Help Wanted: Volunteer Linux System Administrator

ioquake3 is an entirely volunteer-run project and we need more volunteers! Please share this post with your friends.

If you love maintaining Linux servers, and specifically Ubuntu Server, this is the role for you. The ioquake3 project is looking for a qualified Linux Systems Administrator to assist with maintaining our Ubuntu VPS. We need someone to help maintain our server and it’s services, keep it running, and up-to-date.

The first major goal we need to accomplish is to move our web sites off of DreamHost and onto the VPS that Ryan “icculus” Gordon provides for our project.

This role should not require much of your time once you become familiar with our systems. A few hours a week should take care of it, outside of any large upgrades.

Basic Qualifications:

  • 2+ years of experience with Linux Systems Administration. You need to have done this before if you’re going to help the project.
  • Virtual Private Servers
  • Apache configuration
  • nginx
  • PHP. You don’t have to be able to develop a new application in it, but most of the webapps we use make use of it.
  • Experience working with other free or open source software projects.
  • DNS
  • Domain registration
  • Experience with terrible shared hosting providers

Preferred Qualifications:

Please write an introductory e-mail to zachary at ioquake dot org (there’s no 3 in the domain name for our email services)  and we’ll discuss your future with the project.

Because this is a free software project and we receive what amounts to almost no donations please keep in mind that this is a VOLUNTEER ROLE. That also means you get to work entirely remotely. Woohoo!

If this role doesn’t sound good for you, there is plenty more work to be done. We need to make ioquake3 the best and easiest way to play Quake 3 on Windows, macOS, and Linux, develop new games, and play mods. This is your opportunity to contribute to an incredible free software project that needs your help. Get involved.

If you don’t have time to help, please contribute to Ryan’s Patreon campaign here.

Auto-Update Update

Ryan “icculus” Gordon has surprised us with a cross-platform auto-updater for ioquake3.

Created thanks to contributions to his patreon campaign, here’s how Ryan describes it:

I’ve written an autoupdater for ioquake3, with the intention of the game operating much like Google Chrome…it just stays up to date and you don’t really notice. This has been a long-time wishlist item for the ioq3 team…as they are locked out of platforms like Steam, they’ve been stuck telling people to download the game over and over, maybe migrating their mods, or live without new features and fixes.

Once this solidifies, the official builds will just keep staying up to date, which is pretty sweet. And of course, this is optional, so it won’t interfere with distro packages and such.

We still need to implement the network infrastructure behind the update mechanism, but this is a very important and large first step on that road.

You can browse the code in this pull request and this update that added more security features to the process.

Or read more about the updater in these three blog posts from Ryan:

  1. Project: ioquake3 autoupdater
  2. ioquake3 autoupdater: now with Linux support!
  3. ioquake3 autoupdater: now with Windows support!

Please contribute to Ryan’s patreon campaign if you enjoy his work.

If you’d like to support ioquake3  in a roundabout way I am selling t-shirts and hoodies for Nuclear Monster.

ioquake3 is an entirely volunteer-run project and we still need your help, please check out this page on our wiki for more information.

Help Wanted

Last month I wrote about an important security update, and we were lucky that the news was spread far and wide but many players still didn’t see it.

Even if they read the news, and they updated to the latest build of ioquake3, they wouldn’t have caught the follow-up security commits to the code repository unless they downloaded another test build more recently.

We have a serious issue getting people on the latest code because our installers and DMGs are 8 years old and designed for a time when the only way to get Quake 3 was on a disc.

That’s changed, the only good way to get Quake 3 today is on Steam or gog. You can probably find old discs on ebay, but I wouldn’t bother when you can get digital bits delivered instantly. There are huge caveats to those digital platforms, #1 for us is that if you’re on macOS or Linux it is not at all straightforward to get the data from Steam or gog.

If we had a standalone baseq3 replacement of our own, that would not be as big of an issue.

Even if we had installers that were modernized, our binaries aren’t code signed and so players on macOS and Windows receive warnings and their operating systems prevent our code from being executed. We need help resolving that issue from someone who is more familiar with the code signing process.

Even if our binaries were code-signed, we don’t have any way for players to get the latest binaries automatically. This has become the new normal for games delivered via Steam and standalone mechanism’s like the one Blizzard uses for their games. Even web browsers like Firefox and Chrome have been doing this for years. Networked software needs security updates, and we can’t get it to players without an auto-update mechanism.

Here again I will make the caveat that it would be possible for ioquake3 to be on Steam if only we had a standalone game, even a minimal one, for players to play when they don’t own Quake 3.

