#general

you could download the same plugin you ran the backdoor from in the first place, continuously improving the exploit

Maybe thats how big bot nets Are made

well i dont think they're spread using that but they do use that idea of visiting a place to get updates / instructions

Yeah

scary stuff

😨

So i wont see it open a tab when it visits that update / website ?

nope, it could happen completely invisibly

Oof

Somebody make an github issue on this

hehe it's not github's fault

😂

Bye

bye

yikes

Question, does anyone know a plugin than can link discord ranks to luck perms? Has a certain discord role so they get a certain server role

DiscordSRV

wait that does ranks? with lp?

Yeah ask their support about it

You might need the extra contents packs or something

Check pins for their support server

I am already in it, I already use the plugin haha just did not know about this feature

Oh alright

I haven't used it so not sure how it works but looks cool

It is on there install page haah

Yup DSRV has rank sync. You just need all your players to link their account with /discord link, then with about 5min in the config you can have it set up

ah yup you found it

ah ICIC I just need the role ids. It iis not my dyscord so ill have to wait until shes on

actually really simple

you don't need to be admin to get role IDs, anyone can see them if they know where to look

(i.e. I'm not proper staff yet I can still tell you the LP member role's ID is 420316139986485250)

Just right click the role and copy the ID

oh

well that's easy\

(you may need to enable developer mode in appearance settings if you haven't done so yet to see that)

Witchcraft

yup super easy

One thing that confuses me is how does discordsrv just work with that? it must detect luck perms and know what to do

complicated

Lp api?

It's actually not super hard. You know vault? Along with providing prefixes, it can also be used to change a player's group

so as long as the perm plugin you're using supports vault, it's actually really easy to support

(although we do indeed have some LP-specific integrations courtesy of luck, namely some contexts i.e. is linked, is boosting, and each role they have)

Oh God the contexts 🙏

GriefPrevention loves them nulls

ahhhhh don't remind me about the recursive nulls

but I don't think luck made that lol

Luck did make DSRV's contexts iirc

:0

yup https://github.com/DiscordSRV/DiscordSRV/pull/728

apperently it only works the one way

so you can have a mc rank give them a discord rank but not a discord rank give them an mc rank...so rip...

So back to my origional question, does anyone know a plugin that will sync discord roles TO mc server. So If they have sub club in discord it makes them have subclub in game

add subclub as a parent of default group with context of discord group=subclub

Using dsrv contexts

Hello Larry

Fefo, we meet again

DUDE isjcje I keep killing them

One right after the other

I hate this

discordsrb contexts?

...lost me again

also subclub is parent of a different group but still

like literally just put dsrv in the contexts tab?

No dsrv has its own set of lp comtexts

Literally linked above by _11

oh

ok so I can see how to kinda add a perm but not an actual role

or no

still confused

yea so I could do cmi.command.warp with context discordsrv:role sub club but thats just a specific perm not an actual rank

can anyone help me with making permission groups. I want to make a default and a mod and allow them to use certain essentialsx commands but im kind of confused on how to do it

Comtext
-larry 2020

!usage @warm thorn

thank you

No, thank you!

Do your part, stay apart.

2020

I am still confused lol

this is in command prompt right @onyx mason

and it is my minecraft username

group.subclub as a permission node will give the player inheriting it that group. Also, you can add contexts when you add parents or set parents to players in the command

so does that even need the srvs group sync function or this makes lp do it since it is just looking for if the person has the role

that's something I can't confirm or deny but you can easily try

so if someone is in the group defualt but has the permissions group.subclub they are essentially in the group subclub but still technially in default?

a player can easily have several groups

luckperms in no way forces anyone to have only one

can you make a default group somehow?

it's already made

!default

if the player had the permission group.a on their user, it's like they directly have the group. If group default has group.a it's like group a is a parent of default and they inherit a's perms through default @short ginkgo

Makes sense

I did this before accidently

group a has a higher weight so if you have that true you have that group essentially

even if it has lower weight you have that group essentially

weight only deals with conflicting perms

!weight

oh ok and prefixes

prefixes are stored as permission nodes but their weight calculates which displays

i think im doing this right but have no clue lol

lp is incredily complex..... but it is also crazy versitle

so i have essentials plugin.... if i do lp group default permission set essentials.tpa it will allow everyone to use teleport right?

it will allow everyone to use the /tpa command

it will not allow /tpaccept though, that's another perm

i just wasnt sure if i need to import essentials or somethin

do you have essentials on the server?

yes in the plugins

that's all you need

ok

thank you

np!

so heres what I did

op will have acess to all commands no matter what right

typically, yes

in default I put the node group.littlestars with the context discordsrv:little stars, In the group littlestars I put the node group.subclub with the discord context. Since they all inherit then I guess they could all go in deault but still

discordsrv is not a context type you can use afaik

here's a hint: log onto the server as a player, run lp user <you> info and look at the available contexts

I meant the actual context for the plugin, it is listed in the editor

screenshot? I'm not sure what you mean

context is discordsrv:role

ah

then yes

discordsrv by itself wouldn't work

oh I see what you mean, I typed it out wrong

apperently they are adding a feature in the next update of discordsrv that will allow for to server one way sync but.... this is really easy once you know it so ill stick with this

And my patreon is gone again

wdymmm

i see it

And i only got it 6 days ago

Scammed

Will be g9ne tomorrow then

hey larry, i think i got it working

Gone*

this causes and inheritence loop.... is that a bad thing? it has not caused issues yet. group c inherits group a and b but group b already inherits group c

