l4-hurd

Re: The gun analogy (Was: Design Principles)


From: Jonathan S. Shapiro
Subject: Re: The gun analogy (Was: Design Principles)
Date: Sun, 30 Apr 2006 19:50:58 -0400

On Mon, 2006-05-01 at 01:21 +0200, Marcus Brinkmann wrote:
> At Sun, 30 Apr 2006 18:22:05 -0400,
> "Jonathan S. Shapiro" <address@hidden> wrote:

> > Please explain why my comments about architecture and bullshit sophistry
> > are a misinterpretation. This would be welcome. I do not believe that
> > true confinement can be added to the system later in any practical
> > sense. Architecting it out is, for all practical purposes, banning it.
> 
> If that is the case, and it may be, then this reveals the aggressive
> nature of the mechanism, and it in fact raises the barrier for
> inclusion, because then the legitimation of the whole system would
> depend on the legitimation of this single mechanism.

I think that this statement is WAY too strong. There are *many* examples
of properties and behavior that are difficult to add to systems later if
they are not part of the initial architectural considerations. These
include things as basic as four digit years (as opposed to two digit
years). Surely you would not argue that this should raise the barrier
for including four digit years in the feature set?

And no, the legitimation of the system does not rest on the initial
inclusion of full confinement. Without this feature, the system may be
perfectly good at its original objectives.

However, it does seem likely that this is one of these properties that
is likely to be central to the design, in the sense that it is very hard
to retrofit if you decide to exclude it initially and it turns out you
were making a mistake.

The same was true of four digit years -- and if I may say so, the
decision to use two digit years was made under a structurally similar
argument:

  There was no demonstrated need for four digit years within the
  anticipated lifespan and anticipated uses of the system.

  There were reasons for excluding them (though I am not aware that
  there were moral concerns).

The problem is that systems live for a *very* long time, and the clear
absence of need in the 1950s and 1960s turned into a desperate need and
desperate panic in the late 1990s.

And yes, that fear in the 1990s was exaggerated. But I actually believe
that confinement may be more fundamental than four digit years. The
decision to include or exclude it changes the way we think about
architecting systems. Consider that POSIX has been around for a *long*
time, but it has not changed substantially since the 1970s, and shows no
sign of major overhaul in the foreseeable future. It seems likely to me
that the architectural implications of the confinement decision will be
similarly durable.

And of course, this may be a good reason to *exclude* true confinement
if you are correct in your assessment.

But it is certainly a reason to go very very cautiously, and to look for
a "least damage" solution to the problems that you are really trying to
solve. If we can make it work, I would prefer a system in which true
confinement was present at the start, but the mechanism for half-blind
holes is restricted.


shap
