[opensource-dev] Known details of LL 'Firefly' client-side scripting
Tigro Spottystripes
tigrospottystripes at gmail.com
Wed Mar 17 17:52:09 PDT 2010
Wouldn't that be more like Flash then?
On 17/3/2010 17:36, Morgaine wrote:
> Argent is exactly right.
>
> From sitting in on these OHs, the intention that has come across (but
> with some ambiguity) is definitely that binaries will be pushed to our
> clients and executed, even if this involves some action in-world.
> Whatever the mechanism of transfer, these binaries are inherently
> untrusted and untrustworthy by inspection. If you choose to assign your
> trust to them, that is your own personal lookout.
>
> Note that this situation is *NOT* like on the Web, where JavaScript is
> sent to browsers as /*source code*/ which is available for inspection by
> anyone who cares to do it. Because of the possibility of inspection,
> the Web enjoys the "many eyeballs" effect that allows browsers to flag
> sites as malicious. There will be no such protections here, because the
> distributed binaries are opaque.
>
> The mere idea that opaque binaries are being sent to people and executed
> locally on their PCs should be enough to send shivers down everyone's
> spine, even if they're only minimally aware of security. From our
> technical and open source perspective here, which is after all what
> opensource-dev is all about, it's just completely unacceptable.
>
> Designing script execution to run on LL's servers is wholly within
> Linden rights to do in secret. Designing script execution to run /*on
> OUR private machines*/ is NOT within Linden rights to do in secret at all.
>
>
> Morgaine.
>
> ==================================
>
> On Wed, Mar 17, 2010 at 6:45 PM, Argent Stonecutter
> <secret.argent at gmail.com> wrote:
>
> On 2010-03-17, at 12:31, Dzonatas Sol wrote:
> > You install a program on your computer, and you either trust it or
> > you don't. It comes down to that, so it doesn't matter if it is .NET
> > or Java or some binary made by company XYZZY.
>
> The quotes from the office hours make it seem like they're talking
> about having in-world content pushing stuff onto your client, not
> explicitly installing code.
>
> _______________________________________________
> Policies and (un)subscribe information available here:
> http://wiki.secondlife.com/wiki/OpenSource-Dev
> Please read the policies before posting to keep unmoderated posting
> privileges