Open Source Viewers |
|
|
3Ring Binder
always smile
Join date: 8 Mar 2007
Posts: 15,028
|
05-13-2008 14:31
How do we know all these new viewers that aren't run by LL aren't also people who can track passwords and then send alts to steal your stuff?
_____________________
it was fun while it lasted.
http://2lf.informe.com/ |
|
2k Suisei
Registered User
Join date: 9 Nov 2006
Posts: 2,150
|
05-13-2008 14:35
How can we trust LL?
|
|
Phil Deakins
Prim Savers = low prims
Join date: 17 Jan 2007
Posts: 9,537
|
05-13-2008 14:37
I'd never use a non-SL viewer, although I think that Nick's reputation is trustable.
_____________________
Prim Savers - almost 1000 items of superbly crafted, top quality, very low prim furniture, and all at amazingly low prices.
http://slurl.com/secondlife/Seymour/213/120/251/ |
|
Blot Brickworks
The end of days
Join date: 28 Oct 2006
Posts: 1,076
|
05-13-2008 15:52
> I'd never use a non-SL viewer, although I think that Nick's reputation is trustable.

I will second that. If you make stuff in SL then I think you need to use the SL viewer to see what the end result will be ish. Before Windlight was the norm it was a lottery.
_____________________
Blots Plot @ THE OLD MERMAID INN http://slurl.com/secondlife/Dunbeath /206/85/26 http://phillplasma.com/2009/05/01/blots-plot-the-old-mermaid-inn/ |
|
Peggy Paperdoll
A Brat
Join date: 15 Apr 2006
Posts: 4,383
|
05-13-2008 16:07
> How can we trust LL?

I'm not sure how you can trust LL but one reason I have a certain level of trust is the simple fact that Linden Lab has a physical address in San Francisco, CA. An address I can give to a law enforcement department should LL use my password or any other personal information for illegal purposes. They also provide a secure site for personal business with them. Things like that instill a little more trust than someone that only has a web page or maybe some web-based email. |
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
05-13-2008 16:30
I believe the idea is that since the source code is viewable, those who wish can compile it themselves. In the case of SL the programming packages needed to compile the viewers are available free. There are instructions you can follow to do the compilation. If you don't understand the programming language and know how or want to compile the code yourself, you can get a friend with the skills needed to do it for free, or pay someone. There are folks who don't find it a bit of a problem to read the source code, who do read the source code to viewers like Nikolaz's viewer, who would report if the source code included password stealing code, chat bugs, etc. There are also folks with port scanners and disassemblers and such that would be likely to be checking on the precompiled versions.
For those who need a verified physical address to trust a source, one could try asking the author of the program for an address to mail a letter to that they would need to respond to before you'd try their program. So far as trusting downloads go, everything I see on the internet comes through Comcast, I can't really trust a bit of it, can I? I notice that at least one of the open source viewers, the Dale Glass client, sends crash reports that go to the author. A normal crash report includes some information that some folks like to keep secret, such as an IP address. So if you are concerned with such things and using an open source client you might want to make sure you turn off the crash reporting.
_____________________
-
So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them. I can be found on the web by searching for "SuezanneC Baskerville", or go to http://www.google.com/profiles/suezanne - http://lindenlab.tribe.net/ created on 11/19/03. Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard, Robin, and Ryan - |
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
05-13-2008 16:34
Since viewers like Nicholaz' can be based off the LL viewer, would that mean the LL viewer is just as vulnerable as any?
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.
http://brenda-connolly.blogspot.com |
|
2k Suisei
Registered User
Join date: 9 Nov 2006
Posts: 2,150
|
05-13-2008 16:36
> I'm not sure how you can trust LL but one reason I have a certain level of trust is the simple fact that Linden Lab has a physical address in San Francisco, CA. An address I can give to a law enforcement department should LL use my password or any other personal information for illegal purposes. They also provide a secure site for personal business with them. Things like that instill a little more trust than someone that only has a web page or maybe some web-based email.

