
What to do with my embargoed bug reports?

33 posts, 942 views
I decided to leave the game.

I have a number of bug reports that I never posted.
What do I do with them?

Players, do you think it is better if the devs are aware of problems in their code? Or should they believe that there is no problem? What is best for you, the players?

Whether I report the problems or not, they exist and they affect players/users. I believe that unidentified problems can not be fixed.

Note: I'll only post bug reports that I already wrote... I'll not invest more time in this hopeless adventure.
+0 / -0


9 years ago
quote:
I decided to leave #zkdev and the game.

I have a number of bug reports that I never posted.
What do I do with them?

Players, do you think it is better if the devs are aware of problems in their code? Or should they believe that there is no problem? What is best for you, the players?

Whether I report the problems or not, they exist and they affect players/users. I believe that unidentified problems can not be fixed.

Note: I'll only post bug reports that I already wrote... I'll not invest more time in this hopeless adventure.


They should be aware of the problems. Sorry to see you go sheep. Good luck in whatever adventures lie ahead. May the gods watch over you in your success. :)
+5 / -0
9 years ago
What do these reports contain? I'd say the devs certainly need to be aware of whatever you've found but publicly releasing information about security flaws in ZK's infrastructure could cause more trouble than it prevents.
+0 / -0


9 years ago
quote:

[8:56:13 PM] Anarchid: 23 timber 2014: sheep ragequits because noone supports his crazy plans
[8:56:21 PM] Anarchid: 24 timber 2014: licho proposes forking/replacing uberserver


Sure you should post them, for posterity if nothing else.
+2 / -0

9 years ago
Please don't turn into another antweep..
+0 / -0
9 years ago
(I assume this is about bug reports that contain info that could be abused.)
On springrts.com/mantis you can create "private" bug reports that only devs can see.
There is a category "Site"; maybe that fits a bit.
For Zero-K specific things, I don't know. On GitHub one apparently cannot create private reports.
Maybe forum PM or email to some devs.
I think a private issue on Mantis might be best: even if it is maybe a bit off topic there, it will be seen by the right people, who can at least pass it on. Not as much risk of it being lost, as might happen if you PM/email it to a few individuals.
+1 / -0

9 years ago
pm anarchid or somesuch to forward to #zkadmin perhaps?
+0 / -0

9 years ago
GBrankPrincey I do not intend to damage the community. The community does that itself pretty well.

I will not post detailed vulnerability reports.

The general list of vulnerabilities is here:
https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013

if you need examples that this is true:
item 1) look at http://zero-k.info/Forum/Thread/9936 (last message suggests the same class of bug was introduced again recently)
item 2) look at https://code.google.com/p/zero-k/issues/detail?id=1170
item 3) I reported bugs in the past... such as using the amazing forum to inject javascript. Of course, this can still be done.
...

ZK infra is vulnerable to each and every class of problem.
It is fantastic teaching material if you are into teaching good programming practices or security.

If you can upload a file, you can abuse it... to crash the server, to hack the players, to serve malware.
If you can enter data in a field, there are fairly good chances you can abuse it.
If you can access the server, you can crash it.
If you use ZKL, you are at risk of installing malware coming from anywhere.

Those are my general observations.

I will only post funny stuff then... showing quality of the code rather than vulnerabilities.
+0 / -0
Skasi
9 years ago
quote:
pm anarchid or somesuch to forward to #zkadmin perhaps?

Shush PLrankAdminSprung, you know perfectly well that #zkadmin can be spied upon.
+0 / -0

9 years ago
https://github.com/ZeroK-RTS/Zero-K-Infrastructure/issues/256

This is why I leave.
Licho will cause the project to fail and I will not help him do that.

Sane people would look at the UdpClient.Close() method... instead of arguing shit about how udp is connectionless, which is not what the report is about.

Result: bug report was closed... problem is still there.
+0 / -0

9 years ago
It is obvious going by your message that you're leaving the game as a result of frustration BRrank[V]sheep.

I find it sad because it seems that you were willing to provide useful information and testing and that you were clearly competent in this infrastructure security thing.

