Re: The Perils of Pluggability

[ness]

Jonathan S. Shapiro wrote:
> On Mon, 2005-10-10 at 13:38 +0200, Alfred M. Szmidt wrote:
>
> In some cases this is true. In some cases it is probably less true than
> we would like to believe
>
> >   So: plugability is good, and necessary, but there are places where
> >   it is a very bad idea, and the proc server is a good example of
> >   where it is bad.
> >
> > I strongly disagree, me running my own proc server will not affect
> > anyone, unless they say that they trust my proc server.  And I cannot
> > tell the other user to trust it.
>
>
> The problem isn't really trusting your proc server. The problem is that
> any time I call a process *created* by your proc server I am trusting
> your proc server, and this means that I have to authenticate the process
> abstraction itself before I can call anything.

Why do I have to trust the proc server if I want to call a process? But
more in general: what you say might be true. You maybye will sometimes
not be able to do sth. as you don't trust a component. That's
acceptable. But most often (always?) programs don't have to care about,
as such operations will simply fail (imagine e.g. 2 processes usin'
different auth servers)

> All of these authentications are certainly possible, but in practice
> they are too hard a burden and programmers do not do them.
>
> Let me back up: what functionality is provided by instantiating a new
> proc server? Perhaps there is a design that can achieve this securely.
>
> shap

--
-ness-


--
-ness-