User:Robin Cornelius/ExecSummary

From Second Life Wiki

TODO TODAY!

I'm sketching out ideas here over my working day and expanding on topics; feel free to ping me on AWG/#opensl for live discussion.

Key areas

  • Viewer registry
  • Viewer Identification
  • Encryption
  • Server/Protocol security issues
  • Open source contributions to the stability and features of LL viewer
  • Open source inventions, new ideas, creativity with 3rd party viewers
  • Non-LL code base viewers and utility programs (text clients and bots)
  • Clarification of TOS points

Viewer registry

Currently the entire concept of what is proposed by LL is very unclear, and there is concern from the community that the entire concept may not work at all. Discussions on the initial blog comments and at our pre-BB meeting have highlighted many of the concerns. The possible implementations we can visualize of this idea range from a simple list of "approved" viewers to only allowing "approved" viewers to connect to the grid.

Starting from the simple list extreme: there is some support for some ideas in this area from many in the open source community, but this depends on exactly what is proposed. Some basic questions that cover all possible implementations include :-

  • How would you get on this list?
  • Who is making this decision?
  • How are "approved" viewers actually checked?

Subject to the above questions, the most basic implementation is just a list of viewers linking to their websites, almost like we already have on the wiki now [link needed].

One issue here is that a list could give users some confidence in the viewer, as a common concern is "How can I trust a 3rd party viewer with personal information such as username/password combinations?". But conversely, NOT being on the list could be seen as being an evil viewer, and this is not a good situation either.

Moving along the scale, we have things like providing some kind of cryptographic signature for viewer binaries, so that the list of approved viewers also contains, for a trivial example, an MD5 sum, or even a gnupg signature. The user would then know they were getting the real thing from the 3rd party developer. Whilst the basic concept of "signing" a viewer is OK to many, if this was on the list it opens up new questions :-

  • How would we update the list?
  • Are we really going to have to jump through hoops every time we make a minor change?

Things like gnupg could avoid much of this, as you could check the key was, for example, the "Emerald developers" key. You would not need to change the registry at all, and the 3rd party devs could push out as many releases as they liked: they just sign with their private key and the viewer registry contains the public key. Debian uses this system for their official apt repositories, BUT there is *no requirement* in Debian to use their official apt repository; a user could simply download a deb from a web site or use a 3rd party apt repository.
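
The difference between the two registry models above, as an added example that is not part of the original notes or of any LL proposal: a per-release checksum entry rejects every new build until the list is edited, while a developer public key entry accepts any build that team signs. It assumes a hypothetical `RegistryEntry` record, uses SHA-256 in place of the MD5 sum and Ed25519 in place of a gnupg key, and all keys and "binaries" are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// RegistryEntry is a hypothetical registry record for one viewer project.
type RegistryEntry struct {
	Name       string
	ReleaseSum [sha256.Size]byte // checksum model: must be edited on every release
	DevKey     ed25519.PublicKey // signature model: set once per developer team
}

// CheckBySum accepts a binary only if it matches the one listed release.
func CheckBySum(e RegistryEntry, binary []byte) bool {
	return sha256.Sum256(binary) == e.ReleaseSum
}

// CheckBySig accepts any binary carrying a valid signature from the listed key.
func CheckBySig(e RegistryEntry, binary, sig []byte) bool {
	return len(e.DevKey) == ed25519.PublicKeySize && ed25519.Verify(e.DevKey, binary, sig)
}

// Demo registers release 1.0 once, then checks later downloads against that unchanged entry.
func Demo() map[string]bool {
	devPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	v1, v2 := []byte("viewer build 1.0"), []byte("viewer build 1.1")
	modified := []byte("viewer build 1.1 (modified after signing)")
	entry := RegistryEntry{"ExampleViewer", sha256.Sum256(v1), devPriv.Public().(ed25519.PublicKey)}
	sigV2 := ed25519.Sign(devPriv, v2)
	return map[string]bool{
		"sum:1.0":       CheckBySum(entry, v1),
		"sum:1.1":       CheckBySum(entry, v2), // false until the registry is updated
		"sig:1.0":       CheckBySig(entry, v1, ed25519.Sign(devPriv, v1)),
		"sig:1.1":       CheckBySig(entry, v2, sigV2), // new release, registry untouched
		"sig:modified":  CheckBySig(entry, modified, sigV2),
		"sig:other-key": CheckBySig(entry, v2, ed25519.Sign(otherPriv, v2)),
	}
}

func main() {
	for check, ok := range Demo() {
		fmt.Printf("%-14s accepted=%v\n", check, ok)
	}
}
```

Either check is only as trustworthy as the channel the registry entry itself arrives over, which is the "who is making this decision?" question raised earlier.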