On Thu, 2005-10-27 at 15:17 +0200, Alfred M. Szmidt wrote:
>    > open() -- assumes a universally shared, mutable store.
>    >
>    > Nothing wrong with that.
>
>    There is. It is possible to protect private data from becoming
>    shared by malicious applications. This is a good thing. What you
>    need for it is confinement: in that case, a hostile application
>    which can read your private data cannot share it. A universally
>    shared mutable store makes confinement impossible, and therefore
>    giving private data to potentially hostile programs dangerous.
>
> I consider that an absurd level of paranoia totally unsuitable for a
> system that you use on a daily basis.

Okay. Please explain how to safely run a browser plugin when the plugin
can write to anything in the file system.

>    Right, you want to secure your system by not making the wrong
>    syscalls in your code? And why do you think a hostile application
>    is going to live by that rule?
>
> And by not implementing the `evil syscalls', as I have said repeatedly!
> You cannot use a syscall if it doesn't exist. That is what I mean by
> don't call it, don't use it, etc.

Cool. Please remove open(), socket(), [gs]etuid(), and fork() for starters.

>    But a system which only does parts of it is not a POSIX system.
>
> Yes it is, POSIX doesn't mandate that everything must be implemented.

Could you please post the address of your drug supplier? It must be
*great* stuff!

Seriously: I think you have not actually sat on a standards committee if
you can say this.

>    I think Jonathan will not consider OpenBSD defensible. ;-)
>
> Jonathan won't consider anything defensible other than EROS.

Actually, no. KeyKOS was just as defensible. The VAX/VMM work was nearly
as defensible, and the later Multics work was VERY good from a security
standpoint (but probably not from a performance standpoint). The Blacker
kernel (GemSOS) was adequate, but insufficiently general purpose. The
ASOS kernel was *extremely* good, but was targeted at a narrower and more
specialized base of applications.

OpenBSD is probably the best attempt to retrofit security onto a hopeless
situation that I have ever seen. It is a *great* holding action, but it
is not a solution that will stand the test of time. Several core people
on the OpenBSD project, by the way, have agreed with that statement.

>    Running untrusted code is useful, and people will do it anyway, no
>    matter what the consequences are. We can build an operating system
>    which makes this acceptable, instead of highly dangerous.
>
> We already have such a system.

Alfred: you are simply wrong.

And you have been pointed at the formal results that conclusively,
mathematically *prove* that you are wrong, you have ignored them, and you
persist in making this wrong assertion. I am very sorry, but 2+2 will not
be 5 no matter how many times you insist that it is so.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
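Editor's note: an added illustration of the point argued above, not code from the l4-hurd thread or from any of its participants. It runs a small "plugin" (the name, the sample secret and the leak path are this example's own) in a child process: the plugin is handed exactly one descriptor it may write to, and it also tries to exfiltrate the same data through the ambient open() that Alfred defends. The confined variant first installs a Linux seccomp-bpf filter (assumed available) that makes open/openat/socket fail with EACCES, which is the closest a POSIX retrofit gets to "you cannot use a syscall if it doesn't exist". The program assumes Linux on x86_64 or aarch64.

```c
/* Added example, not from the thread: a plugin with one write capability
 * versus the ambient open() it uses to leak. Linux-only (seccomp-bpf). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Two BPF instructions: if nr == (nr), return -EACCES to the caller. */
#define DENY_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))

/* Make the calls that mint new authority from the shared namespace
 * unavailable. Using an fd the process already holds stays allowed. */
static int install_confinement(void)
{
    struct sock_filter filter[] = {
        /* Kill on a foreign arch: syscall numbers would not match. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
        DENY_SYSCALL(__NR_open),
#endif
        DENY_SYSCALL(__NR_openat),
#ifdef __NR_openat2
        DENY_SYSCALL(__NR_openat2),
#endif
        DENY_SYSCALL(__NR_socket),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0],
                               .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The untrusted plugin: out_fd is the one capability it was given, the
 * open() on leak_path is the ambient authority the thread argues about.
 * Returns 1 if the leak worked, 0 if it was refused, -1 on error. */
static int plugin_run(const char *secret, int out_fd, const char *leak_path)
{
    if (write(out_fd, secret, strlen(secret)) < 0)
        return -1;
    int fd = open(leak_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return 0;
    (void)write(fd, secret, strlen(secret));
    close(fd);
    return 1;
}

/* Run the plugin in a child, confined or not. Returns 1 if the secret
 * reached leak_path, 0 if the plugin could only use its descriptor. */
int run_plugin(int confined, const char *leak_path)
{
    static const char secret[] = "constructed sample secret\n";
    int pipefd[2], status;
    char buf[64];
    struct stat st;

    if (pipe(pipefd) != 0) return -1;
    unlink(leak_path);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                  /* child: the plugin */
        close(pipefd[0]);
        if (confined && install_confinement() != 0) _exit(3);
        int r = plugin_run(secret, pipefd[1], leak_path);
        _exit(r < 0 ? 3 : r);
    }
    close(pipefd[1]);
    ssize_t n = read(pipefd[0], buf, sizeof buf);    /* legitimate output */
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    if (code == 3 || n <= 0) return -1;
    int leaked = (stat(leak_path, &st) == 0);        /* check the claim */
    unlink(leak_path);
    return leaked == code ? leaked : -1;
}

int main(void)
{
    const char *path = "/tmp/l4hurd_plugin_leak.txt";
    printf("ambient open():     leaked=%d\n", run_plugin(0, path)); /* 1 */
    printf("open() unavailable: leaked=%d\n", run_plugin(1, path)); /* 0 */
    return 0;
}
```

The filter is a holding action in exactly the sense used above: it has to enumerate every call that can turn the global namespace into fresh authority (openat2, connect on an inherited socket, ptrace, and so on), and a missed one reopens the hole. In a capability design the plugin simply never holds anything beyond out_fd, so there is no list to get wrong.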
