l4-hurd

Re: Challenge: Find potential use cases for non-trivial confinement


From: Marcus Brinkmann
Subject: Re: Challenge: Find potential use cases for non-trivial confinement
Date: Tue, 02 May 2006 11:42:28 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Mon, 01 May 2006 21:21:02 -0400,
"Jonathan S. Shapiro" <address@hidden> wrote:
> For programs that are important enough and sensitive enough to justify
> the use of unconfined capabilities, this is a bug, not a feature.

Jonathan, to make this a productive and useful discussion, you must
listen very carefully to what I say, over the whole length of a
complicated discussion.

I have said many, many times that I am fine with encapsulation of
unconfined programs.  I have given two explicit examples: System
services and user-to-user communication.

Yes, a user should not be able to debug system services, or the
programs of other users.  In general, without any authority indicating
otherwise, I think that a program should only be able to debug its
direct children, or their descendants, but not its parents or
siblings.

It is important that you understand this, so please ask back if the
above is unclear in any way.

The reason that the above is consistent with my other beliefs is that
I do not think that a program needs to instantiate such unconfined
programs using its own storage resources.  They either already exist,
or they are instantiated by somebody else, using somebody else's
resources.

You think that there are important use cases where these design
patterns are not sufficient.  But we already are trying to find out if
this is the case or not in another thread.

> > The system
> > should allow debugging by default, and the user should not
> > involuntarily give up this right.  I believe it should be hard to give
> > up these rights,...
> 
> I believe you mean to say: the system should establish complete
> disclosure as the default, and should be goddamn close to impossible for
> any normal user to do anything about it.
> 
> I can picture the marketing slogan now:
> 
>       Hurd: Non-consensual Coed Naked *Everything*
> 
> Well, it will certainly be popular with 13 year olds until they figure
> out that they can't get any (ahem) photographic content without the DRM
> stuff enabled.

This is getting tedious and weary.  I am a very patient person, but
even that patience can be exhausted.  It is stretched by now.  Please
keep that in mind.  At some point you will have to decide if the side
attacks are more important to you than the parts of the discussion
where we still can be productive.

I am interested in getting to a point where we both at least
understand where we differ and what the actual core of the
disagreement is.  To get there, we both have to admit the possibility
that the world is complex enough to allow for such differences.  As
long as you keep insisting that my choice is based on irrationality or
absurdity, mutual understanding is not possible.

Thanks,
Marcus
