> Okay. Please explain how to safely run a browser plugin when the plugin can write to anything in the file system.

Why must it not write anything in the file-system? I fail to see the point. I'm using emacs for my daily work, it would be a pita if you confined emacs to only allow touching some file depending on the frame or buffer I'm using.

> Right, you want to secure your system by not making the wrong
> syscalls in your code? And why do you think a hostile application
> is going to live by that rule?
>
> And by not implementing the `evil syscalls', as I have said repeatedly!
> You cannot use a syscall if it doesn't exist. That is what I mean by
> don't call it, don't use it, etc.

> Cool. Please remove open(), socket(), [gs]etuid(), and fork() for starters.

There is nothing (fundamentally) wrong with open(), socket() or fork(). getuid/setuid are simple to work around, which is done on the Hurd (on Linux it is a syscall, we just wrap it around so auth is happy and provide something similar, a bit too similar...).

> Seriously: I think you have not actually sat on a standards committee if you can say this.

And I think that you have missed the shalls/must bits in the standard. There are lots of optional bits in POSIX.

> Alfred: you are simply wrong. And you have been pointed at the formal results that conclusively, mathematically *prove* that you are wrong, you have ignored them, and you persist in making this wrong assertion.

Sorry, but it is you who are wrong, you constantly refer to scientific `proofs' that have no relation to reality. I really don't care about a 100% secure system, why? Because it isn't practical to implement. In theory it is all dandy, but in reality it is a pile of unusable crap.

_______________________________________________
L4-hurd mailing list
http://lists.gnu.org/mailman/listinfo/l4-hurd