It isn't ideal but there are measures to counter that when running calculations

You would want to get rid of any circular inheritances if possible

By that I don't mean it's 100% expected behavior, I mean that it won't crash your server lol

what I did was for the discord perms in default I put it so that if you have discord role X you get the next rank up, then in the next rank up I put it so that if you have role Y you get the next rank up. I probably could have just put all the discord things in default and it would have worked the say without the loop

so in group 2 you can technically have group 3 but group 3 inherits from group 2

just put all the discord things in default and it would have worked the say without the loop

^^^^^

do

Lordy this is powerful, if somone gets banned from discord they would be back to default because no roles, couldn't talk and plus they would be server banned automatically as well. Found out that a reliable ban system is really important the other day. Also yea ill fix that tmmrw, then no more loop :)

idk if anyone knows but im using essentialsx to backup my world every hour. how would i restore to one of the backup folders?

stop your server, and replace your original world file with the new one

wait, essentialsx can backup worlds

damn i didnt know that

yeah lol

thanks ivan

wait would u have to backup nether seperate?

usually yes

hmm

i don't know how essentials backs stuff up so idrk but you should make sure you're doing that

idk how to do that lol

ill look into

you should take a look inside the backup folders you've been making to see what exactly is inside

wait i think i can change the command to world_nether

possibly

because i made a backup.bat and it backs up 'world' maybe i can do 'world_nether' and run the command in the essentials config

oh the plugin is running a batch file?

yeah

then you should definitely be able to back up the nether

noice

thanks again

no problemo

do you know how to make the server ip a domain instead of the actual ip?

yeah, all it takes is purchasing a domain from a provider

that expensive?

not particularly, if you do it right it'd only cost you $1 for the first year, and $15-25/year after that

when people go to connect do they need the ipv4 of the computer or the public ip?

players will only need your domain address

if i went the domain route

you'll have to give the domain provider your public IP though

but like friends can connect through public ip after i port foward?

so if you got example.com that's all any player would need to connect to your server

they could still use your regular public ip if that's what you're asking

ok

ty

no prob

trying to figure out luckperms to make different ranks/groups was struggle until i got linked the website

yeah the wiki is extremely helpful

you can also run !help in this discord for some nice links to different parts of the wiki

!commands

!help

!bungee

@normal surge do most plugins update automatically or do i have to do that and what about when the version of minecraft changes

most plugins you'll find don't update automatically, and that's a good thing

as far as versions update, it's a good idea to get plugin updates each time but you'll find a lot of plugins will work fine across several versions

ok

ty again

time to slep

gnight

What is the best way to backup your server/network?

the most straightforward way is to have a script run regularly to 1) stop your server, 2) copy your world file somewhere, 3) start your server

2. copy world and plugin and settings

ah yeah xd copy everything you can't download online

What would be an effective script for this?

do you use a host

or selfhost

Self

are you on windows or linux

Windows atm

idk how to automate batch scripts on windows so i cant help you there, but there are definitely lots of tutorials online

This restart script would be in another .bat file than the run.bat right?

Or in the same?

you can make a script that starts the server and one that stops the server

and just call on both of them from the one that backs up the world

I will look more into it

My world file in my survival server is like 50gb will the backup take a long time?

it all depends on where you're copying it from / to

but 50gb is a lot either way

if you're moving it to a different directory on the same drive, and you have an ssd, it could take a minute or so

usually backups compress things lol

so they don't take the whole space

things can be compressed very severely and still be recoverable

I only have an SSD

only? ssd is better than hdd

How Can i compress it?

larry what compression would you recommend for backups

I meant i dont have any HHD

that's... good? ssd is faster

IVan honestly I have no idea

Yeah exactly

i have a friend in another mc server who would likely know

well if it were me and i was on a windows system, i'd probably just zip the file

that's definitely not as small as it can be

well it's low effort and reduces the size by maybe 40%

yeah

i think it's a good compromise

Good and safe but could get smaller

yeah

if you want to make it super compressed i'd say you want to separate copying the backup from actually compressing it
so that you don't have unneeded down time

helpchat or Syscraft would be a decent place to ask, it's in the pins. i help run the latter but there are some really knowledgeable folks there

I have to go but i will try to find backup script and compression information and share with you

ok

@gilded nova re: compression: zstandard (zstd) is apparently the best

Yeah that aint mine

nah aber admited to owning it a minute later

still, pogbun.com feels like the kind of domain you might own, knowing your love for them

also wtf you pinged me yet clippy didn't yell at you...is clippy broken?

It doesnt yell for replies anymore

#github-spam message

Torrent?

wait why on earth did luck do that lol

¯\_(ツ)_/¯

hmm

Probably found it annoying all the clippy messages

Since afaik pings are for some reason enabled by default in replies

Regarding the backups:

• stopping the server is not necessary. Just running save-off then starting the backup is enough (and when it’s done save-on)
• Gzip is generally a good compromise between speed and compression (that’s why Webservers use it). If you want to go for file size then use xz with the options -9 (max compression) and -e (extreme compression)

Getting xz for Windows is a bit tough. As is gzip

7zip uses gzip internally. So I’d recommend that

I’ve downloaded a torrent which was only a few gigs and contained 200

I believe that’s fair btw

But yeah I’d be shocked if you couldn’t differentiate between a reply Ping and a random ping

And I mean it always was the goal to allow pings to reply. So now that there’s a good way it’s finally as it should be

@trail shuttle testing

Hey BrainStone! Please don't tag helpful/staff members directly.