I am raising money to help save the lemmings. Please help! Send me your L$!! My address is: 14 Pudding Lane London England |
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
05-13-2008 16:42
If you don't trust a third-party viewer, do you trust a proggie like SculptyPaint? Or the lossless sculpt map uploader tool?
Both are created by residents and target residents and just because they're not viewers doesn't mean they couldn't easily get your account details anyway (if you have "Remember Password" checked then password.dat yields your password and the settings xml yields your account name). I'm not trying to imply both of those do anything bad, but if you're going to be suspicious, be suspicious of all proggies regardless of their stated purpose. Anything you run on your puter has the potential to do harm in some way. |
|
2k Suisei
Registered User
Join date: 9 Nov 2006
Posts: 2,150
|
05-13-2008 16:51
There are many people working on the open source SL client under the wing of LL. There is nothing to prevent any of those people from adding a backdoor.
We just take our chances! |
|
Qie Niangao
Coin-operated
Join date: 24 May 2006
Posts: 7,138
|
05-13-2008 18:23
I trust LL's viewer more for two reasons: First, there are lots more eyeballs looking at the source, so if somebody slips in a nasty, it's pretty likely to get noticed. And second, LL has a lot more to lose.
The next level of confidence, seems to me, are the more common of the compile-it-yourself open source clients, including Nicholaz's, and others. There are enough people looking over those shoulders that I feel reasonably sure that anything nefarious would be found pretty quickly. (Proprietary, non-open 3rd party viewers? No thanks.)
_____________________
Archived for Your Protection
|
|
Gordon Wendt
404 - User not found
Join date: 10 May 2006
Posts: 1,024
|
05-13-2008 19:07
> I trust LL's viewer more for two reasons: First, there are lots more eyeballs looking at the source, so if somebody slips in a nasty, it's pretty likely to get noticed. And second, LL has a lot more to lose.
>
> The next level of confidence, seems to me, are the more common of the compile-it-yourself open source clients, including Nicholaz's, and others. There are enough people looking over those shoulders that I feel reasonably sure that anything nefarious would be found pretty quickly. (Proprietary, non-open 3rd party viewers? No thanks.)

Not to mention the unethical ways some of these third party proprietary viewer creators (cough) ESC... got the source and the licensing in the first place. It's a risk to use any third party program that you give your SL info to; however, it really is a matter of reputation and of the number of people and length of time of people using it without complaint. For example, Nicholaz's viewer has been used by a ton of people (I don't feel comfortable making a guess of how many) with no real complaints and nobody losing their info to it. Could it turn out he's been mining everyone's info to use at a later date? Yes, however the odds at this point are against it, especially since he openly shows the source for the viewer and as of yet there are no complaints about the source and no reason to believe that the pre-compiled version is different than the shown source, although that's always a risk when both are given.
_____________________
|
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
05-13-2008 19:20
Proprietary, non-open 3rd party viewers? No thanks.) |
|
Winter Ventura
Eclectic Randomness
Join date: 18 Jul 2006
Posts: 2,579
|
05-13-2008 20:28
You can live in fear for the rest of your life, you can hole up in your house, cover your windows and doors with plastic and duct tape, you can lock up the silver, unplug the electrical items, and stop drinking water because you're afraid it's contaminated.
Then you can be "safe". Personally, I find that you develop trust for people over time. If that trust is abused, so be it. I don't want to be the kind of person who distrusts everyone and everything. The cost of being wrong is too high.
_____________________
● Inworld Store: http://slurl.eclectic-randomness.com ● Website: http://www.eclectic-randomness.com ● Twitter: @WinterVentura |
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
05-13-2008 20:33
duct tape |
|
Qie Niangao
Coin-operated
Join date: 24 May 2006
Posts: 7,138
|
05-13-2008 20:45
You wouldn't use the onrez viewer?
_____________________
Archived for Your Protection
|
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
05-13-2008 21:02
Right. Not unless they open their source. .... ...and then you run something you built from that source. If they say "here's what we did" and give you a binary, you still have to trust that they only changed what they said they did. |
|
2k Suisei
Registered User
Join date: 9 Nov 2006
Posts: 2,150
|
05-13-2008 21:36
There could be something in the duct tape. A light coating of anthrax powder on the adhesive. Now you tell me. |
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
05-13-2008 21:46
no Linux viewer |
|
Bluesman Wycliffe
Registered User
Join date: 19 Feb 2008
Posts: 74
|
05-13-2008 21:48
> I believe the idea is that since the source code is viewable, those who wish can compile it themselves. In the case of SL the programming packages needed to compile the viewers are available free. There are instructions you can follow to do the compilation. If you don't understand the programming language and know how or want to compile the code yourself, you can get a friend with the skills needed to do it for free, or pay someone. There are folks who don't find it a bit of a problem to read the source code, who do read the source code to viewers like Nikolaz's viewer, who would report if the source code included password stealing code, chat bugs, etc. There are also folks with port scanners and disassemblers and such that would be likely to be checking on the precompiled versions.
>
> For those who need a verified physical address to trust a source, one could try asking the author of the program for an address to mail a letter to that they would need to respond to before you'd try their program. So far as trusting downloads go, everything I see on the internet comes through Comcast, I can't really trust a bit of it, can I? I notice that at least one of the open source viewers, the Dale Glass client, sends crash reports that go to the author. A normal crash report includes some information that some folks like to keep secret, such as an IP address. So if you are concerned with such things and using an open source client you might want to make sure you turn off the crash reporting.

