How can you be certain that they've never used ioquake3 code when you don't have access to it?
I don't know for sure. That's their claim. I'm not going to accuse them of copyright infringement without proof though.
I really doubt that FS happened to find the same bugs and same fixes to all kinds of bugs or quirks like all the open source projects did before them.
You can't copyright the ideas in a bug report. They are free to use the bug report details from ioquake3. They can't take the actual fixes though. Whether they were strict with reimplementing the fixes is unknown.
So they are developing their own closed source engine now. Without SDL, without cURL, without sv_dlRate, without replacable renderer support, without IPv6, without VoIP, without Ogg Vorbis, without anaglyph rendering from ioquake3. Instead they will reimplement all this without even looking at ioquake3.
Correct. They are going to reimplement the parts they care about. They are starting from the commercial quake3 code (I assume 1.32c) and going from there. They say they will fix all of the known bugs from ioquake3/quake3. Time will tell. They haven't been exactly snappy with fixes for exploits such as the DRDOS.
They know that there's a lot of reinventing the wheel. I think their focus is more on new features rather than redoing what ioquake3 did. For instance, they are using the MD5 model format. I know that's not a new feature since Xreal has it but still... that's part of where they are spending their time.
Sounds like a utter waste of time. Or they'll just not include all these features. Sounds like a poor engine then.
Not to them. If you buy into their interpretation of the licensing, they are restricted to making changes that a quake3 client can run. Now that they have a quake3 license and starting from closed source code, they can do whatever they want. They are free to make it as incompatible with quake3 as they want. They can't use MD5 with the existing situation in 4.1.1 because quake3 cannot load MD5. The only way they can use new features like MD5 and keep it closed source is to start over with the commercial quake3 client/server.
They are also planning on an anti-cheat which isn't possible in an open source client/server. I highly doubt their closed source anti-cheat will be effective either but only time will tell.
I really like how you say that ioquake3 is not needed, when there are no official patches for critical security exploits in UrT for months and when even the latest Quake 3 1.32c released by id themself contains critical bugs.
The issue is one of licensing not security. You can load UrT with quake3 1.32c. That's all they need to worry about for licensing (according to them). Now I don't know anyone who uses quake3 instead of ioquake3 with UrT. I also know of few people who use their UrT client since it's from 2007.