Ok. Yeah. Clippy still works

See above

Y'all saying if someone replies to my message and leaves pings on, it doesn't yell? Are ya sure?

correct

There you go

@rigid widget but this triggers it

Hey BrainStone! Please don't tag helpful/staff members directly.

Ffs it was the one thing I liked that Clippy still did ;-;

see here larry #github-spam message

Ty _11

The way it is right now is how it was supposed to work from the start

Just back then there wasn’t a way to recognize replies

Well yes, people can one-click turn off the ping in a reply tho

It's not impossible, it's even less difficult there's a button for it

If I was still clippy protected I’d be happy about it. Because after all I like being informed of replies

Discord should've made it so it's disabled by default

It's not a big deal tbh, I can live

I think it’s fair the way it is. It’s also in line with their design to rather ping than not

And I do think that’s a good call

hello

you know this permission ?

/lp user Luck permission set test.permission land_area_trusted=yes

?

I feel like it doesn’t want to work? Maybe because I put a bad permission ?

https://github.com/Angeschossen/Lands/wiki/Luckperms-Context

!nw ?

You're setting that permission on a user named Luck

no, myplayername

i write this : /lp user playername permission set test.permission land_area_trusted=yes

If you're not specific then nobody can help you, sadly

test.permission doesn't do anything

and without test.

doesnt work

You need to specify an actual permission node

my player name is kiltzor

Like essentials.fly in your example command, instead, would allow people to run /fly if they were in a land area where they were trusted

yes

how i specify an acutal permission node ?

Replace test.permission with an actual permission node

Each plugin sets its own permission nodes

For Lands, it's https://github.com/Angeschossen/Lands/wiki/Permissions

so i write this : /lp user kiltzor permission set lands.bypass.fly land_area_trusted=yes

?

That would allow them to bypass fly in a trusted land area yes

ok thanks bro i try

So i should use zstabdard to compress my backups?

Is this a good backup script? i just found it and it says it will integrate 7zip to zipping the contents

https://paste.gg/p/anonymous/bb78125825f046ce9b4a805aefc7b9da

Who else hugh asf

@gilded nova

What plugin do I need to make a luckperms role show up in chat and tab list?

• Vault
• A chat and tab plugin

!chat Check the second link in the embed, it has a few suggestions for those

thanks!

When I add a permission for my trial mod group the GUI doest pop up when using the command. the permission is finvsee

I was thinking about making LP work as a single jar.
What do you guys think about that?

wdym by that?

add vault to the jar, etc?

like making bungee/bukkit work on one jar?

would that work because if so that would be pretty great

bungee/bukkit/nukkit/velocity/sponge/legacy

:^)

Wouldnt that make the jar large?

jarge

~0.006gb shouldnt be a huge issue

aka 6mb

lol

actually

better sense of scale when using gb imo

🤷

o right

I updated intellij and now it has to index half my disk

why is it lookin in luck's repo for PR lol

¯_(ツ)_/¯

because

the required jar for compiling is hosted in there?

Luck has a lot of stuff in his repo lol larry

I can access it just fine from Chrome 😦

the pom I mean

but this is windows being shitty

because if I run gradle on WSL it builds just fine LMFAO

it happens too often sadly lol

on our or in our

How do I make so a normal user on my server can't get all the commands as a suggestion like this:

That's on the other plugin / your server software's end, we don't manage tab completions (except for our own commands)

Well if the other plugin is properly made, setting the corresponding perms to false would suffice

But ¯\_(ツ)_/¯

did you have to code in all of the suggestions for lp?

or does MC have like an automated intergration thing?

yes and no

xD

aka Yesn't

MC has completions (otherwise how would your client have them), but there's a lot going on at LP's end for handling perms and coloring and stuff

i know the clicky stuff and advanced completion stuff is custom

(it's actually quite a pain, Luck's written an entire library just for doing completions)

Do you guys know how to fix it tho?

Luck is Lucky to have the knowledge

The way it's done is quite amusing

Because I don't know what plugin causes it

.

how do I fix it on luckyperms commands

luckperms*

If users don't have permission for the LP command, they won't see it in tab complete

I changed my group to default but I still saw it

are you opped?

I deopped myself

I will try again

ah it worked! my fault. I apologize.

yeah when testing as how your audience would play, do it like that, because I doubt they will have op lol

Thanks :heart'

bruh 😦

lol

op catches a lot of people out xD

can be annoying when testing stuff

Do you guys have any clue on how to fix it for other plugins, when they are on by default?

No idea, it depends on each plugin individually

Or you can use a suggestions blocker which more often than not cause issues "wHY cAnt I SeE SugGesTIonS"

Exactly

@rigid widget @short warren

Hey BrainStone! Please don't tag helpful/staff members directly.

I bet brainstone has an article on "Why you shouldn't use a suggestions blocker plugin"

What's that even supposed to be?

removes tab completions i think

ask Fefo

Ah

I mean just why?

Same reason you'd want to hide /plugins

Which, I know you love to do, BrainStone.

I'll never understand why anyone would put effort into removing useful information

if i set these two to -> 0 would it stop or disable the annoying messages in console ?

moved-wrongly-threshold: 0.0625
moved-too-quickly-multiplier: 10.0

so most servers are 1.15+?

eyup

bstats

https://bstats.org/global/bukkit

https://bstats.org/global/bukkit#minecraftVersion 😎

@brazen cradle ?