I wish you could find some reward here that would give you a reason to stay; I am unfortunately personally utterly unable to do anything in this respect.
+2 / -0

9 years ago
Here is today's metaphor:
#zkdev has been working on their racecar for a few years. The paintjob is nice, not perfect but nice.
I say I'm worried about the time spent on the paintjob, mostly because I'm worried about the wood chassis. Putrefaction smells are not pleasant, but I'm told I will get used to it. The chassis has been around for years, so complaining about it just shows bad faith and that I'm ignorant. I'm worried that #zkdev has been using nails to "secure" the rotten wood chassis, using some adhesive tape where wood started to fall apart. I complain about it, but people just want me to fix the wood chassis and not hear me whine about the chassis. I have to prove that I know how to use a hammer before I can criticize using nails for this. Even better, I need to prove that I can fix the chassis using nails.

See... a metal chassis would have been better. I don't really care how much time has been spent "fixing" the wood chassis.

Good race.
+0 / -0
Are you leaving or drama whoring?

EDIT: I profess absolutely no technical knowledge on this topic and it's entirely plausible to me that every technical thing you're saying is true. That being said... if you want things to change, being obnoxious is not the way to do it, and if you're leaving, then just leave.

If that report had been a dispassionate and thorough comment on an issue you'd found rather than being full of "I don't even know where to start", rhetorical questions and attitude I'd be much more sympathetic. Like I said, I don't know anything about the area, but when I read most bug reports I can understand what the problem is, even if I have no knowledge of the field or codebase. I read that report and thought "what?".
+7 / -0
The most interesting reports were full vulnerability reports, with clear how-to-exploit instructions. I did not post them. The vulnerabilities are still present for anteep or competitive steam players to find. They will be found, without my help. I have no doubt that the bad guys will find them first.

The other bug reports, hastily closed by licho, are IMO interesting for devs. But they are only worthwhile for a subcategory of programmers, and there are no such people in the dev team, so I agree that the posted issues may not help much.

Not everyone believes that code should be easy to read, understand and fix.
Not everyone is able to understand that most of the known bugs present in the repository are not fixed because the code is so horrible that it requires a lot of effort. Example:

https://github.com/ZeroK-RTS/Zero-K-Infrastructure/issues/43
https://github.com/ZeroK-RTS/Zero-K-Infrastructure/issues/121

Affecting a lot of players. How can such a simple piece of logic fail? Why is it not fixed?

Try to fix it... then you'll encounter what I reported.
Do nothing, listen to licho...
+0 / -0

9 years ago
https://github.com/ZeroK-RTS/Zero-K-Infrastructure/issues/258

I'm not sure what this is, but I'd not call it a "bug report".

I'm also not sure how much you directly contribute to the code, but if it's not much I can imagine that "backseat driving" development and heckling while not doing anything constructive might not be taken nicely by an active dev.
+2 / -0

9 years ago
Read the metaphor again.
+0 / -0
In terms of your metaphor, do I see you offering to help rebuild a metal chassis or just whinging about it with no intention of the former?
+0 / -0
Yes I did offer that. Offer is no longer valid.

The point of this thread is not to continue trying to reach consensus that something radical should be done.

Maybe you'll realize it later, but it's beyond my current concerns.
+0 / -0


9 years ago
Perhaps you could post some general instructions for us laymen on how to improve our security when ZK goes to Steam?

-I once heard you recommending disabling autoupdate on ZKL. Or should one not use ZKL at all in your opinion?
-Disabling javascript when browsing Zero-k.info?
-Expect hackers ingame?
-??
+0 / -0


9 years ago
No bug report was deleted, they were just closed, with polite reason why.

https://github.com/ZeroK-RTS/Zero-K-Infrastructure/issues/256
https://github.com/ZeroK-RTS/Zero-K-Infrastructure/issues/254
https://github.com/ZeroK-RTS/Zero-K-Infrastructure/issues/258

Other reports from same user and same time were kept because they made some sense:
https://github.com/ZeroK-RTS/Zero-K-Infrastructure/issues/253
https://github.com/ZeroK-RTS/Zero-K-Infrastructure/issues/257

Please stop trying to be a martyr.
+0 / -0