On Mon, 2006-05-01 at 01:21 +0200, Marcus Brinkmann wrote:
> At Sun, 30 Apr 2006 18:22:05 -0400,
> "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> > Please explain why my comments about architecture and bullshit sophistry
> > are a misinterpretation. This would be welcome. I do not believe that
> > true confinement can be added to the system later in any practical
> > sense. Architecting it out is, for all practical purposes, banning it.
>
> If that is the case, and it may be, then this reveals the aggressive
> nature of the mechanism, and it in fact raises the barrier for
> inclusion, because then the legitimation of the whole system would
> depend on the legitimation of this single mechanism.

I think that this statement is WAY too strong. There are *many* examples of properties and behavior that are difficult to add to systems later if they are not part of the initial architectural considerations. These include things as basic as four digit years (as opposed to two digit years). Surely you would not argue that this should raise the barrier for including four digit years in the feature set?

And no, the legitimation of the system does not rest on the initial inclusion of full confinement. Without this feature, the system may be perfectly good at its original objectives. However, it does seem likely that this is one of those properties that is likely to be central to the design, in the sense that it is very hard to retrofit if you decide to exclude it initially and it turns out you were making a mistake. The same was true of four digit years -- and if I may say so, the decision to use two digit years was made under a structurally similar argument: there was no demonstrated need for four digit years within the anticipated lifespan and anticipated uses of the system. There were reasons for excluding them (though I am not aware that there were moral concerns). The problem is that systems live for a *very* long time, and the clear absence of need in the 1950s and 1960s turned into a desperate need and desperate panic in the late 1990s. And yes, that fear in the 1990s was exaggerated.

But I actually believe that confinement may be more fundamental than four digit years. The decision to include or exclude it changes the way we think about architecting systems. Consider that POSIX has been around for a *long* time, but it has not changed substantially since the 1970s, and shows no sign of major overhaul in the foreseeable future. It seems likely to me that the architectural implications of the confinement decision will be similarly durable.

And of course, this may be a good reason to *exclude* true confinement if you are correct in your assessment. But it is certainly a reason to go very very cautiously, and to look for a "least damage" solution to the problems that you are really trying to solve.

If we can make it work, I would prefer a system in which true confinement was present at the start, but the mechanism for half-blind holes is restricted.

shap

_______________________________________________
L4-hurd mailing list
L4-hurd@gnu.org
http://lists.gnu.org/mailman/listinfo/l4-hurd