l4-hurd

RE: Challenge: Find potential use cases for non-trivial confinement


From: Christopher Nelson
Subject: RE: Challenge: Find potential use cases for non-trivial confinement
Date: Tue, 2 May 2006 13:08:22 -0600

 
> On Tue, May 02, 2006 at 10:05:23AM -0600, Christopher Nelson wrote:
> > > Any other part of the OS (and that's almost everything) can indeed
> > > be upgraded without a reboot.
> >
> > Lol. Okay.
> > So the TCB *isn't* the OS.  What's in the TCB?  Let's see... The
> > kernel, of course.  Probably the network stack (those are always perfect)...
> > Umm... Interface drivers for the keyboard and the mouse and my
> > newfangled widget....  Also... Let's see.. Oh yeah ALL the drivers for
> > untrustable hardware buses, which includes my network card, my video
> > card, my sound card... And of course, those are all gonna be perfect.
> >
> > My point is that the TCB includes stuff that needs updating, and may
> > need updating on a regular basis as bugs are discovered.
> 
> The TCB should be pretty stable.  New features are never 
> added (mostly because the TCB isn't the place where most 
> features are implemented).  Bugs may need to get fixed at 
> first, but the amount of bugs that are found per unit time 
> will decrease.  After some time, it should be pretty close to zero.

Do you have much experience with running a datacenter of any size?  Bugs
*never* approach zero.  Or at least, they do so very rarely.  We have to
patch so-called "core" software twice a month.  Ofttimes this includes
what would be considered part of the "TCB".  In the real world "should"
and "do" are very different.  I think it's a nice idea, and it will be
interesting to see how it works in practice.
 
> > Requiring a production server to have manual intervention for each 
> > update is just not feasible for large datacenters.
>
> It is a too dangerous operation to protect only by a password.

I agree with that.  


> > Maybe you feel that this is not an area that is of interest 
> to the Hurd.
> 
> Now you're being silly. ;-)

 Yes. :-D



