If you’re using Glowstone, we’d appreciate it if you’d help us to test out plugins!
We’ve set up an Airtable base, which is powered by a form. It’d be great if users could post their experiences by filling out that form!
If you’d like to view the compatibility table, just click here.
If you’d like to discuss plugins and their compatibility with Glowstone, feel free to make a topic as well.
This is a post to notify everyone of a possible intrusion relating to the forum. I have provided a full report in an effort to be as transparent as possible.
Momo noticed that the forums were down. I was asleep at the time, and did not get the message until the morning - it was late at night.
I got Momo’s message, and investigated the problem. I assumed that Redis was down, so I restarted it and updated and restarted the forums, and everything appeared to be working just fine. I noticed that the plugins we had installed were removed, and so I reinstalled them. No configuration data was lost. I also noticed that a couple of posts I had made a day or two before that were missing.
I noticed that a Nextcloud install on a different VM (my personal install) was using the same database server as a memory cache, despite being configured not to. I reconfigured Nextcloud and removed all of its cached data from the database. Nextcloud did not touch any actual NodeBB data, so that wasn’t the cause of the issue.
At this point, we realised that data going back around a month and a half had been lost. Fearing further data loss, I set up some cron tasks to force Redis to save its data and save a backup every hour. I checked the Redis logs and there was nothing abnormal in them, so I assumed the problem was with NodeBB and continued investigating with Momo.
After reading over NodeBB logs, events and errors, we found nothing of interest.
At around 4AM BST, Momo became available again and continued his investigation. He discovered two things:
At around 8:30AM BST, I came online and restarted my investigation.
Due to an issue with Proxmox (the hypervisor I use to manage containers and VMs and keep things compartmentalised), it turned out that the firewall I had configured was not doing its job - instead of dropping all disallowed traffic as it was meant to, it was simply allowing everything. I fixed this problem by setting up a firewall directly on the storage container and this secured it from the outside.
I noticed that Redis was attempting to save data to /var/spool/cron, which is not its usual location. It did not have permission to write there - which is why it was failing to save data. Upon further investigation, I noticed that it was able to overwrite the crontab I had set up earlier - and had done so with the entire contents of the database. At this point, I took down both Redis and NodeBB so that I could fix things up.
I wiped all of the cron storage directories and reinstalled cron. I double-checked the Redis configuration and found nothing unusual, so I restarted that as well. It started up correctly and did not attempt to write to /var/spool/cron again.
I used a GUI tool to inspect the Redis data, and I noticed that the data I had removed previously (from Nextcloud) was still present. I removed it again, and I noticed an extra key that I hadn’t seen earlier: It was a randomized key, containing a crontab entry. This crontab was configured to download a shell script from an IP address and execute it.
I grabbed a copy of the script myself and took a look at it, and it simply downloaded a cryptocurrency miner and ran it. Upon investigation, it was clear that this crontab had never been run, and that the attack was supposed to play out as follows:
CONFIG SET command to overwrite the crontab with the databaseThe cron daemon I’m using performs very strict syntax checks and did not run the crontab - as soon as it realised there were invalid “entries” in the file, it errored out.
I removed the key from the database and made sure the forum was running correctly.
While there was absolutely no evidence that this attack targetted NodeBB or even Glowstone specifically, precautions should always be taken. As NodeBB stores its entire database in Redis, all of the data therein was exposed. It’s impossible to say what the attackers may have taken - if anything - but as always, users should take all of the necessary precautions.
NodeBB stores passwords using bcrypt. This is an industry standard and currently considered very secure, but we still advise users to change their passwords - both on the forums, and on any accounts they own elsewhere that may be using the same password as their forum account. Note that any other data provided during registration and profile modification will have been accessible as well - for example, email addresses.
I have revoked all the user tokens from GitHub OAuth, and reset the client secret, to protect users’ GitHub accounts.
I’d like to apologise for this intrusion personally - it definitely shouldn’t have happened, and while I’m amazed that it did, it is my responsibility. Please don’t attack or bug any of the other staff members - they don’t have direct access to any of this stuff.
As far as I am aware, everything is now secure and in working order, but I’m going to continue monitoring and testing throughout the day. Feel free to contact me if you have any questions.
This post was mirrored from the site.
Last day of the month, and I finally got my PR done. Sorry I’m so late!
…you used http://contributor-covenant.org , a site that has been used and pushed by insane SJWs.
Yup, I’ve seen this too often. The Node community, the Ruby community… yeah. There’s a little more to it than that, though.
Since the maintainers put the second line in the code of conduct…
You’re referring to the following, right?
Part of this problem lies with the very structure of some projects: the use of insensitive language, thoughtless use of pronouns, assumptions of gender, and even sexualized or culturally insensitive names.
While I agree with the sentiment you got from that paragraph, it’s not actually in our version of the CoC - and I don’t think it’s in the “official” version explicitly. You can check here for the latest version of what we’re using.
