[Disclaimer: This blog entry is personal opinion based on a personal understanding of current events. Should you feel any facts are materially wrong then please contact me, citing sources, and I will be happy to make corrections or retractions as appropriate]
—
I try to keep my RL separate from my SL, but I guess it’s not giving too much away to say that I work in the IT Industry and have direct experience with software development. So the self-destruction of Emerald has been very interesting for me.
So, where did it all go wrong? I think to answer that you need to look at how a proper Open Source Project is run.
Generally you have a version control system which anyone who cares to can read (but not write to). Members of the development team can, of course, write to it as well.
This open access ensures transparency, because anyone with the technical ability can examine and review the source code to make sure there is nothing nefarious in it. They are also able to download the entire codebase and compile their own version of the application rather than trusting that the pre-built binaries available for download were actually made from the source code.
Furthermore, the version control system has an audit trail of every check-in, showing what changes were made, by whom, and when. This makes it more difficult to introduce malicious code although there are ways round it, of course. However, even if the developer subverts the process to avoid the audit trail (if they have direct access to the actual files on the server hosting the repository), the code is still available for inspection and anyone can compare a previous snapshot of the code with the current one using an automated difference tool. So there is still transparency.
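To illustrate the snapshot comparison described above, here is an added example (not part of the original post, and not code from any viewer project). It hashes every file in two source trees, lists what was added, removed or changed, and prints a readable diff of each changed file. The directory names, file names and file contents are constructed sample data.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_snapshots(old_root, new_root):
    """Return sorted (added, removed, changed) relative paths between two trees."""
    old, new = manifest(old_root), manifest(new_root)
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, changed

def file_diff(old_root, new_root, rel):
    """Unified diff of one changed file, for a human reviewer to read."""
    old = (Path(old_root) / rel).read_text(errors="replace").splitlines(keepends=True)
    new = (Path(new_root) / rel).read_text(errors="replace").splitlines(keepends=True)
    return "".join(difflib.unified_diff(old, new, "old/" + rel, "new/" + rel))

# Constructed sample: two tiny snapshots of an imaginary source tree.
SAMPLE = {
    "v1": {"src/login.cpp": "connect(grid);\n", "src/render.cpp": "draw(scene);\n",
           "README": "viewer\n"},
    "v2": {"src/login.cpp": "connect(grid);\nfetch(extra_url);\n",
           "src/render.cpp": "draw(scene);\n", "src/extra.cpp": "init();\n"},
}

def build_sample(base):
    """Write SAMPLE under base and return the two snapshot directories."""
    for name, files in SAMPLE.items():
        for rel, text in files.items():
            path = Path(base) / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    return Path(base) / "v1", Path(base) / "v2"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old, new = build_sample(tmp)
        added, removed, changed = compare_snapshots(old, new)
        print("added:", added, "removed:", removed, "changed:", changed)
        for rel in changed:
            print(file_diff(old, new, rel))
```

A comparison like this only shows how two published snapshots differ; it cannot show whether either snapshot matches the code the released binaries were built from.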
The trouble with Emerald is that the version control system was not open and there was no transparency. Yes, the source code was published periodically but in a snapshot form. You were expected to trust that this source code was the real deal and not some sanitised version. And that trust was betrayed.
Because there was no transparency, certain members of the Emerald team were able to inject undesirable code (which is well documented elsewhere so I won’t bother going into it here).
Worse still, Emerald also used some Closed Source software which meant that only the developer(s) of that code knew what was in it and the members of the Emerald team were expected to trust that it was non-malicious. Again, that trust was betrayed.
It also appears to me that the team weren’t really following good Software Engineering process. This isn’t too surprising because, as far as I understand, they were all programming for fun and were all fairly young. So there were few controls in place to audit what was going on. I genuinely believe that the more respectable members of the team (and I’ll leave it for you to decide who they are) didn’t know what was being put in by the less respectable members. This is why we have processes, checks and safeguards in professional Software Development and I simply don’t think they were in place for Emerald.
And I’m not even going to comment on the clash of personalities, egos, hidden agendas and motivations of the actual developers of Emerald. That’s not something I want to explore as this piece is really more about the technical side of things.
In many ways, the Emerald project was a nuclear reactor being run without control rods or safety systems, and it went critical and suffered a meltdown.
So, where does this leave Third Party Viewer Development? Are we doomed to use Linden Lab’s awful Viewer 2.0? The short answer is no!
Emerald was not the only Third Party Viewer and some of the others are being run properly. Imprudence, for example, is fully transparent and Open Source. They are by no means the only one, of course, but it’s the one that springs most readily to mind.
Finally, I just want to say that this blog entry may seem very negative about Emerald. However, I don’t mean it to be because I do genuinely believe that Emerald was truly innovative and really moved the Second Life Viewer game onwards. The developers added some very good features (the nefarious ones notwithstanding) and they should be praised for it; they’re clearly very talented. However, as I’ve said, I think the project was very badly run and was very open to abuse. And it was abused.
Leaving aside their so-called good practices, which can all be got around by developing one version in one place and another version in another place. Suppose for a minute you read Jessica Lyons conversation with phox. Didn’t that interest you, where he says something like: I’m doing it for the money, and Jessica says what money, and he says exactly. You know what he is talking about, don’t you? Let me make it clear: it’s Gemini and Onyx; he is alluding to the fact that Emerald came second to Onyx and Gemini. Him, skills hak, and all those other people have a tidy little number going on there. That whole dev team were involved at some point or another in creating or distributing copybots, then they decided to trawl for IP addresses and usernames using Gemini, because it certainly doesn’t cure copybotting. Also they tallied that database to Emerald users who had their logins stolen by the Emerald devs. You see, you can’t trust any of them; there’s money in the Emerald dev team Onyx and Gemini. Now you tell me – are they scammers or scammers? In my opinion the whole lot of them should be investigated by European and American law enforcement. They are nothing but scammers.
I don’t disagree. However, by using a Version Control System like Mercurial, it’s vastly more difficult to maintain the ‘plausible deniability’ of two codebases compared to publishing sanitised snapshots like Emerald did.
So my point was that the greater transparency in Phoenix and Imprudence means it’s *more likely* that they’re on the level.