Unreal Engine 4 and Linux


  • replied
    I have pm-ed someone on this matter.. but basically the fix is just a matter of rewording:-
    'We cannot find the public repo (note that you have not logged in). If you are accessing a private repo, then please login first'.

    So this way, if a user wants to brute force to check if the repo exists, he/she has no idea whether the brute force actually results in something. So security-wise, it is still good.



  • replied
    You can't ever have a different behaviour on a private repo and a non-existing repo because it confirms its existence and can be bruteforced.

    Are we done on this? This isn't the place to discuss the security and convenience of GitHub, especially for explaining the same thing over and over. Please?
    Last edited by StrangerGwenn; 07-11-2017, 01:58 AM.



  • replied
    Originally posted by Gwenn
    I understand what he meant, I am saying that it would enable attackers to know the existence of a repository without access rights to it. You would be able to try random URLs like "unrealengine5" or "halflife3", and by getting a login prompt, you would know that such a repository exists.

    This isn't dumb at all.
    What GitHub should do is, like I said, 'please login first' (which is what perplexes most users when they click the UE4 GitHub link - they find a 404 error). And then when they log in, they will find the repo. But if the repo doesn't exist or is inaccessible (private repo etc.), then GitHub can display 404 - it is good enough. No one mentioned fixing the 404 error by returning a list of repos, even if they are private.



  • replied
    Originally posted by Gwenn
    but if Microsoft has a WindowsWithLinuxKernel repo, that's probably not information they want to be public. Private means private.
    The URL check will always fail at 'Valve' anyway not 'Half-Life', no?
    Plus surely leaks like this put everything else into perspective etc...

    Originally posted by Gwenn
    Can we go back to Linux discussions instead of feature requests for GitHub ?
    No worries...



  • replied
    I just explained it - if it returned a different code than 404, you could automatically generate a list of private repositories for an organization by just probing all possible URLs. While not a real risk in the classical sense, it's still private information. Everyone knows Epic has an UnrealEngine repo, but if Microsoft has a WindowsWithLinuxKernel repo, that's probably not information they want to be public. Private means private.

    Go to GitHub's issue tracker to see other people say the same thing (one with the same Half-Life 3 example I jokingly gave above) : https://github.com/dear-github/dear-github/issues/162

    Can we go back to Linux discussions instead of feature requests for GitHub ?

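The point argued in the post above, as an added example that is not part of any post in this thread and is not GitHub's code: a lookup that answers differently for "private" and "missing" lets an anonymous caller confirm existence, while one that collapses both into the same 404 does not. The repo names, users and function names are hypothetical, and only status and body are compared (response timing is out of scope).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Repo:
    private: bool
    members: frozenset  # users allowed to read a private repo


# Constructed sample data; names are illustrative only.
REPOS = {
    "example-org/engine": Repo(private=True, members=frozenset({"alice"})),
    "example-org/docs": Repo(private=False, members=frozenset()),
}

NOT_FOUND = (404, "Not Found")


def can_read(repo, user):
    """A missing repo is never readable; a private one only by its members."""
    return repo is not None and (not repo.private or user in repo.members)


def leaky_lookup(path, user=None):
    """Separates 'private' from 'missing': the behaviour the thread warns about."""
    repo = REPOS.get(path)
    if repo is None:
        return NOT_FOUND
    if not can_read(repo, user):
        return (401, "Please log in")  # this answer confirms the repo exists
    return (200, f"contents of {path}")


def uniform_lookup(path, user=None):
    """Missing and unreadable repos produce the identical response."""
    repo = REPOS.get(path)
    if not can_read(repo, user):
        return NOT_FOUND
    return (200, f"contents of {path}")


def is_existence_oracle(lookup, private_path, missing_path):
    """True if an anonymous caller can tell a private repo from a missing one."""
    return lookup(private_path) != lookup(missing_path)
```

A regression test for this property compares the full anonymous response for a known private path against a path that does not exist and fails if they differ.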


  • replied
    Originally posted by Gwenn
    I understand what he meant, I am saying that it would enable attackers to know the existence of a repository without access rights to it. You would be able to try random URLs like "unrealengine5" or "halflife3", and by getting a login prompt, you would know that such a repository exists. This isn't dumb at all.
    Security-wise there are new attack vectors every day.
    But are GitHub paths like probing existing logins?
    It's not like malware probing 135 / 445 open ports...
    What use would that information really be, Gwenn?
    Explain to us where you see the real security risks...



  • replied
    I understand what he meant, I am saying that it would enable attackers to know the existence of a repository without access rights to it. You would be able to try random URLs like "unrealengine5" or "halflife3", and by getting a login prompt, you would know that such a repository exists.

    This isn't dumb at all.



  • replied
    I think what he meant was the error should be 'Please login first' instead of 404 error (which doesn't look professional).



  • replied
    It's not dumb, it's basic safety. You're not going to give away the existence of a file by outputting a different error if it does exist.



  • replied
    Originally posted by Gwenn
    Well, are you logged in ?
    Returning 404 for every repo behind a login-wall is a real dumb way to trip devs up.
    How does GitHub distinguish between real 404 errors or a deleted repo / branch etc!



  • replied
    We aren't getting a launcher any time soon. Epic replied that they have an interest in making a unified Flatpak for all distros.



  • replied
    Epic should provide at least the Launcher with compiled binaries of UE4, or Flatpak package for example will run in any Linux distribution. Sad the lack of support.



  • replied
    How cool is that:
    http://phoronix.com/scan.php?page=ne...VR-Vulkan-GNUX

    I'll try to run the ocean examples with Vulkan once I've finished some other stuff.

    Anyone has set up VS Code for Unreal?
    Last edited by mike444; 04-29-2017, 09:29 AM.



  • replied
    Well, are you logged in ?



  • replied
    hey peeps, was gonna build the editor on Linux, but can't find the repo any more. Getting a 404 error.

    Thanks