D:

our developers want the network to be on 1.8 universally

i fig it out

🤢

they say for the duel server, pvp, factions and practice server

@rigid widget i got it could not figure out how to link my patron to here

Hey LynxError! Please don't tag helpful/staff members directly.

because of old game mechanics

and skywars

Viaversion, viarewind

correct, but who would play any other game mode on 1.8?

nobody

even with viaversion and viarewind theres the server still lacks half of the modern minecraft blocks

Have pvp modes on 1.8.8 and survival-like ones on latest?

¯_(ツ)_/¯

i have a off question i run a server more for fun/hobby... i dont have many players,,, i started back on 1.12.2 do you think i should upgrade to 1.16.4 or fresh install?

What kind of gamemode

spigot.....

spigots a server software not a gamemode

o lol

Said server first edited my msg

i have a SMP/Skyblock

They edited their message

where can i look to recruit more developers?

Advertisement is a nono

smh my head

sorry i did not know

I'd say update to 1.16.4 paper/tuinity

BD bad

nah

i guess game mode would be smp?

Ye should update to what I said before then

@trail shuttle do you suggest i upgrade to 1.16.4 aswell, and just keep the more combat focused game modes on the old combat model?

Hey carti! Please don't tag helpful/staff members directly.

ok clippy

Uh probably?

yeah you could use OldCombatMechanics or something if you fully want to use 1.16.4

its not just old combat mechanics its like all the old game physics

thank you all for the feedback

need to restart server to change discordsrv prefix source but otherwise i should be good

Hi

@bold kayak dis is probs wt u need https://pixelmonmod.com/wiki/Commands#Permission_nodes

ty

Highlight of my day

Thanks spotify

you need to be server op to place and use command blocks

are you sure you are op? keep in mind that having * perm is not the same as being /opped

mk

Hey gigalegit-! Please don't tag helpful/staff members directly.

no clue tbh

please help i keep getting this really long error message every second

Please use https://bytebin.lucko.me to send files in the future. I have automatically uploaded undefined for you: https://bytebin.lucko.me/Zalu5uiLd5

hello?

Hello

Send a whole server log not just the small part

do i restart the server?

it happens when i do /vanish ;-;

is it normal?

is a virtualbox of a debian linux completely the same as an pc with it ? If not what are the differences ?

One is a vm, the other is not

so no difference except that its virtual

Idk

Might be a difference

would be logical if there was a difference but.. i want to know just in case

With the box you have all the control and power the box has, with a VM you have just what you get

well... usually you will vanish and become invisible

so the only difference is hardware?

no sh!@ sherlock

ok

well it depends on the plugin handling the command as well so...

wget, vim, nano

which one is best ?

wget is not a text editor lmao

oh yeah

https://xkcd.com/378/

Vim sucks

I just use nano whenever I am editing files with the command line, it is just so simple

!legacy

Sorry! I do not understand the command !legacy
Type !help for a list of commands.

!help | grep legacy

Wait

This is not a terminal

lol

New feature request

grep support for Clippy

it's been done before!

https://github.com/sk89q/plumeria

pretty cool

pipe operator for clippy

i want it

There goes my patreon

f

Second time it goes away after 6 days

Scam :(

https://i.imgur.com/P5jJgKF.png

the idea of patreon is that you support each month :p

it's like a subscription

https://paste.gg/p/anonymous/c44506b372db4e4584e2ce516ed22578 :

java.lang.IllegalArgumentException: Team 6e34380d-e8d9-4 already exists in this scoreboard

This only happens when i leave the bedwars server and joins the lobby server. For me it clearly is something from rocket-1 which is the problem (which stands in the error) i also discussed this with the developer of the plugin i have in lobby for
scoreboard (deluxehub 3) and its not their fault.

Rocket-1 plugins: ScreamingBedwars/Bedwars, Essentials, KohiKB*, Luckperms, Multiverse-Core, Nocheatplus, Oldcombatmechanics, Placeholderapi, ProtocolLib, SBAHypixelify, Vault, ViaBackwards, ViaRewind, ViaRewind-Legacy-Support*, ViaVersion, Voidgenerator and Worldedit

I thought it was the bedwars/sbahypixelify plugin, but when i contaced the, they say when you leave you also should get unregistered from the scoreboard.

I have looked up this problem for some days.

How do i fix this?

nano or else no no

This team exists already

No issue from luckperms

Check if this team exists

@twin warren well its weird like, if u paid for sample on 4oct, why doesnt it end on 4 nov then

Hey Thrasilias | TRose2000! Please don't tag helpful/staff members directly.

thats a whole month

¯_(ツ)_/¯

6 days feels kinda like a scam tbh

Because it runs month to month

And resets on 1st

To be fair Luck, your "description"/about does say "If you'd like to make a one-off donation [...] you can sign up to become a Patreon at the amount you'd like to donate, and then cancel the subscription afterwards to cancel any further payments."

Ya? You can

But the discord roles are automatically applied by Patreon, and will get removed as soon as you stop being a patreon

Hey Luck if you're around.
I recently started work on turning my code that allows a single plugin file to work on multiple platforms and download dependencies at runtime without relocating them and without conflicts in the classpath into a library and I could fairly easily apply that code to LP

So in short it would mean there's just a single plugin file for all platforms of LP (including legacy bukkit)

Dependencies would still be downloaded at runtime (only once of course)

If you're interested in how that would work out, let me know

@white idol villageroptimiser is useless 1.14+ iirc

I used to have villager lag till i used that plugin

hey

how to run Spark to indentify what is causing the lag?

