Security Update to Second Life viewers: 2008-10-06

Henri Beauchamp
Registered User
Join date: 8 Oct 2006
Posts: 253
10-07-2008 10:16
From: Prospero Linden
As somebody has pointed out, it is *not* free to continue to support multiple versions of the clients.


Come on.... It took me 5 minutes to produce a patch for v1.19.0.5 based directly on the diff between v1.20.16 and v1.20.17... Same thing for the previous vulnerability... Can't LL afford "spending" 10 minutes of time from one of their developers to simply keep v1.19.0.5 updated with security fixes?...

From: Prospero Linden

If our decisions are not optimum for you -- well, we're sorry about that, but unfortunately it's not possible to do what is best for everybody at the same time.

However, there's another important point here. The SL client *is* open source. You don't *have* to connect using the official SL viewer. If you prefer a viewer modified and built by somebody else, by all means use that! That is the beauty of open source.


Now, consider this: how many among your residents are aware of the existence of alternate viewers?... 1 in 1000?... 1 in 10000?.... 1 in 100000?...

And how many of your residents are using "old" computers (3 years "old" and more)?...
2 in 3, 1 in 2?...

See the ratio?... It means many, many, many residents will be VERY unhappy about the current state of affairs, because, for them, there is no suitable viewer for their computer: not knowing third party viewers even exist, they will simply give up on SL after the Nth crash of the official viewer.

My guess is that this problem (the Windlight only official viewers) is one of the reasons why SL "connected last 60 days" figure stayed around 1,200,000 residents for now almost a year while it used to grow healthily (and peaked at around 1,500,000 users in November 2007) before Windlight adoption.
AWM Mars
Scarey Dude :¬)
Join date: 10 Apr 2004
Posts: 3,398
10-07-2008 10:23
From: Prospero Linden
As somebody has pointed out, it is *not* free to continue to support multiple versions of the clients. Nor is it free to continue to support MacOS 10.3. Particularly in the latter case, the number of people still using Leopard with SL is very tiny. We have finite resources, and have to weigh a lot of things when deciding where to allocate them. If our decisions are not optimum for you -- well, we're sorry about that, but unfortunately it's not possible to do what is best for everybody at the same time.

However, there's another important point here. The SL client *is* open source. You don't *have* to connect using the official SL viewer. If you prefer a viewer modified and built by somebody else, by all means use that! That is the beauty of open source. It means that even if LL is stopping official support for pre-Windlight viewers, we are not preventing pre-Windlight viewers from using Second Life... we're only preventing the versions we have distributed in the past, which we now know are not safe.

(However, we *do* strongly recommend that you make sure that any viewer you are using has the security patch in it, or is otherwise not vulnerable. And, of course, make sure you trust the person who built the viewer (or trust people who have reviewed the code to the viewer-- it being GPL, nobody can distribute a viewer based on the open source code without also distributing the code).)

Personally, I think this is uncalled for.... when you say it's not 'free'... I have to wonder about revenue streams, why LL would not want to support other OSes.. there are only 3 basically. I understand there is a wide variety of permutations with OS, system components etc.... I have to wonder how many of those 'other' OS users are paying LL to use SL in some way?

Perhaps you might try getting the client to a stage whereby a lot of the grunt work is done by the OS/browser API calls, in the form of a plugin. The client is only 30mb so would not take much pruning down. Negating to support OSes is akin to only making a website compatible with IE.

Alternatively, why not employ many of the third party client creators out there, giving them notice of security issues (NDAs, trust etc), so they can apply fixes. After all, for many using SL, they are the saviour. I thought this was the reason for making the client open source in the first place?

In a nutshell, LL created SL to make money; there are certainly a whole raft of revenue streams going into LL's bank. Many many people have supported SL from way back, even during the 'uncertain future years'; no one from LL ever made these sort of statements before. Is this now the general feeling inside LL? Or just a bad day at the office?
_____________________
*** Politeness is priceless when received, costs nothing to own or give, yet many cannot afford -

Why do you only see typos AFTER you have clicked submit? **
http://www.wba-advertising.com
http://www.nex-core-mm.com
http://www.eml-entertainments.com
http://www.v-innovate.com
Veronica Steinhardt
Registered User
Join date: 1 Aug 2006
Posts: 24
Problem with 1.20.17 client
10-07-2008 10:29
The SL 1.20.17 client, as well as all the 1.20 clients, resets my video resolution to 640x480 and disables my second monitor. I cleared the cache before installing and the graphics settings were set to Low.

When I start SL 1.20, the screen goes black and then only my primary monitor comes back as 640x480. Even when I manually reset the resolution, the SL client will not expand beyond 640x480.

