secondlife / jira-archive

3 stars 0 forks source link

[BUG-232113] llGetVisualParams: is the intentional use shape stealing? #9459

Closed sl-service-account closed 10 months ago

sl-service-account commented 2 years ago

What just happened?

llGetVisualParams appears to allow people to inspect/clone avatar shape parameters without the user's consent, and regardless of permissions, is this intentional?

What were you doing when it happened?

N/A

What were you expecting to happen instead?

N/A

Other information

Original Jira Fields | Field | Value | | ------------- | ------------- | | Issue | BUG-232113 | | Summary | llGetVisualParams: is the intentional use shape stealing? | | Type | Bug | | Priority | Unset | | Status | Closed | | Resolution | Duplicate | | Reporter | Kyrah Abattoir (kyrah.abattoir) | | Created at | 2022-05-05T21:09:15Z | | Updated at | 2022-05-12T19:05:26Z | ``` { 'Build Id': 'unset', 'Business Unit': ['Platform'], 'Date of First Response': '2022-05-06T16:11:36.757-0500', 'ReOpened Count': 0.0, 'Severity': 'Unset', 'System': 'SL Simulator', 'Target Viewer Version': 'viewer-development', 'What just happened?': "llGetVisualParams appears to allow people to inspect/clone avatar shape parameters without the user's consent, and regardless of permissions, is this intentional?", 'What were you doing when it happened?': 'N/A', 'What were you expecting to happen instead?': 'N/A', } ```
sl-service-account commented 2 years ago

Robin Lobo commented at 2022-05-06T21:11:37Z

This is a disaster on such a scale I'm stunned. !!! It completely destroys the idea of having a unique avatar. The shape business is huge, HUGE, because we all want to have an individual appearance. I have to believe this was never fully thought through. The function rolled out a few days ago - somebody needs to hit the panic button right now and either remove or cripple the function.

sl-service-account commented 2 years ago

Kyrah Abattoir commented at 2022-05-07T08:51:14Z

I'm not going to be as hyperbolic, and I should probably have attended the server/scripting group meetings before this went live.

sl-service-account commented 2 years ago

Chaser Zaks commented at 2022-05-08T02:28:51Z, updated at 2022-05-08T02:30:38Z

If I really think about it, I get kinda conflicted on it.

For the function:

sl-service-account commented 2 years ago

IslaGrace commented at 2022-05-08T04:40:56Z

As a shape maker I was appauled to see this being allowed.  Whilst I understand that people can export their own shapes and such.. this is simply a click of a button and boom.   I know people look on shape makers as a lowly sort, but it actually takes a lot of time, patience and skill to get things looking proportional and nice.  I only do my store as a bit of a hobby but there are others out there who are very big business and who make a lot from it... so essentially this allows people to steal their hard work.

Shape making is about creatng a look, so it incorporates the skin, hair, makeup, body markings, eyes etc too (which is why they come with stylecards)... what's next? is there going to be a script to give all this infor too!... Absolutely shocked that LL have allowed this to happen and I trust they will look into it soon and actually regard shapes as intellectual property for creators out there!!!

sl-service-account commented 2 years ago

Robin Lobo commented at 2022-05-09T02:00:42Z

I agree that it would be useful for calculating height (child avatars), hover and offsets and I'm sure that this function was implemented as a result of a reasonable request to LL. But it should only return values for the subset of shape slider values to achieve that. It should exclude all the facial features, eyebrows and physics. It may be possible to do packet sniffing as described above to copybot shapes, but that would take effort that hardly seems worthwhile, and I think unlikely to affect the market ... certainly not as easy as buying a HUD and clicking a button. Considering the fact that you can buy a multitude of mesh heads where the only difference is the appearance as an indicator of how important this is to people, I don't think that was being hyperbolic.

sl-service-account commented 2 years ago

Chaser Zaks commented at 2022-05-10T23:38:01Z

Perhaps it can be locked behind experience keys. Experiences are able to be moderated, and if a experience abuses it's abilities as an experience, the experience can be revoked.

sl-service-account commented 2 years ago

Shadoskill Heckroth commented at 2022-05-11T02:14:31Z, updated at 2022-05-12T02:15:04Z

Going to put my 2 cents in, you can and have been able to export your or any users shape info as a xml on a lot of TPV's like firestorm for years.... and just reimport it from the edit shape window.

Having this feature would have been nice for as a example rigged heads could give you tips of like hey your head might be deformed here are the default shape values for this head.

Shapes have been easy to create, copy for years its laughable that they even have permissions attached to them.

 

Edit, even default viewer can steal shapes since at least 2014 so it's a bit hypocritical to remove the script functionality.

sl-service-account commented 2 years ago

Kyrah Abattoir commented at 2022-05-11T11:26:07Z

Looks like after yesterday's Linden group meeting, this function will be limited so it doesn't expose the full parameter set.

sl-service-account commented 2 years ago

PixelBerry commented at 2022-05-11T21:19:55Z

In regards to shapes and physics, this code makes copy, modify and transfer completely obsolete, I do not like this one bit. It should be up to the creator/owner of the shape/physics whenever the numbers get taken/shared.

It shouldn't be up to a few people to let this be okay because they have a different opinion regarding that, there is a ton of people who do not like this one bit, including myself.

It's pretty invading, while instead, people could simply ask for credits or whenever they could have one's shape/physics or not, instead of grabbing without permission.

This also completely effs up people who own shape/physics stores.

I don't know what else to say, bad idea.

sl-service-account commented 2 years ago

panterapolnocy commented at 2022-05-11T21:47:36Z, updated at 2022-05-11T21:48:07Z

From https://modemworld.me/2022/05/10/2022-sug-meetings-week-19-summary/ :

Apparently, there was an “issue” with the week #18 deployments which has lead to changes being deployed this week.

In short, the list of avatar appearance details for a given agent that could be returned by llGetVisualPrameters (which went grid-wide with the deployment of server release 571166 to the Main SLS channel in Week #18) gave rise to a host of “Shape Stealing HUDs” that allowed people to obtain the full set of avatar body shape details for any shape (including those sold as “No Mod” by shape creators.

As a result, both the SLS Main deployment on Tuesday, May 10th, 2022 and the RC deployments of Wednesday, will see the list of returned values significantly reduced to:

33 – height 503 – platform_height 756 – neck_length 38 –  torso_length 616 – shoe_height 814 – waist_height 80 – male 692 – leg_length 842 – hip_length 198 – heel_height 693 – arm_length 11001 – hover

Also see https://wiki.secondlife.com/wiki/LlGetVisualParams

sl-service-account commented 2 years ago

Maestro Linden commented at 2022-05-12T19:05:26Z

Version https://releasenotes.secondlife.com/simulator/2022-05-05.571557.html has been deployed to all simulators this week. Following feedback from creators, this update greatly restricts the supported parameters of llGetVisualParams() - see https://wiki.secondlife.com/wiki/LlGetVisualParams for details.