l4-hurd

Re: How to add confinement to the Hurd?


From: Jonathan S. Shapiro
Subject: Re: How to add confinement to the Hurd?
Date: Sun, 30 Apr 2006 19:56:05 -0400

On Mon, 2006-05-01 at 01:34 +0200, Marcus Brinkmann wrote:
> At Sun, 30 Apr 2006 18:24:19 -0400,
> "Jonathan S. Shapiro" <address@hidden> wrote:
> > 
> > On Sun, 2006-04-30 at 22:29 +0200, Marcus Brinkmann wrote:
> > > At Sun, 30 Apr 2006 20:29:28 +0200,
> > > Pierre THIERRY <address@hidden> wrote:
> > 
> > > > 2) If someone implements [confinement] will it be integrated in the
> > > > Hurd, even if disabled by default?
> > > 
> > > This doesn't even make sense if the issue were not contentious.
> > 
> > I believe that Pierre is asking "If someone implements it, will the Hurd
> > designers reject integrating it because of politics?" (Please note:
> > Marcus himself described this as a decision motivated by the politics of
> > ownership).
> > 
> > I think this is a perfectly legitimate question. What is your response?
> 
> You said in another mail:
> 
> > I do not believe that
> > true confinement can be added to the system later in any practical
> > sense. Architecting it out is, for all practical purposes, banning it.
> 
> I said, many times now, that I do not know a legitimate use case that
> is relevant to the GNU Hurd.  I have put up a challenge to find one.
> 
> Assuming that no legitimate use case is found, and that you are right
> that introducing this feature means a fundamental shift in the
> over-all system design, then the answer is clearly that the patch
> would be rejected for technical reasons, independent of any political
> evaluation.

Yes. I understand this. But it does not answer the question. Pierre is
asking whether your political objections are also decisive independent
of the technical argument.

You write that you do not know a technical argument that decisively
requires true confinement. We will certainly work to find one. But if we
*fail* to find one, this is an insufficient reason to reject such a
foundational mechanism. Even if other mechanisms can apparently achieve
similar results, those other mechanisms will not have the strength of
formal foundations that the confinement mechanism already has today. We
will be unable to reason about the correctness of those systems --
merely to get back to where we stand today with confinement in this
regard will be more than a decade of work.

Therefore, I would argue: unless there is an overwhelmingly compelling
reason to *exclude* true confinement, I believe that it should be
included. I do not want to lose 10 to 15 years of progress on verifiable
systems unless there is an overwhelming reason to tolerate this.


shap




