[Opensim-users] Announcement of inventory tool (MyInventory), mostly of interest to grid operators/grid nauts

Diva Canto diva at metaverseink.com
Mon Nov 19 18:21:10 UTC 2012 

On 11/19/2012 9:37 AM, Snowcrash Short wrote:
> Well, it is only the single most popular opensimulator based grid you 
> are writing complete off as hopelessly insecure, when the truth is 
> that it can be hardened. Although I agree that complete security would 
> require a rethink about where assets are stored.

As long as people can plugin simulators arbitrarily, these grids are 
impossible to secure. This is not up for interpretation. "Hardening," as 
you say, by providing session ids and checking permissions will only 
give a false sense of security, since when it comes to resources in this 
LL client, the simulators are proxies of user actions. Blocking the 
simulators would mean blocking the users.

Open, secure interoperation of grids, however, is perfectly possible. It 
can be done in different ways. One way is the Hypergrid. There are others.

The Hypergrid is designed with the separation of user services and 
simulator services in mind, similar to what you have described. It is 
possible to wrap up the collection of user services (inventory, assets, 
user accounts, avatar, and friends) and run them in isolation from grids 
(i.e. collections of one or more simulators under one authority). This 
is already possible now. You simply need to run a Robust server with 
exactly the Hypergrid services and no simulators.

In practice, people are still stuck with the grid model that encompasses 
both user and simulator services, so nobody operates on that separation 
[yet].

Your approach of having the user's computer as the locus of the user 
services is actually quite deficient, not the least of it the fact that 
people use different computers. There are very good reasons for why 
things are moving to the cloud in general. But I don't want to 
discourage you from exploring that approach, if that's what works for 
you. From everything you said, however, it seems that you are missing a 
few important bits related to security -- things that we have already 
thought through and addressed ("been there, done that"). What you want 
to do, the inventory download and upload, can be done in a way that 
doesn't upset anyone. Your approach is the wrong one because it upsets a 
lot of people. But again, if that's how you want to do  it, go ahead and 
do it.

Diva

More information about the Opensim-users mailing list