[Freeciv-Dev] [patch #3296] Makerules.mk

2012-05-12 Thread Marko Lindqvist 
URL:
  

 Summary: Makerules.mk
 Project: Freeciv
Submitted by: cazfi
Submitted on: Sun 13 May 2012 01:23:10 AM EEST
Category: bootstrap
Priority: 5 - Normal
  Status: Ready For Test
 Privacy: Public
 Assigned to: None
Originator Email: 
 Open/Closed: Open
 Discussion Lock: Any
 Planned Release: 2.5.0

___

Details:

Add new file boostrap/Makerules.mk and put similar Qt meta object source build
rules from modinst/Makefile.am and client/gui-qt/Makefile.am to it.



___

File Attachments:


---
Date: Sun 13 May 2012 01:23:10 AM EEST  Name: Makerules.diff  Size: 3kB   By:
cazfi



___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [bug #15725] [Metaticket] Lua script security

2012-05-12 Thread Jacob Nevins 
Follow-up Comment #6, bug #15725 (project freeciv):

Any reason to keep this ticket open? There's been no movement on it for quite
some time.

___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [patch #2829] Text data files with native line endings

2012-05-12 Thread Marko Lindqvist 
Follow-up Comment #4, patch #2829 (project freeciv):

Would it cause notable problems for any developer that ruleset data must be
built after every srcfile modification? Currently one can just modify ruleset
and start freeciv immediately to test out the changes (or even reload files to
already running freeciv), but after this change one would need to 'make' in
between ruleset src modification and their use.

When/if we decide to build srcfiles, we could make also other conversions from
src to dest. Compressing the files comes to mind. Currently build process
unconditionally gzips included scenarios, but no other file gets compressed
with any method. We could compress some datafiles with best compression method
that freeciv being built will support.

___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [bug #19729] luasql (database.lua) threat model unclear, security measures get in the way

2012-05-12 Thread Jacob Nevins 
URL:
  

 Summary: luasql (database.lua) threat model unclear, security
measures get in the way
 Project: Freeciv
Submitted by: jtn
Submitted on: Sat May 12 21:35:00 2012
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
  Status: Need Info
 Assigned to: None
Originator Email: 
 Open/Closed: Open
 Release: S2_4
 Discussion Lock: Any
Operating System: Any
 Planned Release: 2.4.0,2.5.0

___

Details:

data/database.lua (the Lua script handling authentication and database access
in 2.4+) is loaded in its own Lua instance, separate from the instance in
which the older server-side "game"/"scenario" scripts run.

However, the "auth" Lua instance gets the same restricted environment that
"scenario" scripts do (see bug #15624, bug #15725).

Right now this is a pain for me because for patch #3287, I want to call Lua's
os.time() rather than invoke non-portable SQL time functions (as used
currently). The "os" module is not included in the restricted environment.

In general, it seems a bit daft for the database script, which has read/write
access to some of the highest-value data the server deals with (user
credentials) as well as a suite of general-purpose database access functions,
to run with the same restrictions as "scenario" scripts. Perhaps this instance
should run in an unrestricted Lua?

The threat model which the Lua security measures are responding to is a bit
murky. Bug #15624 indicates that the desire is to allow users to continue to
confidently treat downloaded scenarios/rulesets as "simple data", without any
risk that embedded scripts can have any nasty effects beyond the game
environment they're running in (such as disclosing or overwriting user data
outside Freeciv). Now we have freeciv-modpack, that assurance should probably
extend to anything a user downloads with it.

It seems fairly clear that that threat model shouldn't apply to database.lua,
because that's essentially part of the server. So it's tempting to remove the
restrictions for the auth instance. (Perhaps that would also mollify Michal
per bug #19006?)

However...

database.lua is loaded from the data path, which defaults to:


.
./data
~/.freeciv/
${datarootdir}/freeciv


and can be overridden by environment variables FREECIV_DATA_PATH and
FREECIV_PATH. Thus, there is plenty of scope for an attacker to override the
standard database.lua by tricking a user into running the server from a chosen
directory, or (I think) by tricking them into downloading a dodgy modpack via
freeciv-modpack.

Even with things as they stand, such an attacker would be able to impersonate
other Freeciv server users, or possibly leak their credentials via side
channels. If we remove the Lua restrictions for database.lua, they could do
much more.

Looking at the contents of data/, I think database.lua is probably the first
file in there with this sort of security property. Other "code"-y files
include game scripts (handled by existing Lua security) and .serv files (only
limited potential for mischief -- "save ~/.bashrc").

So, even if I find another solution for my os.time() issue (such as
whitelisting bits of os.*), we still have a problem. What should we do about
it?
* Invent a new category of "data" file, with database.lua as the only current
member, loaded from a much more restrictive default path that only includes
the installation path (cf patch #2827)?
** How will a non-root server operator override it on a machine where Freeciv
is installed system-wide? Is an environment variable acceptable? That would
still be sufficient guard against the dodgy-modpack / chosen-directory
attack.

If we do mitigate the path problem, would there be any other issue with
relaxing the restrictions on database.lua?




___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [bug #19006] Add a lua_blacklist setting

2012-05-12 Thread Jacob Nevins 
Follow-up Comment #1, bug #19006 (project freeciv):

See Michal's post to freeciv-dev
 and followups
for discussion of this.

