Is My Viewer Safe?
Oftentimes people want to know if the viewer that they have downloaded is safe to use. In the past some third party viewers have included undesirable features, malware, or features that violate Linden Lab's terms of service. With this in mind, how can a user tell if their viewer is safe?
Below is a list of simple precautions to take and questions to ask. If you complete these, you will gain an accurate understanding of whether your Viewer is safe, or risky, relative to other software installs.
1. Validate the Installer
Ensure you have downloaded the installer directly from the project's website. Do not be tempted by downloads or links you receive from other sources! If you receive a download link in IM, a group chat, or email, don't use it, even if it comes from a friend. Instead, browse directly to the project's website and follow the download links there. Following this advice will protect you from trojan or malicious installers pretending to be a legitimate viewer.
Verify the installer is unmodified.
On a Windows PC your installer will ideally have a digital signature. Check for this by right-clicking the installer and selecting Properties. Look for a “Digital Signatures” tab and verify the organization listed in this tab matches the viewer. If you are on a different OS, or your viewer is not digitally signed, you should compare the MD5 signature of your installer with the signature code listed on the Viewer's download page. For more information on how to verify an MD5 signature, see here: verifying MD5 signatures
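The checksum comparison described above, as an added example (not part of the original page or any viewer project's code): a Python script that hashes the installer and compares the result with the value copied from the download page. It goes slightly beyond the text by also accepting a SHA-256 digest where a project publishes one; the file name and sample bytes are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Digest length in hex characters -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, published):
    """Return (matches, algorithm, computed_digest) for a published checksum.

    `published` is the string copied from the download page; case, spaces
    and a trailing file name (md5sum style) are tolerated.
    """
    token = published.strip().split()[0].lower() if published.strip() else ""
    if not re.fullmatch(r"[0-9a-f]+", token) or len(token) not in ALGO_BY_HEX_LEN:
        raise ValueError("published value is not an MD5 or SHA-256 hex digest")
    algo = ALGO_BY_HEX_LEN[len(token)]
    computed = file_digest(path, algo)
    return hmac.compare_digest(computed, token), algo, computed


def demo():
    """Constructed sample: a small stand-in file instead of a real installer."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as f:
        f.write(b"constructed installer bytes\n")
        path = f.name
    try:
        good = hashlib.md5(b"constructed installer bytes\n").hexdigest()
        ok, algo, _ = verify_installer(path, good.upper() + "  Viewer-Setup.exe")
        bad, _, _ = verify_installer(path, "0" * 32)
        return ok, algo, bad
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A mismatch means the file differs from what the project published; delete it and download again from the project's website.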
2. Consider the Authors
Is the project listed on Linden Lab's Third Party Viewer Directory?
Checking to see if a viewer is listed on Linden Lab's Third Party Viewer Directory (http://wiki.secondlife.com/wiki/Third_Party_Viewer_Directory) is an excellent way to gain some confidence in the Viewer's overall safety. If a viewer is listed here, it means the authors have submitted legal information about themselves to Linden Lab. It also means that the authors are considered to be in good standing with Linden Lab. Most importantly, it means that the viewer itself is believed to fully conform to Linden Lab's Third Party Viewer Policy. Linden Lab does investigate reported violations of the Third Party Viewer Policy and removes viewers judged to be non-compliant from the directory.
Is it easy to see who the developers are? A reputable viewer will have the authors clearly listed in a prominent public place such as the project's website, as well as in the credits section of the viewer. If you can't see who the authors are, this may be a cause for concern.
What history do the developers have within Second Life and other grids? Viewer developers typically aren't completely unknown personas. Most developers have some history of activity within a particular virtual world before they decided to step into viewer development. By looking at what other projects the developers may have been involved with and what their role was in those projects, one might gain insight into the relative safety of their latest viewer work. The corollary to this is that a developer with no known history may be hiding their past.
3. Consider the Project's Behavior
Does the project show you its code development history? If a viewer project has a code repository, check to see if that repository shows you all individual changes (commit messages) since the viewer was modified from Linden Lab's original sources. The most reputable viewers will allow you to view and audit full development timelines without hiding or obscuring their development history, or aggregating it in large blocks for each release.
Is the viewer's source code well commented? If the project has a repository, check that the commits have non-frivolous messages and comments. The more care the author takes with their comments, the greater the chance they have taken good care of their code.
Is the viewer's source code well credited? A reputable viewer will list the authors of all of the code which it incorporates. These authors should at a minimum be listed in the viewer's Help:about section, and additionally may be listed in commit messages or source code. If a viewer knowingly fails to give credit for the code it uses or is derived from despite notification, you should not trust it.
Does the project license its modified code under the same license as Linden Lab's Snowstorm code?
Linden Lab licenses viewer code to the community under the terms of the LGPL license. The most reputable viewers will also use this same, identical license, in order to facilitate sharing of code between the development community. If a viewer chooses to use a different license, it may be a sign of unfriendly intentions towards the development community and/or deliberate incompatibility.
Does the project meet regularly with Linden Lab and/or other grid owners? The most trustworthy viewers will have ongoing relationships with major grid owners. They will represent themselves at meetings and correspond in appropriate channels with grid representatives. The more a viewer team demonstrates awareness of their interdependency with host grids, the safer the viewer is likely to be.
5. Antivirus software may not be helpful
Antivirus software may not be helpful in determining whether a viewer is safe or not. It is common for antivirus software to incorrectly flag even official Second Life viewers as a potential threat. When in doubt, contact your viewer's authors or support team for advice.
Turning antivirus off completely is not recommended; it is better to whitelist specific files if your viewer is generating false alerts.
If you ask the above questions and follow the above advice for your viewer, you should have a good understanding of its level of safety.