Prioritize getting a panel

  • Before I begin, here's a sort of "timeline" of events leading up to this suggestion for context.

    • In November 2020, @"Telesphoreo"#36 created a suggestion to implement a panel. After a heated showdown between Ryan and Packs, the suggestion was denied, likely because there were more important matters on hand.

    • In March 2021, I created a suggestion to revisit Packs' suggestion. In my suggestion, I justified implementing it by noting that relying on a Discord bot to control everything is not only a bad idea, but also a potential security hazard. The suggestion was approved in April 2021, but it was considered a low priority.

    • In May 2021, after the Discord bot went down temporarily, I asked that we prioritize getting a panel in internal development channels. It resulted in an argument in which I questioned the reliability of Discord as a service in both stability and security for the long term. Other developers assured me that Discord was a reliable service, but I stood firm. Later in the argument, I questioned why we had to wait until the worst case scenario to happen to do something. The argument went nowhere, and getting a panel remained a low priority.

    • In August 2021, the reliability of Discord as a service as a whole was put to the ultimate test when the Discord server was wiped through a security issue regarding the TotalFreedom bot and we needed to restore from a backup, which turned out to not exist. As I predicted, it failed miserably. Not only that, but for a period of time after the wipe, we had no way to stop and start the server in the event it went down or something broke that required a restart to fix, since the Discord bot was banned from the server and no alternative was provided for a while.


    The writing is on the wall. A panel would not only be a much cleaner solution than the unstable implementation (which has proven time and time again to be unreliable) we have now, but also provide multiple large benefits in terms of security, maintainability, and stability. People have been asking and patiently waiting for a panel since November of last year. Guess what? It's August 2021 now and nothing has changed. People (including myself) are growing increasingly impatient. We've been running into issue after issue regarding the Discord bot, many of which could be avoided using a simple panel.

    This suggestion is not a reiteration of the previous suggestion, but a suggestion to make getting a panel a higher priority. It's time we put this issue to rest once and for all by implementing a panel.


  • I can agree with this, while I may not be an admin on this server, I have used a panel before and I can definitely say that it is a lot better than relying on something else that can put security at a HUGE risk.
    Panels in general keep everything in check and are a good source overall, so I am going to vouch for this.

    Hub Moderator

    Admin

    Rhythm Game Enthusiast

    Owner @ [REDACTED]

  • A panel in reality opens us up to greater security issues than the bot. While the bot has not been perfect to date, nothing is. The bot automates the management of in game admins in a way we aren't able to achieve without writing our own panel.

    As I've already said, a panel would require considerable amounts of effort from the development team and other individuals which we aren't able to spare due to the HUGE backlash we keep getting for a lack of new shiny in game functionality.

    There is currently no scope to add a panel for these reasons. To add a panel would require us to de-prioritise all development work happening on the server, and would open us up to additional risk and security issues which I don't believe people have actually thought through.

    We did look at options for adding a "Basic panel" as a custom plugin to the new forums which would have been the preference, that way we aren't managing admins identities in another place, but the new forums along with any new things have since been de-scoped due to the community backlash.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • Quote

      videogamesm12 no alternative was provided for a while.

    I think in reality the bot was unavailable for around 2 days... Which causes minimal issues.

    Quote

      videogamesm12 It's time we put this issue to rest once and for all by implementing a panel.

    The community has put me in a position where we don't have that time, and the panel cannot be a higher priority because it's been de-scoped from all current future work. There is no current desire / plan to get a panel installed.

    Wild1145


  • Quote

      videogamesm12 In August 2021, the reliability of Discord as a service as a whole was put to the ultimate test when the Discord server was wiped through a security issue regarding the TotalFreedom bot

    wouldn't that be the same problem if someone had access to the panel?

  •   Miasmus Given the bot is now hosted on the same physical server as TF's VPSs are, as would any panel, right now there are no resiliency benefits. But yes, there is the same risk if an individual had panel access that shouldn't (which is a more likely risk due to the lack of ability to properly sync the panel to the forums).

    Wild1145


  • Quote

      Alco_Rs11 giving admin perms to a bot with such sensitive functions is quite dangerous.

    Has absolutely 0 to do with the bot's management of the server... The admin access for the bot was for some of the moderation functionality it has (things like blocking people posting Discord links in the Discord).

    Wild1145


  • @'Ryan' Alco used the term "sensitive functions" to describe more than just Discord administration. The TotalFreedom bot has Senior Admin-level access to the server, with the only line of defense being a simple role check which could be easily defeated by simply giving yourself the Senior Admin role. If the person who compromised the Discord bot knew of this, they could have granted themselves the Senior Admin role to add themselves in-game, extending the breach to the server as well, with far more catastrophic potential.


  •   videogamesm12 It has no different access to a senior logging into Telnet, given there are only 3 people on Discord that can give roles that don't mirror in game the risk is very low of that ever actually happening, and at this point the bot being hosted on ATLAS Infra (The same as the server) means if you're capable of hacking into the VPS the bot runs on or getting the token in any way, you've already got full server file access and can do what you want, meaning the bot is the least of my worries.

    A panel on the other hand has no such sync ability. I'd take the risk of a suspended senior admin going AWOL to be far more likely than a repeat of a very rare issue which will not be able to repeat itself for one thing due to mitigations already in place, combined with the level of technical complexity that would now be required.

    The security argument is really nothing more than an exaggerated position right now, nobody has been able to provide a credible reason why a custom panel we're going to have to write and host and grant even more access to the server than the bot already has gives us somehow more security, when everything I've stated confirmed the exact opposite.

    Wild1145


  • It was made very apparent that we should not be spending our development time adding new gimmicks, and rather spend it improving the user experience and backend issues on the Freedom-01 server.

    I am also not convinced that the Discord bot hijack is even remotely related to a panel. The Discord bot not only managed server startup and kill functions, but also managed several roles, mutes and reports. You cannot substitute a panel with the Discord bot.

    I personally would love a panel, but I understand why it's not an option based on other incidents....

  • Quote

    @'Ryan' A panel on the other hand has no such sync ability. I'd take the risk of a suspended senior admin going AWOL to be far more likely than a repeat of a very rare issue which will not be able to repeat itself for one thing due to mitigations already in place, combined with the level of technical complexity that would now be required.

    Isn't the simple solution to this to just... remove them from the panel before suspending them? I have had to deal with morons who shouldn't have had access to a panel before, and it is a non-issue if handled correctly. The simple perks of being able to manage the server competently and efficiently is a quality control issue that is way more important than the chance a senior would try to tamper with server data before they were suspended.

  • Quote

    @'Ryan' It has no different access to a senior logging into Telnet, given there are only 3 people on Discord that can give roles that don't mirror in game the risk is very low of that ever actually happening, and at this point the bot being hosted on ATLAS Infra (The same as the server) means if you're capable of hacking into the VPS the bot runs on or getting the token in any way, you've already got full server file access and can do what you want, meaning the bot is the least of my worries.

    The TotalFreedom bot doesn't have to be the one to be compromised. Any bot that has the "Manage Roles" permission or any user account with that permission can also be compromised. The security flaw is that the only thing stopping someone from using tf!console is through a simple role check. Also, token grabbing exists.
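
The role-check weakness debated in the posts above, as an added example that is not part of the thread and not the TotalFreedom bot's code: a role-only gate beside one that also requires an active record, keyed by user ID, in an admin list kept outside Discord. `Member`, `AdminRecord`, the user IDs and the record store are hypothetical; only the role name comes from the thread.

```python
from dataclasses import dataclass

SENIOR_ROLE = "Senior Admin"  # role name taken from the thread

@dataclass(frozen=True)
class Member:  # hypothetical stand-in for a Discord guild member
    user_id: int
    roles: frozenset

@dataclass(frozen=True)
class AdminRecord:  # hypothetical entry in an admin list kept outside Discord
    rank: str
    active: bool  # False once the admin is suspended

def role_only_check(member):
    """Weak gate: trusts whatever roles the account holds right now."""
    return SENIOR_ROLE in member.roles

def hardened_check(member, records, alerts):
    """Require the role AND an active senior record keyed by user ID."""
    record = records.get(member.user_id)
    has_role = SENIOR_ROLE in member.roles
    has_record = bool(record and record.active and record.rank == SENIOR_ROLE)
    if has_role and not has_record:
        # Role held without a matching record: deny and surface it for review.
        alerts.append(f"role/record mismatch: user {member.user_id}")
    return has_role and has_record

def demo():
    # Constructed sample data, not taken from the thread.
    records = {1001: AdminRecord(SENIOR_ROLE, True),
               1002: AdminRecord(SENIOR_ROLE, False)}
    members = {"listed": Member(1001, frozenset({SENIOR_ROLE})),
               "suspended": Member(1002, frozenset({SENIOR_ROLE})),
               "role_only": Member(2002, frozenset({SENIOR_ROLE})),
               "regular": Member(3003, frozenset())}
    alerts = []
    results = {name: (role_only_check(m), hardened_check(m, records, alerts))
               for name, m in members.items()}
    return results, alerts

if __name__ == "__main__":
    results, alerts = demo()
    for name, (weak, strong) in results.items():
        print(f"{name:10} role_only={weak} hardened={strong}")
    print(alerts)
```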


  • i just read through the thread about this from november and i saw that packs made a point i made two weeks ago, that introducing docker into the mix would make the server a lot easier to manage at the root access level. but it was also mentioned that the server hardware won't support docker. is that related to the TF infrastructure being located in multiple countries?

    also, i sent a few security suggestions to ryan.wild@[atlas website] 20 days ago because that was listed as a security contact in a forum thread. should i use os-security-reports instead?

    with the panel, the server, and the website in the same docker network, they could seamlessly interact, allowing for a schematic system and anything else you would want to add. the panel could be behind an IP whitelist and have its own auth just to be safe. the only thing is to do that we might need to abandon one or more of our providers, like OVH or Hetzner.

    as an op, this is beneficial because the server would be able to restart itself unless manually stopped, and when bugs are reported, devs could more easily debug them in the panel.

    feel free to discuss anything in the email publicly. packs already mentioned a lot of it back in that november thread, which i wasn't aware of until a few moments ago.

  •   FromTimeToTime Docker doesn't work with OpenVZ. If you go to the Superior Networks website you'll see that the VPSs use OpenVZ. That's why I theorized it because I have no idea if wild is using OpenVZ or not for TF or just the Superior Networks servers.

    The reason it doesn't affect other companies like OVH VPSs is because they use KVM. The difference is that instead of a shared kernel, each instance can have their own kernel (I think?). Generally speaking KVM is the best way to go and Docker supports KVM so that's why you can use it on OVH or Hetzner Cloud.

  •   Panther That would then require all suspensions to only be managed by me, something which is not sustainable nor desirable from my perspective.

    Wild1145


  •   videogamesm12 And as part of the rebuild of the Discord, there is only a single bot other than the TotalFreedom one that has that access, along with the 3 people that currently are Discord admins. It's a low risk as I've already said, and the panel would introduce greater risks.

    Wild1145