Around this time last year I wrote a post about an issue when the id master server was down, because id (thankfully) was able to bring their master server online we did not get a fix implemented and committed to our git repo. This means that exceptionally long-running Quake 3 servers might still be reporting to the wrong ioquake3 master server, and if id has ever changed their master ip address it could be wrong for those servers as well. It also means that the in-game Quake 3 server browser still only receives servers from id’s master.

When security issues, and others like the id master server downtime, occur, it would be amazing if we could also announce that they are already resolved for players on our auto-update system instead of having to post blog posts and hope that people update before their computers are compromised.

We need to deliver updated code automatically to everyone, and make it as easy as possible to play Quake 3, mods, and games built on this engine. We need a project manager to help get our launcher project going again and developers to work on adding an auto-update mechanism to it.

This project, ioquake3, is entirely volunteer-driven. We receive no grants of time or money from any corporation except for the wonderful discourse forum donated from the Discourse enterprise. We spend more money on hosting ioquake3 and its servers than it gets in donations.

We can’t move one step without volunteer contributions from the community of players and developers who love Quake 3 and the projects that have been built off of the source code. It’s only with those contributions that we have been able to develop ioquake3 for the past 12(!) years.

While there wouldn’t be an ioquake3 project without the code, the contributions we need now are in recognition of the mature status this codebase has reached.

We need help from build and release engineers to update and maintain our installation process for Windows, macOS, and Linux.

We need help from people who love writing documentation to help players, game makers, and systems administrators get started with ioquake3.

We need help from people to create art, sounds, maps, and menus for a small stand-in for baseq3 when people don’t own Quake 3: Arena but want to use this incredible code to get some frags in or to get started making a game.

We need help from anyone who loves the quality assurance process to go through our bug queues on Bugzilla & Github in order to triage and duplicate those issues to confirm their continued threat and eradicate them. Testing is part of quality assurance and testing means playing Quake 3, who wouldn’t want to do that?

We need help from people who want to help other players on our forums, live chat on our Discord server, and on our Facebook page.

We need to make ioquake3 the best and easiest way to play Quake 3 on Windows, Mac, and Linux, develop new games, and play mods. This is your opportunity to contribute to an incredible free software project that needs your help. Get involved.

Important Security Update: Please Update ioquake3 Immediately

Please immediately update ioquake3 to the latest test build before you connect to any online servers. Despite the name, the test builds are in fact way more stable and secure than any release at this time.

In doing so you’ll also receive access to all kinds of other updates and changes that we’ve made since you last installed ioquake3.

Here’s the why:

We recently pushed  a large security fix that prevents malicious actions from multiplayer servers.

Please share this news with any other Quake 3 players you know. It’s on Facebook and Twitter as well. These kinds of exploits are even worse in the regular Quake 3 client, nobody should be using that anymore.

Our Player’s Guide can help new Quake 3 players get started with ioquake3.

Ideally, we would distribute these security fixes automatically, similar to the way browsers like Chrome and Firefox distribute updates. Games on consoles, or in Steam, require updates in order to go online and happen automatically now. This way, we could distribute an update first so that nobody who is online is vulnerable in an ideal scenario.

Right now we don’t have anyone working on that issue, if you are interested in helping us with an auto-update system to be built into our launcher, get in touch.

Until then, please update your test build as often as you can to get the latest security changes.

ioquake3 is an all-volunteer project that needs your help. Check out this page if you’d like to join us in our mission to keep Quake 3 alive.

Our thanks to Victor Roemer for reporting the vulnerability.

If you find a security vulnerability, please e-mail zachary@ioquake.org.

The id Master Server is Back Online (Updated)

Update: the id master server is back online, the in-game server browser is working again. We will continue to look for a way to work around it in the event of future extended downtime. Our original post appears below.

Master server If you’ve tried to play multiplayer Quake 3 using the original id Quake 3 binaries or ioquake3 in the past few months you might have had a difficult time finding a game with the built-in Server Browser. You would have seen the error message in the screenshot above:

No Response From Master Server

The master server is what game servers that you play on talk to, in order to communicate their availability to your copy of Quake 3: Arena.

Since at least March 11th the official Quake 3: Arena master server offered by id software at master.quake3arena.com has been offline and that is why there is an error displayed instead of a list of servers.

We operate a master server at master.ioquake3.org that has been up for years, and fortunately servers using ioquake3 are still reporting in to it, but there isn’t a quick fix for the in-game server browser at the moment. We have repeatedly reached out to id software to notify them of the issue, suggesting resolutions for it, and received no response.

You can watch for the resolution of this issue on Gibhub, but even when we resolve the issue for ioquake3 players, people using the original id binaries will be out of luck unless they switch to ioquake3 or id software brings their server back online.

