On Mon, 2005-10-10 at 13:38 +0200, Alfred M. Szmidt wrote: In some cases this is true. In some cases it is probably less true than we would like to believe > > So: plugability is good, and necessary, but there are places where > it is a very bad idea, and the proc server is a good example of > where it is bad. > > I strongly disagree, me running my own proc server will not affect > anyone, unless they say that they trust my proc server. And I cannot > tell the other user to trust it.
The problem isn't really trusting your proc server. The problem is that any time I call a process *created* by your proc server I am trusting your proc server, and this means that I have to authenticate the process abstraction itself before I can call anything. All of these authentications are certainly possible, but in practice they are too hard a burden and programmers do not do them. Let me back up: what functionality is provided by instantiating a new proc server? Perhaps there is a design that can achieve this securely. shap _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
