[opensource-dev] Viewer blacklist to replace the TPV directory ?
discrete.dreamscape at gmail.com
Thu Apr 29 13:39:16 PDT 2010
This discussion seems to have been created with misleading intentions.
Because some TPV creators don't want to reveal any personal information
about themselves, they can't be posted on the TPV directory, and because of
this, it's understandable they might view the directory as unfair. But, this
doesn't strike me as a valid reason to criticize the list.
It's certainly valid to say that the viewers on the list are not absolutely
trustworthy unless a full code audit is done, but even then, do you really
know that what's in the code is the same as what's in the binary? Isn't
there a limit to what LL can do, given a lack of resources to perform such
audits, especially when what you download requires trust that it's the same
as what they've audited?
But really, trust is supposed to be provided by the fact that the viewer has
indeed registered using real-life contact information, because who would
give such a thing knowing they could be held liable if they indeed decided
to include malicious code? In general, there is no way to certify purity
here, you can only provide a level of trust as a guideline. You can't rely
on babysitting the users, because LL isn't going to compile every third
party's code and release the binaries themselves.
In this regard, you may begin to argue that indeed, a blacklist would better
serve users. I argue that this is exactly the opposite. You may be able to
pick out which viewers are explicitly untrusted, but you make no statements
about the trustworthiness of any others. In this situation, a user is left
to choose between either a viewer which is in the grey about its status, or
an official Linden viewer. This point is key, as far less warranty is
provided for users that they won't be banned for using a third party viewer.
I suspect that in this case, many would simply give up and use the official
client rather than risk their business, etc.
If you want to provide a system where users can trust the clients they use,
it seems like our current one is decent enough. In any case, a blacklist
doesn't appear to be any safer.
On Thu, Apr 29, 2010 at 4:02 PM, Tigro Spottystripes <
tigrospottystripes at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> the disclaimer instead of being hidden in small print in the bottom
> should be the first thing in the page, in big bold red font, to at least
> start helping users be less confused about how much trust they should
> put on the viewers listed
> On 29/4/2010 16:35, Kitty wrote:
> > *From:* opensource-dev-bounces at lists.secondlife.com
> > [mailto:opensource-dev-bounces at lists.secondlife.com] *On Behalf Of
> > *Ron Festa
> > *Sent:* Thursday, April 29 2010 20:27
> > *To:* Henri Beauchamp
> > *Cc:* opensource-dev at lists.secondlife.com
> > *Subject:* Re: [opensource-dev] Viewer blacklist to replace the TPV
> > directory ?
> > Despite claiming the list is Self-Certified those viewers on the
> > list still had to have their viewer reviewed by LL before being
> > listed so really all the TPV's on the TPV Directory are Certified by
> > LL ensuring they comply with their standards & policies.
> > - release a viewer that's the LL source + a handful of innocent patches
> > - apply for the directory and get listed
> > - release a new viewer
> > The last step doesn't invalidate the current listing as far as I know so
> > I really don't see how the viewer directory could possibly be stamped as
> > "reviewed by LL" by any stretch, let alone go as far as claiming that
> > they're "certified by LL" as compliant.
> > Since the reason for the directory is really end-user assurance the
> > viewer directory doesn't really work in that sense because it doesn't
> > actually offer much: LL still reserves the right to ban anyone just for
> > using any third party viewer (whether listed or unlisted).
> > With all the threatening (whether intended or not) language in blog
> > posts or emails a lot of people are going by the assumption that
> > "listed" means "I won't get banned" or that it means
> > "approved/sanctioned/verified/vouched for by LL" but that's just not the
> > case. It would be a lot better for any resident wanting to use any third
> > party viewer to at least know that if they go by the list that their
> > account isn't in jeopardy (no matter how unlikely a ban might be) for as
> > long as that viewer is listed.
> > For better or worse the perception that the viewer directory is a
> > "safelist" is already there now, in spite of any disclaimers on that
> > same page, and it's too late to still reverse that. Personally it seems
> > best if the directory just officially became a "safelist". If a
> > malicious viewer ever makes the list then that wouldn't
> > undermine people's trust in any other listed viewer because LL would
> > guarantee that any viewer they list is indeed "safe" in the sense that
> > noone can be banned for using it, even if they accidentally list one
> > that turns out to not comply (which can just simply be delisted and
> > blocked at that point to prevent continued use since it would have its
> > own channel or it shouldn't have ever made the list to begin with).
> > Kitty
> > _______________________________________________
> > Policies and (un)subscribe information available here:
> > http://wiki.secondlife.com/wiki/OpenSource-Dev
> > Please read the policies before posting to keep unmoderated posting
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> -----END PGP SIGNATURE-----
> Policies and (un)subscribe information available here:
> Please read the policies before posting to keep unmoderated posting
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the opensource-dev