Im mean i have like 35-50mspt

and then suddenly goes up to 60-70 for a few seconds

and goes down again to 35-50

https://spark.lucko.me/#Hl39R5WGnG

I've made a sampler over 400 ticks

And the lag is from "Unsafe.park"

Whats?

what website should i use to get a free domain ?

Google is a thing fyi

I know

Freedns or Freenom im not sure

i think it's much better to spend a buck and get a real domain xd

Mby

But i can always do that

Just want to test out the domain thingy

in that case i guess freenom would work

what would people see if they search my domain / subdomain up in a dns lookup ?

if i setup with cloudflare and tcpshield to

that depends on the whois information tied to the dns

so.. it depends on what information i give or ??

it depends on the provider, some will hide the information that you provide, and others wont

the providers is the domain hoster so in this case either freedns or freenom right ?

yeah

ok i will try to find out if they do, and if i would rather use one that hides it

that's a good idea

i also think if you setup with cloudflare it shows a cloudflare domain instead of your but.. idk atm

wdym by 'a cloudflare domain'?

i mean if you connect / setup your domain into cloudflare

Editing WHOIS records
Cloudflare redacts WHOIS information from your domain by default. However, we do store the authentic WHOIS record for your domain that is first set during the transfer flow. The contact information is shared across all domains in your Cloudflare account.

You can edit the contact information for all domains in your account. To do so, navigate to the “Configurations” tab once you login to Cloudflare and before you select a zone. Under Preferences, select “Edit WHOIS” and you can modify the record. You can also reach this screen from the Domain Registration card in the dashboard Overview page of any domain registered with Cloudflare.

yeah, they hide your actual information by default

so you should be safe if you use them

but i dont quite understand exactly

if i connect my domain into cloudflare do i transfer my domain into their service and has nothing to do with freenom anymore or do i just manage my domain with cloudflare ?

if freenom allows you to change the nameservers that your domain uses, then you should be able to use cloudflare to manage your domain

but freenom is still the providers ?

yeah, afaik

i don't know much about freenom though so i'd say the best option for you is to just experiment

do you think this is the same in reverse? like if they search up my public ip will they see this ?

are you asking if someone enters your actual public IP in the search bar, will the domain name you registered show up?

basicly

if that's the question then no it probably won't

what if they search in a lookup tho ?

still no

oh okay

more than one domain can be tied to a public IP

and there's no easy way to find them all, that's just how it is

but when i register a domain i need to type my public ip right ? not the ipv4 or ipv6

your public ipv4 IP is what you need to enter

so the one when i do ipconfig in cmd ?

no

or when i search public ip in chroome

the one you get when you visit a "get my public ip" website

ok

does cloudflare work the same on windows and linux ?

yes because it doesn't run on your computer, it's not a program

it's a cloud service

you have helper me so much

thx

now i will use freenom as provider, cloudflare and tcpshield as protection

alright, good luck

fyi if you selfhost and you'

tcpshield has a tutorial for cloudflare + tcpshield so wont be hard

're going to run more than one server you should moving to linux at some point

that's good to hear

you mean bungeecord ?

yeah as an example

or maybe you just have two completely separate servers

would it be better to run my server on an virtualbox debian than windows 10 ?

... is the virtualbox running on windows?

yes

then definitely not

ok

a main benefit of linux is it uses less resources compared to windows

i know

if you're still using windows then you lose that benefit

bloatware and stuff

are you hosting on the same computer you use for daily stuff

yes

then just keep using windows

dont worry about it too much

atm just with friends tho

but i use vb to learn linux meanwhile

that's smart

if you want to start using it for real, the best way to get a benefit from it would be to find a separate computer like an old pc to run your server on

Transfer to Cloudflare
Domain transfers tell your registry that a different registrar can now set those authoritative records for you. The relationship is based on trust. Registries only trust one registrar, at any given time, to make changes on your behalf.

Transferring a domain to a new registrar informs the registry that they should instead trust that new registrar to modify information. The process requires some steps at both your new registrar and the one you are leaving. Each registrar handles transfers a bit differently, but in general they follow a pattern based on rules set by ICANN, the organization responsible for regulating domain registration.

Is this just for domains or also subdomains ? so i basically transfer my entire domain ?

you can only transfer domains, not subdomains

ok

Hey, sounds cool

I’m not keen on having all platforms in a single jar, much prefer individual artifacts per platform

Also, tbh I’m pretty happy with the current system. Doesn’t really have any big flaws IMO and also is without bugs for the most part! So I’m not particularly eager to change just for the sake of it

I could throw together a PR so you can check it out. I think that would greatly improve user experience. Also with the system individual jars are still possible

does sound kinda cool, though we'd still get the people thinking that it only needs to be installed on the proxy

How does it play with legacy? Is it shaded in? Because gson is already available on 1.8.8+

I'm not gonna stop you from PRing if you want - but just to stress, I'm very reluctant to change a system that works & that I'm happy with :p

would at least be cool to combine legacy/bukkit if thats possible, might reduce some confusion while downloading from spigot or whatever

That won't be possible

The missing dependencies just get loaded at runtime

including gson?

Or well, I suppose you could combine any amount of versions into one. Nevermind then unix. That would work too!
But I mean stop at just two when you can have all?

And yes of course

Why not?

