Dear Jonathan, I am very sorry that the discussion has taken the course that it has. It was unnecessary and misleading. It has nurtured miscommunication and confusion instead of clarity and understanding. I cannot turn back the time by 24 hours and start anew, trying to find words to express what I think without hurting you in the progress. If I could, I would.
I was always honest with you. I told you from the beginning that I am a strong supporter of the free software philosophy, and that I cannot support DRM. We agreed, back in last autumn, that we would work on evaluating the technical requirements for implementing certain security policies. We said that we would try to find out what security policies are adequate for the Hurd and if we can support these security policies without also supporting DRM. This was a research agenda. We were sceptical because the requirements seemed to be the same. However, I was completely open to exploring all possibilities. In the course of autumn and January, we had several discussions on these topics. I remember that in these discussions, I have essentially expressed the same goals and opinions that I do today. Specifically, we talked about virtualization, information hiding, confinement properties, debuggability, and black box algorithms. I even remember that I mentioned to you that I think it is important that a user can inspect and modify a program he is instantiating. The result of the three hour discussion was that you agreed to have a bit in the constructor that would let the user do just that. At that point, I was not able to generalise, formalize, or in fact even defend my thoughts, but the content was not different from today. At that point, I also believed that there is a huge probability that there are indeed important use cases for us to consider. The apparent conflict of possible goals (strong security policies on the one hand, user freedom on the other) has caused me some deep concern, which I shared with you. Nevertheless, because your arguments in favor of the design patterns were strong and interesting, I spent a significant effort on understanding and exploring these use cases. You have helped me tremendously with that, and I am very grateful for that. I have then proceeded to look more carefully at two particular use cases in which I was interested, which were suid applications on the one hand and the cut&paste protocol of the EROS window system on the other hand. I found alternative mechanisms that I consider "good enough" for our purpose, and which do not rely on the confined constructor mechanism. This was mid-february, and after that I worked on generalising the result of this analysis, but was interrupted by other priorities than the Hurd. If it had not been for the Eurosys conference, where some new thoughts came up, I would still not spend any time on the Hurd these days. What happened last weekend is that I chose some words not carefully enough, because for me they do not possess the strength that they apparently had for you. Here is an important clarification: When I say I can not support something morally, then I allow, and expect, reasonable people to disagree with me. I do not consider my own moral framework important enough to tell anybody else how they should live their lives. I do not condemn anybody for not sharing my moral framework, and I certainly would never go so far as to claim that what you have worked on to build in the last 15 years is immoral. If this was your impression, it is a very unfortunate and regrettable misunderstanding. For me, moral is not absolute, but deeply personal. I truly apologize, because I have indeed spent so much thought about these matters that I forgot how the word "moral" is casually used. I surely would have been able to find words that are less strong to express what I am thinking, if I had considered the possibility that the words I used could be so misunderstood. I did not consider this, and this is my fault. In light of these explanations, I hope you can see that when I express my own, very personal moral reservations, no condemnation or other judgement on your work is entailed. Because nothing I have said is to be interpreted as a statement about your own work, in any way, I can also not possibly comply to your request for a complete and immediate explanation of such a statement. As you, I have been overrun by the dynamics of the discussion. My original attempts to contain them by withdrawing have failed. By now, just about any argument I can give, I have. They are scattered all over the place, and are not always expressed and substantiated carefully, but I have not withhold anything substantial. The only thing that is missing at this point is the answer to how I address specific use cases like the cut&paste protocol. This overlaps with the challenge I posted. I should also say that my starting point is quite a different from yours (and always has been). You consider dropping the constructor mechanism a radical change that requires justification. From my perspective, it is introducing the constructor mechanism that is a radical change that requires justification. I do not know how to reconcile these two positions. Best wishes, Marcus _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
