I wonder if this is how the guys at the Manhattan Project felt when they successfully detonated the world's first nuclear bomb: we have this tool, but do we dare use it?
I do agree that it's a bad idea to turn libSL in to a potential vehicle for a free upload program - especially when all of the textures, sounds, and animations are hosted on one server at LL (the true weak point of SL). Is this the same for scripts and notecards? I think someone on the forum mentioned that it's possible to use libSL to upload a compiled script.
I still don't agree that we should be "SL cops", but I do agree that it's important to be responsible when releasing a tool that could be used for evil.
What about this? Contact LL, keep the checksum algorithm a secret for now, and don't publish the upload function to the SVN until you get a definitive answer from LL. In the meantime, I'm sure that the people who are reading this list are sensitive enough to the problem to be responsible, and not publish or release the checksum algorithm or any programs that upload textures, animations, or sounds without charging the obligatory L$10 fee (and paying it to LL, of course).
A HUGE concern about libSL on the forums is the potential for griefing with client side routines. The big one that has come up is sending money without the user's permission. Other potential issues include the possibility of doing things like stealing a user's password or transferring items to another account without the user's permission.
It's probably going to require some sort of registration/validation system for developers to curb the kinds of fraud that could occur with this library. This issue is only really the first of many.
My thought is to use developer registration: essentially, LL would have some sort of validation sequence with third-party applications. The system could be as simple as PGP-encryping a security sequence on the client side and the SL servers decoding the key and confirming the developer's identity. If the key can't be confirmed, the app isn't allowed to log in. This would require SL to create a database of developers, and could help them track developers who break the TOS by writing apps that don't follow the rules.
Doing that also helps you with some of your responsiblity and liability. Developers who register in the developer program have certified to LL that they will follow the TOS with all of their programs.
On 7/9/06, Jesse Nesbitt <[EMAIL PROTECTED]> wrote:
This seems like a fair and just solution, and should keep LL off our backs.
--Jesse
On 7/9/06, John Hurliman < [EMAIL PROTECTED]> wrote:
> Let me add some context to this issue, and an explanation for those who
> haven't taken a look. Upon login an EconomyData is sent to the client,
> saying how much it costs to do various things in the game. After that
> point, the client is responsible for making a payment for the correct
> amount every time it does one of those things. Right now there is no
> server architecture in place to prevent uploads if people haven't paid
> the correct amount, but there is plenty of logging in place to tell if
> this is happening. Since there is a snowcrash modification in the wild
> (called blackmarket) to halve upload costs and reroute them to an alt
> account, LL is now periodically scanning the logs for cheap or free
> uploads and will ban accounts using this exploit. People can modify,
> patch, or fork libsecondlife however they want but the official codebase
> has an obligation to prevent it's users from being banned. The trunk
> will automatically sink the required amount of money per upload and no
> version of the software that will get an account banned will be
> distributed from the official page.
>
> John
>
> _______________________________________________
> libsecondlife-dev mailing list
> [email protected]
> https://mail.gna.org/listinfo/libsecondlife-dev
>
--
--Jesse
_______________________________________________
libsecondlife-dev mailing list
[email protected]
https://mail.gna.org/listinfo/libsecondlife-dev
--
Tom Wilson
[EMAIL PROTECTED]
KI6ABZ
_______________________________________________ libsecondlife-dev mailing list [email protected] https://mail.gna.org/listinfo/libsecondlife-dev