Because if gson is downloaded and relocated at runtime too, then that is completely possible 😛

It won't be relocated at runtime at all

Nothing gets relocated 😏

uuh.. why not

That's actually quite crazy how it works under the hood

In short I use my own classloader to isolate libraries against the outside world

ooh

I mean we're not talking about some theoretical concept or anything

I have actually implemented it

It's just not separated into a library yet

But my very WIP plugin AuraBan uses that technique

LP does the same already, just only with select dependencies

It even automatically download dependencies of dependencies I declare to download

two or more different versions of the same class loaded at the same time is not an ideal situation

which I why it's only used when absolutely not possible to use a different technique (i.e. relocation)

the situations when it's not possible are: a) before the relocator lib has been loaded b) for libraries that use native code

Is it any more ideal than relocation for the common use cases?

I mean it means jars don't need to be modifed and can be verified much more easily

That's why I personally prefer the "isolate everything with magic ClassLoaders" solution

mm

except that's bad because of:

two or more different versions of the same class loaded at the same time is not an ideal situation

so

really a case of picking the least worst :p

which imo is relocation

Well what exactly is the issue if those duplicated classes nerver interact with anything outside of the environment?

if they never interact then there is no issue. but if they do interact, then it is a big problem and very hard to track down

When would they ever?

The API is the only interaction point and frankly you should only use java itself there

this has actually been an issue in practice -- different plugins shading slf4j and not relocating:

https://github.com/lucko/LuckPerms/blob/master/common/src/main/java/me/lucko/luckperms/common/storage/implementation/sql/connection/hikari/HikariConnectionFactory.java#L208

I have solved that issue as well

That's a bit more complicated but works very well

perhaps that specific issue is solved, but it was just an example of a problem that could happen.

Well not quite. The fact that I isolate all libraries to myself makes it actually trivial

not really, because you ideally want your libraries to hook in with the platforms logger if it provides slf4j

Oh I think I have to mention that the classloader is written in a way that prefers classes from its own sources over those of the parents

So other jars can have shaded in whatever they want, as long as I load it in my classloader that has precedence

That's why I detect if it's on the platform or not before I load it in

LP has done the same, but alas it is still a problem :p

Because you load in stuff that is accessible to other plugins

Whatever I load in is only ever accessible to my plugin

that's not correct -- LP is usually not the culprit when the problem occurs

It's practically impossible for conflicts

I know

That's why I decided to write the ClassLoader in a way to first always check if classes it looks for are in one of the source jars I gave it

I'm fairly sure bukkit's (Paper's) PCL also operates in the same way -- I promise that is not a magical fix all :p

That means no matter what's inside another plugin's (or platform's) jar if I have it as well I prefer my version

No it doesn't

I looked into it

https://github.com/PaperMC/Paper/pull/3366

🙂

I'm doing that even more agressively

I'm not convinved

I've tested it with plugins that shade in SLF4J in in a way that would typically break things

Then plugins that shade libraries that I use as well (different versions though)

Also for Sponge I wasn't happy with the MySQL driver so I loaded a newer version

All working great

you have to be careful with that too -- your driver is most likely registered with the DriverManager on class static init

and will leak out to other plugins even if not visible to other classloaders

That is correct. Though I've seen your recent fix to that so that can be remidied

Though the classloader magic is definitely not at fault here

true, relocation is also vulnerable to the same issue

but it's a good example of unforeseen problems occurring form loading multiple versions of a class into the jvm

my argument is that relocation is easier to debug and prone to less issues, because the class name is different at least

there's not two classes with the same exact name, but actually different classes

Though here the same issues apply to both relocation and magic classloader

yes, I said that in the message above

I mean you can still relocate

indeed, but then why even bother with the hassle of isolating

Exactly. Though I generally prefer only loading jars that you know what their hashes/signatures should be like

Because after all that means I can always verify them before loading them in

that's fair, but when the loading/relocation code is open source and initial binaries are checksumed, I think that should alleviate most concerns

Do you relocate the jars every time?

Or just once?

Just once

Ok. So I as a malicious plugin can just override a library you load in

yes, in the same way that you could override any plugin sitting in /plugins/

Well not quite

You know what hashes those plugins should be

And the jars can be signed

You need to remove the signatures from the relocated jars

if you're going to that level of precaution, then it's not much of a stretch to just hash /libs/ and be done with it lol

Yeah but what good would that do with the relocated jars?

well they're only relocated once - so once that process has happened the hash will not change

Correct

But you as a plugin don't verify that

I can and do

Minimizing the risk of code injecting while gaining more flexibility when it comes to using libraries

that's because it's not LPs job to do so

Since you're loading them into the classpath it's your liability however

that... doesn't make sense lol

I can use your plugin to have an arbitrary code execution as the user that runs the server

Which I would classify as a fairly serious security concern

that's always going to be possible, no matter how many checks you put in place

ultimately, you can always just inject code into the server or into some other plugin and do whatever you want if you manage to get malicious code in somewhere

whether that's a plugin, or a lp library, or whatever

Well putting a check in place that requires breaking a hash that no one has broken before vs. none is a significant difference

so.. I just replace your plugin and then the check is gone..

