[Opensim-users] Announcement of inventory tool (MyInventory), mostly of interest to grid operators/grid nauts
Diva Canto
diva at metaverseink.com
Mon Nov 19 18:21:10 UTC 2012
On 11/19/2012 9:37 AM, Snowcrash Short wrote:
> Well, it is only the single most popular opensimulator based grid you
> are writing complete off as hopelessly insecure, when the truth is
> that it can be hardened. Although I agree that complete security would
> require a rethink about where assets are stored.
As long as people can plugin simulators arbitrarily, these grids are
impossible to secure. This is not up for interpretation. "Hardening," as
you say, by providing session ids and checking permissions will only
give a false sense of security, since when it comes to resources in this
LL client, the simulators are proxies of user actions. Blocking the
simulators would mean blocking the users.
Open, secure interoperation of grids, however, is perfectly possible. It
can be done in different ways. One way is the Hypergrid. There are others.
The Hypergrid is designed with the separation of user services and
simulator services in mind, similar to what you have described. It is
possible to wrap up the collection of user services (inventory, assets,
user accounts, avatar, and friends) and run them in isolation from grids
(i.e. collections of one or more simulators under one authority). This
is already possible now. You simply need to run a Robust server with
exactly the Hypergrid services and no simulators.
In practice, people are still stuck with the grid model that encompasses
both user and simulator services, so nobody operates on that separation
[yet].
Your approach of having the user's computer as the locus of the user
services is actually quite deficient, not the least of it the fact that
people use different computers. There are very good reasons for why
things are moving to the cloud in general. But I don't want to
discourage you from exploring that approach, if that's what works for
you. From everything you said, however, it seems that you are missing a
few important bits related to security -- things that we have already
thought through and addressed ("been there, done that"). What you want
to do, the inventory download and upload, can be done in a way that
doesn't upset anyone. Your approach is the wrong one because it upsets a
lot of people. But again, if that's how you want to do it, go ahead and
do it.
Diva
More information about the Opensim-users
mailing list