What is the newest pre-1.20 client that I can run that won't screw up my video resolution?

Thanks.
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
10-07-2008 10:36
From: Henri Beauchamp
Come on.... It took me 5 minutes to produce a patch for v1.19.0.5 based directly on the diff between v1.20.16 and v1.20.17... Same thing for the previous vulnerability... Can't LL afford "spending" 10 minutes of time from one of their developers to simply keep v1.19.0.5 updated with security fixes?....

This is either a strawman or you do zero testing..
Henri Beauchamp
Registered User
Join date: 8 Oct 2006
Posts: 253
10-07-2008 10:45
From: Sindy Tsure
This is either a strawman or you do zero testing..


5 minutes were to create the patch. The patch is so trivial that it did not require a lot of testing. But testing did occur!

I got the patch from Rob for v1.20.16/17 at 16:31 and published v1.19.0.5 at 18:03 (being able to compile a viewer in less than 10 minutes is a great thing... I love those quad cores... ;-).
I could test it for one full hour and I'm still using it as I am writing this (19:45). A single error in the patch would have crashed the viewer long ago...
Amara Twilight
Registered User
Join date: 16 Feb 2004
Posts: 47
10-07-2008 10:49
From: Prospero Linden
Potentially other clients are vulnerable. It will depend on the details of those clients. We will have a new open source code drop soon with the fixes in it; anybody who has distributed a client based off of that open source code drop would be strongly advised to apply the patch. You will need to contact the people who build and maintain the clients other than the official SL viewers to get patched versions.

If you *must* use a vulnerable client-- and we strongly recommend against this-- connect only to SL or to trusted OpenSim sites; do not connect to random OpenSim servers unless they are run by people whom you specifically trust. You must also disable your streams entirely in preferences (both audio and media), to protect your IP address.

Please do see the wiki page on adjusting the settings for the 1.20 client. I know I found myself that I actually did better with Windlight on a very low-spec machine. I know that doesn't mean necessarily everybody else will, but give it a try.


Ok so this update has now stopped my love from being able to log in at all. The game crashes when she starts it due to an older machine. She NEEDS to use an older browser version to play the game.

HOW does she go about doing this? I could have sworn I read that all updates would be optional. :/
Balp Allen
Registered User
Join date: 26 Mar 2007
Posts: 10
BalpBuild EC-g
10-07-2008 10:51
From: Sindy Tsure
This is either a strawman or you do zero testing..


If you've seen the patch, well, my work time was about 15 minutes for the back port; I needed to unpack the LL original source one more time, test and write release notes. I chose to do the back port by MANUALLY verifying all the code lines, taking extra time to make sure they did what they were supposed to do.

Well, now I DL the CV code build again; I'm 100% sure Henri didn't fuck this up in his five minutes, it's so trivial.
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
10-07-2008 10:53
From: Henri Beauchamp
I got the patch from Rob for v1.20.16/17 at 16:31 and published v1.19.0.5 at 18:03 (being able to compile a viewer in less than 10 minutes is a great thing... I love those quad cores... ;-).

So it's about 90 minutes to get something out the door, once you've been given the final code patch? I get the impression that this was a pretty simple fix, too. Yes?

How much time do you think it'd take the devs at LL to consider the implications of adding the patch to the older code base?

Anybody know how S3 charges? I wonder if LL keeps stats on how many people download and run multiple versions..

From: Balp Allen
If you've seen the patch, well, my work time was about 15 minutes for the back port; I needed to unpack the LL original source one more time, test and write release notes. I chose to do the back port by MANUALLY verifying all the code lines, taking extra time to make sure they did what they were supposed to do.

Well, now I DL the CV code build again; I'm 100% sure Henri didn't fuck this up in his five minutes, it's so trivial.

I was responding only to Henri seeming to say that doing support for older versions was basically free when we all know it isn't free.

Not really looking for an argument here but if you try to tell people that this wouldn't cost LL anything to do, I'm probably going to have to say something..

And, no, I didn't say LL shouldn't do it. Just said that it's not free.
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
10-07-2008 11:03
I will give The Providers credit for at least not dumping this on everyone on a Friday, and hiding for the weekend as is standard procedure.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Boy Lane
Evil Dolly
Join date: 8 May 2007
Posts: 690
10-07-2008 11:04
Cool Viewer for Windows has been updated to 1.20.17.0. Please use only this version until the rest has been updated. http://my.opera.com/boylane/blog/current-releases
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
10-07-2008 11:04
From: Prospero Linden
As somebody has pointed out, it is *not* free to continue to support multiple versions of the clients. Nor is it free to continue to support MacOS 10.3. Particularly in the latter case, the number of people still using Leopard with SL is very tiny.
That would be "Panther", not "Leopard". :)
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
10-07-2008 11:08
From: Amara Twilight
Ok so this update has now stopped my love from being able to log in at all. The game crashes when she starts it due to an older machine. She NEEDS to use an older browser version to play the game.

