Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
|
12-15-2005 05:11
I'm sure everyone here has heard about the JEVN security flaw that's being discussed on the General boards.
What bothers me about it even more than the release of an insecure script is the fact that every sale JEVN got was one that a competitor writing a more secure version (like Kyrah) didn't get. Then, people complain about "lack of alternatives" when in fact people probably just chose not to write their own networked vendors because there was no need to reinvent the wheel.
It is not a good situation when the best route to success is to get to market quickly with a shoddy script, maybe even with critical flaws, to grab the money and then count on patching it later - especially if the flaws expose innocent SL business people to having their products stolen. How many of them are going to patch their JEVNs now? Yes, I know, you can talk about Microsoft and any number of real-world software vendors but even their flaws aren't that serious and just because it happens IRL doesn't mean we want it to happen in SL as well.
The difficulty that I see is that at the moment, scripts are the only thing in SL which can't have their quality judged without being exposed to being copied. Is there ever going to be a way around this?
|
Kage Seraph
I Dig Giant Mecha
Join date: 3 Nov 2004
Posts: 513
|
12-15-2005 05:22
Is there any nicely automated method by which networked script developers could push patches, either through a cathedral "Windows Update does it for me" approach or a bazaar "I apt-get a fresh build of JEVN stable once a week" approach?
|
Kris Ritter
paradoxical embolism
Join date: 31 Oct 2003
Posts: 6,627
|
12-15-2005 05:29
From: Kage Seraph
Is there any nicely automated method by which networked script developers could push patches, either through a cathedral "Windows Update does it for me" approach or a bazaar "I apt-get a fresh build of JEVN stable once a week" approach?
I dunno about 'nice', but I found the most pain-free way to do it from a user perspective was through an updater object. When I made a patch or new script or whatever, I loaded it to a server, which autodetected the content change and sent out a copy to each of the vendor owners. They needed only to rez the updater next to the vending machine and touch it, and it'd transfer over the new scripts and reinitialise the vendor.
It saves having to send notecards full of complex instructions to people and expect them to drop scripts into their vendors, and saves you the inevitable tech support from those that don't know how, anyhoo. I just called the object itself "Vendor Updater: Rez me near your vendor and touch me!". Never had anyone call me to ask for help.
|
Escort DeFarge
Together
Join date: 18 Nov 2004
Posts: 681
|
12-15-2005 09:25
The best way is to offer a short contract with a bounty to a trusted scripter. I did this with one of my more complex scripted apps that needed "security".
On another note, the best security should be open-sourceable and still not be hackable. I haven't got to that point yet, and suspect we can't unless a crypto library is made available (instead of just a hash function).
My 2c
/esc
_____________________
http://slurl.com/secondlife/Together
|