Use welcoming and inclusive language. - that can be anyone’s opinion.
Subjective, yes, to a point. I think that may be intentional, though - not just to target the perspective of the “victim”, but also to make it easier to apply to the situation of each individual project. I think a lot of this comes down to enforcement - and yes, I have seen projects pressured into over-enforcing this clause.
That said, that’s specifically listed as an example of behavior that contributes to creating a positive environment - deliberately subjective because, in my opinion, it makes people think of the best things that they could say in the situation, rather than some idea of what we require from them.
Be respectful of differing viewpoints and experiences. - again totally subjective
I wouldn’t say this is subjective. A lot of people assume this means that you can’t challenge viewpoints or discuss them, but there are ways to do that respectfully. For example, instead of being confrontational and proclaiming that xyz viewpoint is wrong, you could ask Why do you believe xyz? - and if you don’t agree with them, just say something along the lines of I disagree with you, but I respect your right to believe that.
That said, we aren’t really about general discussion. It’s going to pop up, as it does with every community, but we prefer to focus on discussion that’s specifically related to the project, so we don’t anticipate having to moderate situations like that very often.
Show empathy towards other community members. - Totally un-needed, and also is subjective.
Empathy is a little subjective, yeah, but it’s not hard to give empathy. If someone is in a bad situation, and you are involved in the conversation, you can simply say something along the lines of Yeah, that sucks or Sorry to hear that or something similar - or if not, you don’t have to engage at all. Up to you!
This code of conduct also doesn’t take into account how speech can mean one thing in one context, and completely another in a different. The code of conduct could be used to spin the speech and kick a member off the team.
Interesting point. See the next section.
I take a lot of these points as they come - I see them raised a lot, and some of them are issues that I have also had with this exact CoC. That said, I think a lot of this comes down to enforcement.
A CoC is only half of the story - If you have a project which has people with malicious intentions, people that are ignorant of problems with a CoC like this, or just people that don’t care about the community, things can go bad quickly because the CoC is so open-ended. Sometimes, politically-motivated people may try to pressure staff to achieve the outcome that they want - a great example of all of this is the infamous eggplant controversy in the Node community.
I just want to make sure that you (and everyone else) are aware that we know about these issues. We are not interested in censoring certain types of speech, and we’re not interested in pushing our political views on others. What we are interested in is keeping things productive and friendly, which will allow everyone involved to further the project.
Some other misc stuff that has come up in discussion:
I hope that helps, and I hope it wasn’t too long. :P
I had similar concerns, to be honest. That said, I’m happy that @mastercoms has modified it enough and have grilled her about how it would be enforced and such.
If you have any actual questions about it, ask away - that’s what we’re here for. However, as a moderate myself, I can’t say that a code of conduct is inherently bad. We do need something to refer to on expected behavior, after all.
Sorry, I haven’t gotten around to it yet. I’m sure I’ll remember soon :v
I think this covers most of what we need. It doesn’t read very well, mostly due to punctuation and lack of Markdown formatting where appropriate - can I reformat it?
Interesting idea! Just to note that there’s an issue on your server - I connect, die immediately, and are stuck in a block. Wew! Also, I can’t seem to turn my view. Browser is Vivaldi.
Most of our organic traffic comes from GitHub, and not the site. That said, I would be fine with putting that info on there - it’s a question that comes up every so often.
EDIT: I have raised this on Discord.
Glowstone is a small project. We are “all hands on deck”, but “all hands” is two people at the moment. There are four people on the core team - @mastercoms as the project head and lead developer, me as a sysadmin and PR guy, @momothereal as a prolific contributor and talented developer, and @kamcio96, who is currently busy with other things.
As it stands, any “pure” bukkit, spigot or paperspigot plugin (which is to say, one that only uses the Bukkit/Spigot/PaperSpigot API and no internals) should be compatible at this point, barring the features we don’t have implemented yet. The plugins that don’t work are not strictly Bukkit plugins, and are instead have an intimate association with the server software they’re developed for.
Some developers have decided to add specific support for Glowstone, and others have decided to write plugins with Glowstone as their primary target, but we are a small project at the moment and we don’t have the infrastructure to maintain a big database of plugins - although that is coming.
We also have the Linkstone project, which attempts to add an emulation of the net.minecraft.server package, so that plugins which rely on it will be able to work with Glowstone - but that project is currently stalled as we do not have the manpower to dedicate to it right now. Perhaps you know someone or are a developer yourself?
EDIT: I’m going to bed now, but feel free to drop by the Discord if you feel so inclined.
Specific issues are best left to GitHub, but I can sum up the response nicely.
These things are simply not yet implemented. Glowstone is beta-level software at the moment, and it is not yet feature-complete.
This month, the team is working on AI and mobs, so hopefully those (and related things) will be working by May.