There are third-party server browsers such as Qtracker and XQF will continue to work if directed to our master server.

Our Quake 3 server is still online and you can connect to manually by typing /connect phobos.ioquake3.org in the console. This same methods works for connecting to other servers when you know their address.

ioquake3 on OS X El Capitan & Windows 10

El cap win 10

Two major updates have come to desktop and laptop computing recently. OS X 10.11 El Capitan and Windows 10. Big news for users of each platform, and we’re excited that ioquake3 continues to work with both platforms for players updated to the latest build.

Check out our Players Guide and Sysadmin Guide, or just go ahead to the test builds, to get started with playing ioquake3 or running a server today!

If you run into any issues with either this new operating systems or old ones, let us know on our community forums. Thanks to our community of contributors for helping us keep Quake III, mods, and new games going for TEN YEARS now, wow. That is a lot of fragging!

ioquake3… in Docker?!

The folks from the open platform for building, shipping, and running distributed applications called Docker demonstrated a containerized version of ioquake3 at Dockercon. Not just the server, but also the client. Docker’s Arnaud “icecrime” Porterie even called ioquake3 “The best game ever” in their dockerfile description. I don’t think I could be more proud. They were already my favorite container project when I started using Docker for our Discourse forum installation.

ioquake3 updated to SDL 2

If you’ve been following along via github, twitter, facebook, and our new discourse-powered forums, you might have noticed that we’ve been working on updating ioquake3 to Simple DirectMedia Layer (SDL) version 2. SDL 2 is already in use in lots of games, and we’ve been using it internally for over a year now, which is why we felt that it was finally appropriate to bid farewell to SDL 1.2.

The SDL upgrade won’t make a huge difference to the experience of playing Quake 3 and the assorted games that have been built with this engine, but if you’ve got a copy of Q3A please try out the new test builds. Your testing will give us a chance to see if everything checks out OK on more systems than the ones we have access to.

Once in-game you can /connect to our new test server at phobos.ioquake.org

Please report any issues you find with the test builds on the forums, in IRC, or on bugzilla.

Test Builds are Back!

If you’ve been waiting to try out the latest features like the new renderer from our github, you don’t have to wait any longer. We’ve got our test builds page back online and updated with the latest builds from our continuous integration systems.

These builds aren’t tested, but you can file bugs against them on our bug tracker and let us know how they work out for you on our forums.

Go frag somebody today.

Continuous Integration with Travis

Ghost of shame

It’s been a long time since I last wrote about any kind of testing, and one of the most basic forms is making sure your build compiles as a step of continuous integration.

This has been added to ioquake3’s github with the Travis service.

What this means is that every time one of your friendly neighborhood ioquake3 team members makes a commit, travis will pull down a copy of the codebase from github to a fresh virtual machine, read our instructions, and follow them to compile our codebase with a script that we’ve created.

If the build succeeds, great!

If the build fails, then, oh no! Somebody screwed up and let me write code again. A bot is dispatched by travis to our irc chat compound (irc.freenode.net #ioquake3) to let us know and will let everyone know which commit broke the build. The author will then receive the depicted ghost of shame in the mail within 64-128 weeks.

Currently we’re telling Travis to build for mingw (under Linux) and Linux itself with various options and it takes about 14 minutes to complete the operation.

In the future we hope to figure out a way save the builds Travis creates to the ioquake3 website so that we can offer you more expedited builds.

Travis’ website suggests a method that involves Amazon S3 but we are interested in other storage solutions.

Happy New Year, ioquake3 and github!

Hi All,

This August will be the 7th Anniversary of ioquake3!
Time flies when you’re fragging fools and breaking builds.
We still haven’t had a release since 2009. Don’t worry, we still have another 365 days to go until it has been 5 years since a release!
The real reason for this post is that I wanted to tell you all that we’re moving the project to github.
There is a new organization there, called ioquake.
But most importantly there is a project there that you can clone, fork, and send pull requests.
Bugzilla and other things hosted on icculus.org will keep going, but the SVN repository is now deprecated and I don’t know if it will remain online or not. If possible, we may set up a thing to automatically slurp in changes from the github project.
ioquake3.org itself is not going anywhere
Thank you to everyone who has contributed and played ioquake3 since the project started on August 20th, 2005!

Make sure to join us on server.ioquake3.org for some baseq3 fragging when you get a chance!

