[opensource-dev] Known details of LL 'Firefly' client-side scripting

Morgaine morgaine.dinova at googlemail.com
Wed Mar 17 14:17:05 PDT 2010


[Another attempt to get the archives to see the rest of the post, prefixing
'From '.]


Argent is exactly right.

From sitting in on these OHs, the intention that has come across (but with
some ambiguity) is definitely that binaries will be pushed to our clients
and executed, even if this involves some action in-world.  Whatever the
mechanism of transfer, these binaries are inherently untrusted and
untrustworthy by inspection.  If you choose to assign your trust to them,
that is your own personal lookout.

Note that this situation is *NOT* like on the Web, where JavaScript is sent
to browsers as *source code* which is available for inspection by anyone who
cares to do it.  Because of the possibility of inspection, the Web enjoys
the "many eyeballs" effect that allows browsers to flag sites as malicious.
There will be no such protections here, because the distributed binaries are
opaque.

The mere idea that opaque binaries are being sent to people and executed
locally on their PCs should be enough to send shivers down everyone's spine,
even if they're only minimally aware of security.  From our technical and
open source perspective here, which is after all what opensource-dev is all
about, it's just completely unacceptable.

Designing script execution to run on LL's servers is wholly within Linden
rights to do in secret.  Designing script execution to run *on OUR private
machines* is NOT within Linden rights to do in secret at all.


Morgaine.


> On Wed, Mar 17, 2010 at 6:45 PM, Argent Stonecutter <
> secret.argent at gmail.com> wrote:
>
>> On 2010-03-17, at 12:31, Dzonatas Sol wrote:
>> > You install a program on your computer, and you either trust it or
>> > you don't. It comes down to that, so it doesn't matter if it is .NET
>> > or Java or some binary made by company XYZZY.
>>
>> The quotes from the office hours make it seem like they're talking
>> about having in-world content pushing stuff onto your client, not
>> explicitly installing code.