l4-hurd

Re: Part 2: System Structure


From: Jonathan S. Shapiro
Subject: Re: Part 2: System Structure
Date: Tue, 23 May 2006 11:43:10 -0400

On Tue, 2006-05-23 at 13:49 +0200, Bas Wijnen wrote:

> Protection for programs which are about to get capabilities which must not be
> disclosed to the wrong parties is fine.  That is not what this is about.  This
> is about protection from the user who owns everything that's known to the
> program.  That must not be possible.  The user must be in complete control in
> such a case.
> 
> In particular, that means that when starting a sub-Hurd on a transparent space
> bank, it must not be possible that
> - A part of the sub-Hurd becomes opaque
> - A part of the sub-Hurd can see that it is running on a transparent (to the
>   parent Hurd) space bank.

Okay. Just so we are clear, there are two possible views about opacity,
and you are choosing one. The two possible positions are:

  1. The default should be translucent, but it should be possible for
     a user to choose to execute an opaque program.

  2. The designers should not allow the user the freedom of this choice
     in the absence of extensive new development effort, and therefore
     mandate that all banks be translucent.

It appears to me that you are choosing position (2).

Speaking on a purely subjective basis, I find this incredibly arrogant,
and I think that the users will too.

shap