But you can notice that

Because you can verify the contents of the jar

yes, in the same way that you can hash /libs/ and notice

if you were paranoid enough to do so

Well yes and no

Let me explain

If I were to try to prevent code injections in a server there's a few things to do

just... don't install malicious plugins? :p

For example make sure all jar files that are in the plugin directory stay the same and new one cannot be added

Next you could argue that it makes sense to look for additional jars but not really because the relocation you deploy is not 100% predictable

So while the resulting jars always work the same the individual files can be a bit different

So there's no reliable way to ensure those files stay the same

There is, because relocation isn't attempted if the files are already there

For what I'm doing that is not an issue because I always verify the files

Then I delete the file so it gets regenerated

And then it's different

right, then you just reset your hash

in the same way you would need to whenever you updated a plugin

But again I need to hash it myself

you're going to need to do that anyway lol

I have no external trusted source to know if the file is good or not

That is an issue

there is never going to be an external trusted source unless all plugin authors signed their releases

Well yes

so that argument really does not apply

The hash of the offical download is trusted to a point

is it though?

It's more trustworthy than not having any

chances are that's where the malicious code is going to originate

unless you're planning to introduce it yourself!

That's not what I meant

But if you want to verify files for integrity there's no point in comparing it to hash you did yourself

All that ever checks if that file got changed or not

Not if it's the file you want it to be

that's exactly what you said you wanted to do ^

Verifying the integrity from an external source

you can keep going a step further forever lol

Yes that is true

the point is to take reasonable precautions

But again changing jars and loading them is super iffy

which I'm doing already

Because at that point it's trivial to inject code

Even when reasonable measures are in place

the code is open source, you can go and see for yourself that malicious code is not being injected

Not what I'm saying

& people that download the binaries I make available on spigot and lp.net vs compiling themselves are trusting me to not sneak stuff in

I'm saying that a malicous plugin can now just easily replace one of your jars and no one would notice

And if they pick one that rarely gets updated they can ensure their code gets injected even after all plugins were updated

Now to end the discussion

I'm not saying this is a major security concern

I'm just saying that I find it bad practice to not verify binaries you load

Especially if you can

What is WHOIS redaction?
WHOIS redaction removes all contact information categorized as personal data from the published WHOIS record for a domain (registrant name, email address, postal address). Fields will read “Data Redacted”. The nameserver, domain lock information, and date records for a domain are still available publicly.

Cloudflare still maintains the authoritative, unredacted, record of your WHOIS data. You can modify this information at any time in the domain overview tab of the Cloudflare dashboard.

Note: WHOIS redaction is not the same as WHOIS Privacy. WHOIS Privacy replaces your information with proxy contact information. Redaction removes it altogether

Doesnt this mean they just hides the information if you register or transfer a domain on cloudflare and not a subdomain ?

And by doing it my way those files always can be (and are) verified

I agree, which is why there are checksums 🙂

verified binary -> predictable relocation -> loading is realistically just as secure as verified binary -> loading.

I disagree here

you can't register just a subdomain

that text basically means cloudflare will not reveal your information if they are the ones managing your domain

you've not given a good reason as to why it's any easier to exploit than the plugin loader itself

For two reasons:
The relocation is not predictable

And second intermediate files are always bad as they no longer can be externally verified

the relocation is predictable. the plugin loader itself is open to the same flaw since it cannot be externally verified either.

You two still going?

there is no difference between you hashing a file from spigotmc on download, vs hashing a relocated file in the libs dir immediately after LP has started

I've had the relocator produce functionally identical but still different files under different conditions. For example different java runtimes and OSs produced different files

And what plugin loader do you mean?

well it's predictable within the same runtime - good enough for me

the platforms loader

I see

Again you can verify

You have an external source that can give you the expected hashes

no you do not

How so?

because most authors do not sign their binaries

you have to download the file from spigot or whatever and hash it yourself

I can still verify. By trusting SpigotMC to give me the file it claims it does

Which is still an external source I can use to verify

that's exactly my point - you can trust LP to perform relocation safely on the first startup too

No

Not to the same extent

There's no external source I could ask for a hash of such a relocated file

The fact that it's "just" a transformation doesn't change the fact

I have no way of ever knowing if such a relocated file is the file I expect it to be

it's even better - the jar is literally created on your system.

if you trust the LP binary, then you can trust the relocation

But since you don't verify the result you cannot

the result does not need to be verified because the jar is created by using trusted code to transform a trusted binary

Considering that relocation process has hiccups every once in a while (!libsdir says hi) that is not the case here

there is no scope to inject malicious code there

those hiccups are filesystem i/o errors - it's not due to a vulnerability

Yes but it shows that the results are not verified and can be meddled with

No they cannot, it is not the same thing

Meaning that even if all sources involved are trustworthy the result is not

again - that is not due to a vulnerability.

Well who says someone didn't inject something into the runtime that modifies data being written?

Yes but it creates one because results are unverified and unverifieable

if that's the case then you're fucked anyway 😆

nothing's gonna save you

Grown ups talk over?

👀

So if i for example go to freenom and take the subdomain "whatever.chilldown.tk" and i setup with cloudflare it wouldnt hide it because it doesnt manage it or am i misunderstanding rn ?