You hit the nail on the head there. There are lots in the C++ community that can read code, some as well as they read the written word. The OS community prides itself generally on protecting its users. I'm pretty sure if there were discrepancies or suspicious pieces of code someone would report it and make it public.
A good thing you suggested is, if you in any way mistrust the third party client/viewer, to disable the crash reports; there will be plenty who have examined the code who will send the reports. If it makes you comfortable then err on the side of caution. Likewise, because the official viewer is OS there are ppl checking it for the same backdoors and the like. Some don't understand, that's the beauty of open source: the end user protects themselves and their own. With so many people analysing the application instead of a handful of company employees, potential flaws or security risks will come to the fore far more quickly, hence acted upon/fixed. Then there's the lack of need to protect code in multiple wrappers of encryption or protection, which in turn makes the code run more efficiently. Yes, I'm a shameless OS advocate, but I much prefer to trust an open source app in the public domain over any corporate closed language similar app... I too was skeptical all the years ago I started with OS. Experience has educated me. I feel safer with OS. The user base of SL naturally determines there are many who can "blow the whistle" if need be, and I assure you the laws of percentages and averages weigh on the side of protection. If SL was closed source I'd be suspicious rather than complacent as I am now. |
|
2k Suisei
Registered User
Join date: 9 Nov 2006
Posts: 2,150
|
05-13-2008 21:50
That's suspicious in and of itself. It comes from a lack of trust in what I'll say next. |
|
FD Spark
Prim & Texture Doodler
Join date: 30 Oct 2006
Posts: 4,697
|
05-13-2008 22:03
I have used other 3rd party source programs related to SL....Sculptypaint, Rokoru, Math sculpt, and Av painter, but I have never used another viewer except Onrez's.
I did use briefly with alt account the Onrez viewer but I didn't like it. I trust the system that if someone gets my bank info they find out I am broke, they aren't going to get much money from me. And if they did I can dispute whatever unauthorized charges...but I also know that may always work.
_____________________
Look for my alt Dagon Xanith on Youtube.com
Newest video is Loneliness by Duo Zikr DX's Alts & SL Art Death of Avatar |
|
Gordon Wendt
404 - User not found
Join date: 10 May 2006
Posts: 1,024
|
05-13-2008 22:12
> Right. Not unless they open their source. And, yeah, that was the viewer to which I was alluding; I originally had some snarky sheep remark that I elided because I'm not anti-ESC, exactly, I just wouldn't trust their viewer on my machine, given that I have zero information about who actually wrote the code and under what supervision. But it's all academic anyway, since they have no Linux viewer.

I'll answer that for you: most of the code was written by LL or by volunteers who submitted patches to LL. ESC just added a few visual tweaks and one or two little features which already had their base elements implemented in the code, just no UI aspects for them (web viewer for example) at the time. I'm not even going to go into the circumstances of how they bought the license to the code because I don't want to derail this into an anti-ESC rant.
_____________________
|