FaTony wrote: This really shows that Xonotic developers are insecure and possessive. We value free software because we want to play games the way we want. Banning legitimate servers is censorship that is not tolerable in a free society.
charlie wrote: However, isn't the advantage of open source the ability to do something about it? You, or people who care - such as those running the mods - can fork Xonotic. You can keep it in sync, so you don't have to do anything other than maintain the reversion of the ban.
Or do you desire to control their development, because they do something you do not like?
leilei wrote: This is not "censorship", it's a filter workaround to maintain the Xonotic experience.
andrewj wrote: While I don't like the idea of servers being completely hidden from the user (and no way of knowing they exist or to turn off the hiding), I bet the Xonotic developers have good reasons to ban those servers.
c_xong wrote: Usually games have a "modded server" filter that the user can choose, so they can play on modded servers or vanilla ones as they please. Is this what the Nexuiz servers essentially are, or is there more to the story?
c_xong wrote: FaTony is not giving us the full story here.
FaTony wrote:
leilei wrote: This is not "censorship", it's a filter workaround to maintain the Xonotic experience.
I couldn't care less about "Xonotic experience" or "Red Eclipse experience" or any other vanilla game experience. I have chosen free software to play the game the way I want, not what devs want.
FaTony wrote: which is compiled into the bytecode. This makes it possible to make client-side mods and upload the bytecode to the client during connection.
Sauer2 wrote: That reminds me to ask OT stuff: Has anybody (or do you know someone security related that) tried to create a server that uploads handcrafted bytecode to break out of the VM?
To clarify: Do QuakeC VMs have some kind of bytecode verifier, or do Quake-like players rely on servers that are assumed to be trustworthy?
FaTony wrote:
Sauer2 wrote: That reminds me to ask OT stuff: Has anybody (or do you know someone security related that) tried to create a server that uploads handcrafted bytecode to break out of the VM?
To clarify: Do QuakeC VMs have some kind of bytecode verifier, or do Quake-like players rely on servers that are assumed to be trustworthy?
I would guess that each function that is possible to call from VM has been audited for security. Otherwise, there would be tons of viruses from the Quake days.
Sauer2 wrote: That reminds me to ask OT stuff: Has anybody (or do you know someone security related that) tried to create a server that uploads handcrafted bytecode to break out of the VM?
To clarify: Do QuakeC VMs have some kind of bytecode verifier, or do Quake-like players rely on servers that are assumed to be trustworthy?
andrewj wrote: There are also two other VMs which run client-side, which are mainly UI stuff. These can be downloaded from the server (i.e. the server can supply modded client-side QuakeC code). There is a CRC check to guarantee that the client has the VM code which the server expects -- that check may be optional though (I'm not sure).
FaTony wrote: The question is: can malicious code escape from those VMs?
andrewj wrote: So no, downloaded client-side VMs cannot do anything malicious.
onpon4 wrote: I think the more interesting question is: does Xonotic download these programs by default without consulting the user?
If possible, all content that is uploaded to the client should have a license which can be checked before downloading the content.
As with JavaScript that makes most people run proprietary software automatically without their acknowledgement, proprietary content that is automatically uploaded to the client is a threat to freedom. A good game will at least display a warning message before downloading proprietary content.
If possible, there should be a way to easily download the source code of all custom content that is used by the server.
If you are playing it, you should have access to the source. If you don't have it, you are playing a proprietary game even if it is on a specific server.
Sauer2 wrote: Assuming the client verifies the bytecode sufficiently.
andrewj wrote: QuakeC has a much, much smaller scope and is perfectly sandboxed (barring bugs in the engine).
onpon4 wrote: Could anyone link to some examples of these programs, or a document explaining what they do in better detail? I don't know what to look for in the Xonotic source code.