HOW does she go about doing this?
Add a '--channel "Any Nonsense You Want Here"' option to the command line in the shortcut (on Windows) or in the "Resources/arguments.txt" file (on Mac).

That's two dashes before "channel", followed by a name in double-quotes. If there is already a "--channel" option, you need to change the name following it, not add a new one.

And follow the advice in the original post in this thread: disable streaming and only connect to SL servers, so nobody can find your IP address to launch an attack against you.
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
10-07-2008 11:08
From: Boy Lane
Cool Viewer has been updated to 1.20.17.0. Please use only this version until the rest has been updated. http://my.opera.com/boylane/blog/current-releases

Boy's being entirely too rational for this thread, IMO.
Maike Short
Registered User
Join date: 1 Jun 2008
Posts: 14
10-07-2008 11:10
From: Prospero Linden
(And, of course, make sure you trust the person who built the viewer (or trust people who have reviewed the code to the viewer-- it being GPL, nobody can distribute a viewer based on the open source code without also distributing the code).)


How does one verify that the provided 3rd party binary does match the source verified by a 4th party?
Boy Lane
Evil Dolly
Join date: 8 May 2007
Posts: 690
10-07-2008 11:11
Perhaps, but I put up a full version for my fans and it took a while to upload *shameless promotion* ;)
Cappy Frantisek
Open Source is the Devil!
Join date: 27 Oct 2006
Posts: 400
10-07-2008 11:41
From: Maike Short
How does one verify that the provided 3rd party binary does match the source verified by a 4th party?


You can't and that's the beauty of open source code.
Balp Allen
Registered User
Join date: 26 Mar 2007
Posts: 10
10-07-2008 11:49
From: Sindy Tsure
I was responding only to Henri seeming to say that doing support for older versions was basically free when we all know it isn't free.

Not really looking for an argument here but if you try to tell people that this wouldn't cost LL anything to do, I'm probably going to have to say something..

And, no, I didn't say LL shouldn't do it. Just said that it's not free.


I don't think Henri was saying it was free, but the fear of the costs is much bigger than what it really costs, and he and I do think that 1.19.0.5 or 1.19.1.4 are two good candidates to keep alive for a low cost. Many users love them and that's a good reason to keep that stuff around.

Fucking up the users is never a good long-term strategy even if it can cost a little extra.
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
10-07-2008 11:53
From: Balp Allen
I don't think Henri was saying it was free...

No? Here it is again...
From: Henri Beauchamp
Come on.... It took me 5 minutes to produce a patch for v1.19.0.5 based directly on the diff between v1.20.16 and v1.20.17... Same thing for the previous vulnerability... Can't LL afford "spending" 10 minutes of time from one of their developers to simply keep v1.19.0.5 updated with security fixes?...

If that's not saying it's basically free, it's certainly implying it.
Cincia Singh
Registered User
Join date: 26 Jun 2007
Posts: 79
10-07-2008 12:26
It seems the viewer AND the server software are evolving at a rapid pace and maybe keeping the 1.19 series of viewers around complicates things since each new update to the newest viewer will require going back and making the changes to the older versions; this would seem to be a self-limiting endeavor with scarce resources.
Cypher Ragu
[Mad Scientist]
Join date: 6 Jul 2008
Posts: 174
10-07-2008 13:10
From: Ramzi Linden
All transfer operations are now restricted to files that the user has expressly chosen, and specific directories that the viewer uses for transferring data.


"Data" meaning data between the SL client and LL servers? Or "Data" meaning inventory items for SL residents?
_____________________
Life is a highway... And I just missed my exit.
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
10-07-2008 13:27
From: Boy Lane
Cool Viewer for Windows has been updated to 1.20.17.0. Please use only this version until the rest has been updated. http://my.opera.com/boylane/blog/current-releases

Please keep us informed. Thanks. I will await the update to your 1.19 viewer. So far it is working very well for me. :)
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Amara Twilight
Registered User
Join date: 16 Feb 2004
Posts: 47
10-07-2008 13:58
From: Argent Stonecutter
Add a '--channel "Any Nonsense You Want Here"' option to the command line in the shortcut (on Windows) or in the "Resources/arguments.txt" file (on Mac).

That's two dashes before "channel", followed by a name in double-quotes. If there is already a "--channel" option, you need to change the name following it, not add a new one.

And follow the advice in the original post in this thread: disable streaming and only connect to SL servers, so nobody can find your IP address to launch an attack against you.