Not really. There have been a few cases of malware operating in such a way.
Injecting themselves through a fairly open system and then depositing themselves in non obvious places

So even if you remove the original infestation they were impossible to remove

Or near to impossible

i've put a lot of thought into making the system secure 🙂 think it's right to listen to and discuss criticisms

In any case

I want you to understand that I don't think your system is inherently insecure

I'm just saying I find it iffy that it's unverified and unverifiable

🙃

two contradictory statements there lmao

How are they contradictory?

i've explained how it can be verified and trusted - if you don't see that then I am not sure what else I can do to show you

There is a transformation and the direct result cannot be verified except by recreating the transformation on the very same system

And well that's not how proper verification works

In practice it's absolutely fine

But there are edge cases where the system breaks

But that's all really besides the point.
You can say what you want:
You are loading binaries without first checking if they are the correct ones

No matter the circumstances

This is a fair assessment I agree with

This is also true, but it is no different to what the Bukkit plugin loader does

In a sense

The JVM can verify signed jars

You out of necessity strip that too if it exists

No, not in a sense - it is literally exactly the same.

There's a difference here

A plugin author can sign a jar

But your relocated jars can never be signed

That is true & a fair comment

In practice there is hardly any difference

But there is one

If I wanted to do signing, then yeah, I would relocate the binaries myself, sign the result, then make those available for download instead of the originals

In my opinion though, it is better to transfer the original library binaries (as released by their respective maintainers) over the net, and allow the plugin to verify those

Absolutely

it would be much easier for me to sneak malicious code in if I hosted and served the relocated binaries myself

And that's why I'm quite happy to have made a system that not only doesn't need to modify any jars, which means I can verify them on download and prior to loading every time. The system is also capable of isolating a version of a library from another

And that all seamless

full circle!!

That was the point I was trying to make an hour ago

😆

Just saying

on that note, I'm gonna head off

Alright then

nice chatting 🙂

I agree

For once 😛

@gilded nova now we're done 😛

Hey BrainStone! Please don't tag helpful/staff members directly.

❤️

ngl that was quite engaging

But overall expect an universal LP jar to drop some time next week :3

hey, any chance you can help me with something in that plugin? i keep getting the 'command doesn't exist' even after i added the alias

ping me if you respond please

https://cdn.discordapp.com/attachments/604011113939468294/784265799254540318/2020-12-03_22.51.35.png

Peep Y Cord

Can you send the config file for your aliases?

Hello,

I come to you because on my server, when I put the context "server: lobby" in the permissions, it works, my players only have permission to the lobby. On the other hand, if I put the name of another one of my servers (which is on my bungeecord), there the permission is not put at all, the player does not have access to the permission on the desired server.

Do you know why server-based permissions work with the lobby and not my other servers?

Thank you in advance,

Yours sincerely,

Adrien

Screenshot lp info on thr server that it works on and the one where it doesnt

doesn't work

!update btw

!latest

and work

Would an update be enough? :/

Set server option in the configs to the server name

here ?

Yes

ooooookayyyy

Thank you very much

Still update tho

I understand better why it didn't work! Thank you very much for your help 😉

Yep

I'm so fucked right now

Why?

well it's 1:14am in melbourne on a saturday so i have a few guesses as to why

Hello can somebody help me?

I am trying to install phpmyadmin but it´s not working (mysql 5.7)

the website doesn´t work

or do you recommend any other thing than phpmyadmin?

you will need to provide more info than that. what have you done so far.

I´ve done sudo apt get install phpmyadmin

I have apache 2

and mysql installed correctly

that´s all

so what makes you think it doesn't work

because on the website I type [serverip]/phpmyadmin

and It´s a blank page

so I can´t login

a complete blank page?

what do the console logs say

yes

completly

the only thing that seems strange at console is this:

root@gamesups:~# sudo apt-get install php-mbstring php7.0-mbstring php-gettext libapache2-mod-php7.0
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package php7.0-mbstring
E: Couldn't find any package by glob 'php7.0-mbstring'
E: Couldn't find any package by regex 'php7.0-mbstring'
E: Unable to locate package php-gettext
E: Unable to locate package libapache2-mod-php7.0
E: Couldn't find any package by glob 'libapache2-mod-php7.0'
E: Couldn't find any package by regex 'libapache2-mod-php7.0'

An user told me to do that command

before that command I had like an error msg

when i said console i meant the browser console

where can I look that?

really lol

I just do that, it´s everything I know

ctrl shift i

okey

There are lots of things

want them all?

just send what you see

https://pastebin.com/DqCYLQGQ

that´s everything

wat

that's not at all what i asked lol

ctrl + shift + i on the browser when you try to go to the web page

go to the console tab

what does it say

send a screenshot

nothing there

I will send screenshot

weird that it's completely blank

yes

never installed phpmyadmin on linux so idk what else to suggest ha

it´s anything better that phpmyadmin?

easier to install?

it´s not the first ttime installing php

Probably a php error, but by default phpmyadmin doesn't show errors unless you explicitly enable error showing

I installed it many times

but this time idk what happened

Make sure in your virtualhost you route the /phpmyadmin to the /use/bin/phpmyadmin (I don't remember right path, google it)

okey

it is good

It is good as in its working or?

no, I mean that the path is good

the route I mean

it´s mysql 5.7 idk if that has sth to do with that

@gilded nova https://getbukkit.org/download/craftbukkit sketchy website, but here you go if youre desperate

what a shit host theyre partnered with though

xd

3$/gb on ram and no info on specs

xd

here's a fun problem i've stumbled into

[LuckPerms] Failed to init storage implementation
[00:42:16 WARN]: java.sql.SQLTransientConnectionException: luckperms-hikari - Connection is not available, request timed out after 5000ms

i know for a fact it isn't LP's fault, but i can't find exactly why this is going on and how to solve it

for context this is happening inside of a docker container being run on a brand new machine i just set up

so i probably forgot something silly, i just have no idea what

!errors @normal surge