln is worth losing contributors to keep secret. The attack requires joining a malicious server which can be avoided by users.
I would have just explained it as soon as drama happened
23:47 <+bridge> I would also assume there are more server->client bugs that we haven't found, i kinda thought this was understood to be true
23:47 <+bridge> Well I really still won't go into any detail until it is released as an update
23:47 <+bridge> users could have also been protected by a warning in this case, I really don't see the benefit of trying to hide this in plain sight
23:52 <+bridge> Anyway, I do need to sleep. I will again apologize for how this ended up getting handled. I won't really apologize for keeping the details of a security vulnerability in as small a group as possible as I still think that's best practice.
23:53 <+bridge> We should really come up with a process that streamlines this as we will likely get more vulnerabilities in the future, this is C++ after all. If you have examples of best practices from larger projects or ideas, feel free to discuss those and let us know
23:53 <+bridge> I think most of us see where you are coming from but hopefully this will be handled differently if it ever happened again
23:55 <+bridge> the easiest is probably just to put out a generic warning telling people to not play if they wanna play it safe when there is a critical issue then immediately target a new release
23:56 <+bridge> it's how I have seen it in other projects not just open source
23:56 <+bridge> In hindsight my current thinking of a process is:
23:56 <+bridge> - A pre-warning depending on how critical the issue is
23:56 <+bridge> - A binary update with the changelog indicating "(semi-)critical security issue addressed"
23:56 <+bridge> - A grace period so people can get a chance to upgrade
23:56 <+bridge> - A PR and a full disclosure reunifying the master branch with the binary release
23:56 <+bridge> we live and we learn, hope you get a good rest
23:57 <+bridge> Yeah, I'll go get some sleep.
Feel free to comment on it or propose alternatives, but that is what I'm planning for the next time this happens