Ok we'll try that. Currently can't even get the new browser to launch. Soon as she clicks launch it starts to run then crashes. Tried the vertex argument on the SL site/wiki and that didn't help. Will try your channel thing and see if that works.
Prospero Linden
Linden Lab Employee
Join date: 6 Aug 2007
Posts: 315
10-07-2008 14:28
Yes, the costs involved in updating older viewers are not the costs involved in patching it, but the costs involved in QAing the viewers and making sure they're ready for release. And, we must do that with viewers we release as full releases. Otherwise, we're potentially adding a gigantic load to support. It's not just patching and shooting things out.

I don't want to quote statistics as to how many people are using various different viewers, because I don't know the numbers perfectly and it's not my place to decide to release those numbers, but the number of people still using 1.19.0 (the last pre-Windlight release) is quite small-- well, well, well less than 1 in 3. I will grant you they're vocal....

Re: people who want viewers from places other than Linden, I don't have the answer to that, but there are plenty of people on this thread who claim to be using other viewers successfully; could some of you please answer the question as to where you get these other viewers?
Henri Beauchamp
Registered User
Join date: 8 Oct 2006
Posts: 253
10-07-2008 14:31
From: Sindy Tsure
So it's about 90 minutes to get something out the door, once you've been given the final code patch? I get the impression that this was a pretty simple fix, too. Yes?

How much time do you think it'd take the devs at LL to consider the implications of adding the patch to the older code base?


Given there have been only two security fixes so far since v1.19.0.5 came out, it would have required 10 minutes for any developer at LL to produce the corresponding patches from the ones done for the current viewers (this is the time it took for me), and then about 30 minutes of compilation... The testing is not even hard or long to do as the patched code is pretty much the same in both 1.19.0.5 and 1.2x if you except one or two trivial changes.

From: someone

Anybody know how S3 charges? I wonder if LL keeps stats on how many people download and run multiple versions..

I was responding only to Henri seeming to say that doing support for older versions was basically free when we all know it isn't free.

Not really looking for an argument here but if you try to tell people that this wouldn't cost LL anything to do, I'm probably going to have to say something..

And, no, I didn't say LL shouldn't do it. Just said that it's not free.


I *never* said it was free. I said that:

1.- it is trivial.
2.- it can be done in a matter of an hour or so (patch production + compilation + testing).
3.- it is *worth* it seeing how many residents give up on SL because of the Windlight renderer that can't work decently on their "old" computer.

'nuff said.
Henri Beauchamp
Registered User
Join date: 8 Oct 2006
Posts: 253
10-07-2008 14:52
From: Prospero Linden
Yes, the costs involved in updating older viewers are not the costs involved in patching it, but the costs involved in QAing the viewers and making sure they're ready for release. And, we must do that with viewers we release as full releases. Otherwise, we're potentially adding a gigantic load to support. It's not just patching and shooting things out.

The only true QA is to use the viewer yourself... I don't want to be mean, but frankly, LL's QA let pass many many regressions that any resident can notice in a matter of minutes after they launch the "ready for release" viewer (I could cite VWR-3616 or VWR-5530 for example)...
Besides, we are speaking about trivial security fixes here, not about new features or heavy changes in the code or UI...
The two security fixes that v1.19.0.5 needs to be at the same security level as v1.2x are so easy to port that QA is hardly needed at all (QAing v1.2x is pretty much enough to make sure that the backport to v1.19.0.5 will be OK too).

From: someone

I don't want to quote statistics as to how many people are using various different viewers, because I don't know the numbers perfectly and it's not my place to decide to release those numbers, but the number of people still using 1.19.0 (the last pre-Windlight release) is quite small-- well, well, well less than 1 in 3. I will grant you they're vocal....

Like I explained in a previous post on this thread, this is mainly due to the fact that almost "no one" (when compared to the millions of residents) actually knows that v1.19 viewers still exist and can be used. But the net result is that a huge number of new residents are giving up on SL because they can't find a viewer that would run decently on their "old" computer.

From: someone

Re: people who want viewers from places other than Linden, I don't have the answer to that, but there are plenty of people on this thread who claim to be using other viewers successfully; could some of you please answer the question as to where you get these other viewers?

Perhaps it would be smart for SL to add a link to their download page, pointing to the alternate viewers Wiki page (https://wiki.secondlife.com/wiki/Alternate_viewers), saying that people experiencing problems with official viewers because of "old" hardware could possibly find a solution among the third party viewers...

This said, I find it suicidal for a company to deny the problems of their customers and push on them software that they can't run decently on their computers, then blame them for not having the right hardware (like I could read from a Linden on the sldev list, where he basically said that any Nvidia card before the 8800GT should be considered deprecated...).

Henri.