___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [patch #2829] Text data files with native line endings

2012-05-12 Thread Marko Lindqvist 
Follow-up Comment #3, patch #2829 (project freeciv):

Notable conceptual change here would be that data files would be built. We
currently have them in their final form in srcdir, but with this change we
would have some sort of srcfile (game.ruleset.stxt) in srcdir which is then
built to final file in builddir.

Last summer I said that this would make crosser builds impossible, as those
builds depended on data-directory taken from version control to work as is.
That's no longer the case. Reworked ("new style") crosser builds have data
files gone through build system.

___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [patch #2874] [lua] files needed for the ftwl client if client lua script is added

2012-05-12 Thread Marko Lindqvist 
Update of patch #2874 (project freeciv):

  Status:None => Wont Do
 Assigned to:None => cazfi  
 Open/Closed:Open => Closed 


___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [patch #3295] Maglev to experimental ruleset

2012-05-12 Thread Marko Lindqvist 
URL:
  

 Summary: Maglev to experimental ruleset
 Project: Freeciv
Submitted by: cazfi
Submitted on: Sat 12 May 2012 09:38:40 PM EEST
Category: rulesets
Priority: 5 - Normal
  Status: None
 Privacy: Public
 Assigned to: None
Originator Email: 
 Open/Closed: Open
 Discussion Lock: Any
 Planned Release: 

___

Details:

Just an idea how we could demo gen-roads in experimental ruleset as soon as
third road type is possible.

Add road type "Maglev" available from "Superconductors".
Adjust move costs so that Road 1/3 -> 2/3, Railroad instant -> 1/3, Maglev
instant. So unit with 3/3 movement would move 2 (using their 2 + 1 movement
fragments) tiles a turn via Road, 3 (1+1+1) via Railroad, and anywher via
Maglev.
Should some other bonuses provided by road types be adjusted?

Biggest obstacle in implementing this is that we would need gfx for maglev in
all official tilesets.





___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [patch #3294] Remove handling of obsolete road building activities

2012-05-12 Thread Marko Lindqvist 
Update of patch #3294 (project freeciv):

  Depends on: => patch #3293


___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [patch #3294] Remove handling of obsolete road building activities

2012-05-12 Thread Marko Lindqvist 
URL:
  

 Summary: Remove handling of obsolete road building activities
 Project: Freeciv
Submitted by: cazfi
Submitted on: Sat 12 May 2012 08:23:56 PM EEST
Category: general
Priority: 5 - Normal
  Status: Ready For Test
 Privacy: Public
 Assigned to: None
Originator Email: 
 Open/Closed: Open
 Discussion Lock: Any
 Planned Release: 2.5.0

___

Details:

Rename old road building activities ACTIVITY_ROAD and ACTIVITY_RAILROAD as
ACTIVITY_OLD_ROAD and ACTIVITY_OLD_RAILROAD, and remove most of the code
related to them. Only compatibility code for loading old savegames remain.



___

File Attachments:


---
Date: Sat 12 May 2012 08:23:56 PM EEST  Name: ActRoadRm.diff  Size: 17kB   By:
cazfi



___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [patch #3293] Xaw gen-road road connect commands

2012-05-12 Thread Marko Lindqvist 
URL:
  

 Summary: Xaw gen-road road connect commands
 Project: Freeciv
Submitted by: cazfi
Submitted on: Sat 12 May 2012 08:02:59 PM EEST
Category: client-xaw
Priority: 5 - Normal
  Status: Ready For Test
 Privacy: Public
 Assigned to: None
Originator Email: 
 Open/Closed: Open
 Discussion Lock: Any
 Planned Release: 2.5.0

___

Details:

I somehow missed Xaw-client keyboard issued commands when converting road
connect commands to use ACTIVITY_GEN_ROAD instead of old ACTIVITY_ROAD and
ACTIVITY_RAILROAD. This patch handles those.



___

File Attachments:


---
Date: Sat 12 May 2012 08:02:59 PM EEST  Name: XawGenRoadConnect.diff  Size:
1kB   By: cazfi



___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [bug #19727] Pregame chatline, start button etc missing

2012-05-12 Thread anonymous 
Follow-up Comment #1, bug #19727 (project freeciv):

Sorry for neglecting this.
I had a workaround (not sure, perhaps it's a real fix) for this for a few
months. Though a bit of testing on your side is strongly advised.

(file #15732)
___

Additional Item Attachment:

File name: new-game-screen.patch  Size:2 KB


___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [bug #19726] When worker is assigned back to road building spent movement is not restored

2012-05-12 Thread Marko Lindqvist 
Update of bug #19726 (project freeciv):

  Status:  Ready For Test => Fixed  
 Assigned to:None => cazfi  
 Open/Closed:Open => Closed 


___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [patch #3289] Remove get_activity_move_restriction()

2012-05-12 Thread Marko Lindqvist 
Update of patch #3289 (project freeciv):

  Status:  Ready For Test => Done   
 Assigned to:None => cazfi  
 Open/Closed:Open => Closed 


___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

[Freeciv-Dev] [patch #3015] Add "citizens" feature to built-in help

2012-05-12 Thread Jacob Nevins 
Update of patch #3015 (project freeciv):

 Planned Release: 2.4.0,2.5.0 => 2.5.0  

___

Follow-up Comment #1:

Postponing to 2.5: this feature does not yet have much effect on gameplay in
2.4, and this seems unlikely to change, so there's not really anything to
document.

(We may still want to work out what terminology we're using instead of
"citizens" before it escapes, though.)

___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev