[opensource-dev] Known details of LL 'Firefly' client-side scripting

[Tigro Spottystripes]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

wouldn't that be more like Flash then?

On 17/3/2010 17:36, Morgaine wrote:
> Argent is exactly right.
> 
> From sitting in on these OHs, the intention that has come across (but
> with some ambiguity) is definitely that binaries will be pushed to our
> clients and executed, even if this involves some action in-world. 
> Whatever the mechanism of transfer, these binaries are inherently
> untrusted and untrustworthy by inspection.  If you choose to assign your
> trust to them, that is your own personal lookout.
> 
> Note that this situation is *NOT* like on the Web, where Javascript is
> sent to browsers as /*source code*/ which is available for inspection by
> anyone who cares to do it.  Because of the possibility of inspection,
> the Web enjoys the "many eyeballs" effect that allows browsers to flag
> sites as malicious.  There will be no such protections here, because the
> distributed binaries are opaque.
> 
> The mere idea that opaque binaries are being sent to people and executed
> locally on their PCs should be enough to send shivers down everyone's
> spine, even if they're only minimally aware of security.  From our
> technical and open source perspective here, which is after all what
> opensource-dev is all about, it's just completely unacceptable.
> 
> Designing script execution to run on LL's servers is wholly within
> Linden rights to do in secret.  Designing script execution to run /*on
> OUR private machines*/ is NOT within Linden rights to do in secret at all.
> 
> 
> Morgaine.
> 
> 
> 
> 
> 
> ==================================
> 
> On Wed, Mar 17, 2010 at 6:45 PM, Argent Stonecutter
> <secret.argent at gmail.com <mailto:secret.argent at gmail.com>> wrote:
> 
>     On 2010-03-17, at 12:31, Dzonatas Sol wrote:
>     > You install a program on your computer, and you either trust it or
>     > you don't. It comes down to that, so it doesn't matter if it is .NET
>     > or Java or some binary made by company XYZZY.
> 
>     The quotes from the office hours make it seem like they're talking
>     about having in-world content pushing stuff onto your client, not
>     explicitly installing code.
> 
>     _______________________________________________
>     Policies and (un)subscribe information available here:
>     http://wiki.secondlife.com/wiki/OpenSource-Dev
>     Please read the policies before posting to keep unmoderated posting
>     privileges
> 
> 
> 
> 
> _______________________________________________
> Policies and (un)subscribe information available here:
> http://wiki.secondlife.com/wiki/OpenSource-Dev
> Please read the policies before posting to keep unmoderated posting privileges
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuheTcACgkQ8ZFfSrFHsmWHuwCeKrI2SP+a2oPDny2sVIj7CwgV
INsAni/h81Gb4fKRjd+QOIRh68HC299S
=3wB4
-----END PGP SIGNATURE-----