On Thu, 2005-10-27 at 17:15 +0200, Alfred M. Szmidt wrote:

> In any case, this is not relevant. Your original assertion was that
> users cannot have any more confidence in their kernels than they
> can in downloaded code. I was explaining why this was not correct.
>
> But it isn't correct. What you explained was simply that you can
> confine a process, and not have it do evil things. This doesn't
> change the level of confidence in the kernel or the program.
There are two ways to achieve confidence:

  inspection
  constraint

Because you know what kernel you are running, inspection is feasible, and higher confidence is possible than for downloadable code.

For downloadable code, inspection is infeasible, and the only realistic option is constraint. Unfortunately, POSIX isn't strong enough to achieve the kinds of constraint that are needed to have confidence that you are safe in the face of downloadable code.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
