Draft: Evaluate three proposals for V-Sekai content distribution
The Context
Address the security concerns of V-Sekai content distribution, including the sandbox API surface, file size management, resource loading, and packed scene instantiation.
The Problem Statement
We aim to safely initialize an avatar body from the V-Sekai content distribution network into the virtual world without compromising security or performance.
We wish to enable Godot to load older content seamlessly.
We want to avoid animations causing security issues.
Describe how your proposal will work with code, pseudo-code, mock-ups, or diagrams
Option 1: Instantiate and Validate binary PackedScene
This method involves streaming chunks of an average packed scene from the web, instantiating it inside the sandbox, and applying runtime verification to the instantiated tree. This approach avoids the double-initializer security concern described below and avoids doubling memory by copying the PackedScene.
Double initializer security concern
Maintaining different content initializers becomes a security problem as the code paths drift apart and fixes applied to one are lost in the other.
Option 2: Instantiate and Validate binary GLTF
For this option, we would stream an average glTF file from the web and develop a loader for glTF within the Godot sandbox equipped with a set of verifiers.
We must create custom VSEKAI or GODOT extensions for each resource and node type that glTF does not specify, though simple schemas could be autogenerated from the classes.
Option 3: Stream arbitrary Godot-packed scene resources, write a verifier and then parse
Creating a JSON schema for arbitrary Godot-packed scene resources that have been converted to JSON is a complex task. This option might be more challenging than adapting glTF for sandbox C++.
The Benefits
A significant benefit of these approaches is the ability to enforce specific requirements, such as requiring GPU-compressed texture formats suitable for PCVR and mobile (Basis Universal, BPTC, and ASTC) at upload and download time. By controlling the instantiation process, we can also refuse to load content when, for example, an avatar exceeds a polycount of 70,000 triangles. We can size worlds according to predefined constraints, with various optimization settings available.
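The following is an added example, not code from V-Sekai or Godot, showing what the verifier set from Option 2 and the limits described above look like when applied to a glTF document before anything is instantiated. It inspects only the JSON part of the asset: the 70,000-triangle avatar limit is the figure from this proposal, while the KTX2-only texture policy, the extension allowlist, and the sample documents are assumptions constructed for the example. A real sandbox loader would additionally confirm that accessor counts match the binary buffer lengths before touching geometry.

```python
"""Added example: pre-instantiation verifier for a glTF 2.0 JSON document (not project code)."""
import json
from urllib.parse import urlsplit

# The 70,000-triangle limit is the proposal's figure; the two allowlists are assumptions.
MAX_AVATAR_TRIANGLES = 70_000
ALLOWED_IMAGE_MIME_TYPES = {"image/ktx2"}      # KTX2 is a container for Basis Universal / ASTC / BPTC
ALLOWED_EXTENSIONS = {"KHR_texture_basisu"}    # anything the loader does not implement is rejected
TRIANGLE_MODES = {4: "TRIANGLES", 5: "TRIANGLE_STRIP", 6: "TRIANGLE_FAN"}  # glTF primitive modes


def primitive_triangle_count(gltf, prim):
    """Triangles drawn by one primitive, derived from accessor counts only."""
    mode = prim.get("mode", 4)
    if mode not in TRIANGLE_MODES:
        return 0  # points and lines contribute no triangles
    accessor_index = prim["indices"] if "indices" in prim else prim["attributes"]["POSITION"]
    accessors = gltf.get("accessors", [])
    if not (isinstance(accessor_index, int) and 0 <= accessor_index < len(accessors)):
        raise ValueError(f"accessor index {accessor_index!r} out of range")
    count = accessors[accessor_index]["count"]
    if not isinstance(count, int) or count < 0:
        raise ValueError(f"accessor {accessor_index} has invalid count {count!r}")
    return count // 3 if mode == 4 else max(count - 2, 0)


def count_triangles(gltf):
    """Total triangles over all nodes; a mesh instanced by two nodes is counted twice."""
    meshes = gltf.get("meshes", [])
    total = 0
    for node in gltf.get("nodes", []):
        if "mesh" not in node:
            continue
        mesh_index = node["mesh"]
        if not (isinstance(mesh_index, int) and 0 <= mesh_index < len(meshes)):
            raise ValueError(f"mesh index {mesh_index!r} out of range")
        for prim in meshes[mesh_index].get("primitives", []):
            total += primitive_triangle_count(gltf, prim)
    return total


def verify_gltf(gltf):
    """Return a list of policy violations; an empty list means the asset may be loaded."""
    problems = []
    for ext in gltf.get("extensionsUsed", []):
        if ext not in ALLOWED_EXTENSIONS:
            problems.append(f"unsupported extension {ext!r}")
    for i, image in enumerate(gltf.get("images", [])):
        mime = image.get("mimeType")
        if mime not in ALLOWED_IMAGE_MIME_TYPES:
            problems.append(f"image {i}: disallowed mimeType {mime!r}")
    # Only embedded data URIs are accepted, so the loader never fetches external resources.
    for kind in ("buffers", "images"):
        for i, item in enumerate(gltf.get(kind, [])):
            uri = item.get("uri")
            if uri is not None and urlsplit(uri).scheme != "data":
                problems.append(f"{kind}[{i}]: external uri {uri!r} not allowed")
    try:
        triangles = count_triangles(gltf)
    except (KeyError, TypeError, ValueError) as exc:
        problems.append(f"malformed geometry: {exc}")
    else:
        if triangles > MAX_AVATAR_TRIANGLES:
            problems.append(f"{triangles} triangles exceeds limit of {MAX_AVATAR_TRIANGLES}")
    return problems


def verify_gltf_text(text):
    """Parse streamed JSON text and verify it; parse errors are reported, not raised."""
    try:
        gltf = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(gltf, dict):
        return ["top-level glTF value must be an object"]
    return verify_gltf(gltf)


# Constructed sample documents: no real buffer data, only the fields the verifier reads.
GOOD_AVATAR = {
    "asset": {"version": "2.0"},
    "extensionsUsed": ["KHR_texture_basisu"],
    "buffers": [{"byteLength": 4, "uri": "data:application/octet-stream;base64,AAAA"}],
    "accessors": [{"count": 3600, "componentType": 5123, "type": "SCALAR"}],
    "meshes": [{"primitives": [{"attributes": {"POSITION": 0}, "indices": 0}]}],
    "nodes": [{"mesh": 0}, {"mesh": 0}],  # same mesh instanced twice: 2 x 1200 triangles
    "images": [{"mimeType": "image/ktx2", "bufferView": 0}],
}
OVERSIZED_AVATAR = {
    "asset": {"version": "2.0"},
    "accessors": [{"count": 240000, "componentType": 5125, "type": "SCALAR"}],  # 80,000 triangles
    "meshes": [{"primitives": [{"attributes": {"POSITION": 0}, "indices": 0}]}],
    "nodes": [{"mesh": 0}],
}
UNSAFE_AVATAR = {
    "asset": {"version": "2.0"},
    "extensionsUsed": ["EXT_example_unsupported"],          # placeholder extension name
    "buffers": [{"byteLength": 4, "uri": "https://example.invalid/model.bin"}],
    "images": [{"mimeType": "image/png", "uri": "tex.png"}],
    "meshes": [{"primitives": [{"attributes": {"POSITION": 7}}]}],  # dangling accessor index
    "nodes": [{"mesh": 0}],
}

if __name__ == "__main__":
    for name, doc in [("good", GOOD_AVATAR), ("oversized", OVERSIZED_AVATAR), ("unsafe", UNSAFE_AVATAR)]:
        print(name, verify_gltf(doc) or "accepted")
```

The verifier collects every violation instead of stopping at the first, which gives the uploader a complete report, and it counts triangles per node rather than per mesh so that instancing the same mesh many times cannot slip under the limit.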
The Downsides
The primary downside is the complexity of these security measures and their potential performance impact. Each option requires substantial development effort and may introduce latency or processing overhead. Furthermore, maintaining these systems as Godot evolves could increase long-term maintenance costs.
The Road Not Taken
We could have explored simpler, less secure methods of content distribution that rely more heavily on post-load validation rather than stringent pre-load checks.
The Infrequent Use Case
These methods are designed to handle extremely large or complex scenes that might exceed the proposed limits and infrequent resource types not covered by standard validators.
In Core and Done by Us
We will maintain the core functionality of the sandbox and basic loaders, ensuring that critical updates or security patches can be applied swiftly and uniformly.
Status
Status: Draft
Decision Makers
- V-Sekai development team
- Fire
- Lyuma
- fwsgonzo
Further Reading
- V-Sekai · GitHub - Official GitHub account for the V-Sekai development community focusing on social VR functionality for the Godot Engine.
- V-Sekai/v-sekai-game - This GitHub page hosts the V-Sekai open-source project, which integrates social VR/VRSNS/metaverse components into the Godot Engine.