Here are your top-ten all-time contributors, by number of commits:

  1. Thilo Schulz
  2. Tim Angus
  3. Ludwig Nussel
  4. Zack Middleton
  5. Ryan C. Gordon (he beat me by 3 commits!)
  6. Zachary J. Slater
  7. Tony J. White
  8. Aaron Gyes
  9. James Canete
  10. Coyote

If you have any questions or suggestions let me know in the comments here, on our freenode irc channel #ioquake3, or on our twitter account and facebook page.

Continue reading “Happy New Year, ioquake3 and github!”

ioquake3 and OS X Mountain Lion

10imac27 photo

The latest version of OS X, Mountain Lion has been available for a little while and we have now confirmed that ioquake3’s latest SVN (revision 2306) compiles and runs smoothly on it.

If you already have ioquake3 installed on your intel Mac running 10.6 or greater please try a test build:

It should run fine under Mountain Lion, if you have Gatekeeper enabled with the default setting you will have to right click and then select Open on the .app.

Please let us know if it works well for you.

CVE-2012-3345 symlink attack in ioquake3 >= r1773

Background
==========
 
ioquake3 [IOQ] is a fork of the Quake III Arena (id Tech 3) game engine,
and has become the de facto upstream for that engine since id Software
ceased to develop it. It is also used (unmodified, modified or forked)
in various open-source and proprietary games including OpenArena [OA],
Reaction [REA], Smokin’ Guns [SGN], Tremulous [TREM], Turtle Arena [TA],
Urban Terror [URT] and World of Padman [WOP].
 
Vulnerability
=============
 
Access vector: local
Authentication required: local system
Impact: overwrite a file owned by the victim with a predictable integer
 
Since svn revision 1773, ioquake3 has written its process ID to the file
/tmp/ioq3.pid (or ioq3.pid in a world-writeable location) under the
following circumstances:
 
* running on non-Mac Unix and TMPDIR not set, or set to a
world-writeable location; or
* running on Mac OS and FSFindFolder() for a temporary directory fails
or returns a world-writeable location
 
On a multi-user system, an attacker could create a symbolic link
/tmp/ioq3.pid pointing to any file owned by a user who plays an
ioquake3-based game. When the victim runs ioquake3, the target file will
be overwritten and replaced with the process ID of ioquake3.
 
The effect of this attack depends on the file being overwritten: it
could be simple vandalism (destroy one of the victim’s files), or it
could have further security implications if knowledge of the contents of
a target file is used for authentication (in a system similar to
pam_dotfile [DOT], for instance).
 
For the dedicated server, the process ID is written to ioq3_server.pid,
but the attack is essentially the same. For forks of ioquake3, the
filename will typically include the name of the fork, e.g. openarena.pid.
 
Affected versions
=================
 
* ioquake3 >= svn r1773
* ioquake3 < svn r2253
* OpenArena 0.8.8
* Reaction beta 1.0
* Smokin’ Guns 1.1
* Tremulous “trunk” >= svn r2125
* Tremulous “gpp” >= svn r2140
* Turtle Arena >= svn r204 (all releases named Turtle Arena)
* World of Padman >= 1.5.2 beta
 
Unaffected versions
===================
 
* ioquake3 1.36
* ioquake3 <= svn r1772
* ioquake3 >= svn r2253
* OpenArena <= 0.8.5
* Smokin’ Guns <= 1.1b4
* Tremulous “trunk” <= svn r2124
* Tremulous “gpp” <= svn r2139
* Tremulous GPP1
* Tremulous <= 1.1.0
* Turtle Arena <= svn r203
* TMNT Arena 20091211 (former name of Turtle Arena)
* ioUrbanTerror 2007-12-20 client
* ioUrbanTerror 2007-12-20 server
* World of Padman <= 1.5.0
 
Solution
========
 
The attached patches have been reviewed by two ioquake3 maintainers.
Please apply them to affected versions on or after the embargo date.
 
Patch 0001 fixes the vulnerability by writing the pid file into the
ioquake3 user’s home directory (e.g. ~/.q3a/ioq3.pid for an unmodified
engine with default configuration) instead of the temporary directory.
 
Patch 0002 is recommended, but not strictly necessary to fix the
vulnerability. It removes the functions to get the temporary directory,
as a precaution against other unsafe uses.
 
 
References
==========
 

Calling all content creators!

Work has started on “baseio“, a project to create a small game to include with the ioquake3 engine download with Creative Commons licensed content. Work has already been started on textures, weapon models, and a player model, but there is still much to be done. Animations, mapping, and audio are most needed, but if there’s anything you can contribute, join the discussion. Any content contributed must be under a Creative Commons nonccommercial-by-sharealike license. The ioquake3 code base and any contributed code will remain GPL. We also need some people who have lead mods before since we’ve run out of beer so now we’re too sober to know what to do.