l4-hurd

Re: The Perils of Pluggability


From: Jonathan S. Shapiro
Subject: Re: The Perils of Pluggability
Date: Mon, 10 Oct 2005 09:20:51 -0400

On Mon, 2005-10-10 at 14:33 +0200, Ludovic Courtès wrote:

> > Of COURSE it is! Running code without control where you don't know what
> > the code does isn't vulnerable? Who has been giving you these wonderful
> > drugs?
> 
> I am not under drugs.  Code is not being run "without control": if I
> install a plug-in for XMMS, TeXmacs, Emacs, etc., or a translator for
> the Hurd, _I_ must evaluate the risk of misbehavior of this code and
> take appropriate measures.  Same when I install an application, be it
> extensible or not.

Okay. So you evaluate. And you claim that you control. But you are an
expert user, and I think neither of us wants to design LudovicOS (or
ShapOS). Please explain what tools are available that your grandmother
can use to effectively control the consequences of her actions in
practice?

I do not say that your grandmother should be immune to responsibility. I
say that it is our job as designers to make exercising that
responsibility practical.

[Actually, I think designing LudovicOS could be interesting. No
protections anywhere. Just a black box, Ludovic, some toggle switches,
and a high-speed network port on the back. :-)]

> Likewise, I don't expect my OS to be able to tell me
> whether a given server really correctly implements the io/dir
> interfaces.

Probably not, but when you think you are talking to the local disk
drive, you probably *do* expect your OS to be able to confirm that you
are using the filesystem that you think you are using.

For what it is worth, the "identify" operation in Coyotos is only used
at a very low level in the layering of security functions.

shap




