Re: Supporting POSIX *users*

[Alfred M\. Szmidt]

   Okay. Please explain how to safely run a browser plugin when the
   plugin can write to anything in the file system.

Why must it not write anything in the file-system?  I fail to see the
point.  I'm using emacs for my daily work, it would be a pita if you
confined emacs to only allow touch some file depending on the frame or
buffer I'm using.

   >    Right, you want to secure your system by not making the wrong
   >    syscalls in your code?  And why do you think a hostile application
   >    is going to live by that rule?
   > 
   > And by not implementing the `evil syscalls', as I have said repetedly!
   > You cannot use a syscall if it doesn't exist.  That is what I mean by
   > don't call it, don't use it, etc.

   Cool. Please remove open(), socket(), [gs]etuid(), and fork() for
   starters.

There is nothing (fundamentally) wrong with open(), socket() or
fork().  getuid/setuid are simple to work around, which is done on the
Hurd (on Linux it is a syscall, we just wrap it around so auth is
happy and provide something similar, a bit to similar...).

   Seriously: I think you have not actually sat on a standards
   committee if you can say this.

And I think that you have missed the shalls/must bits in the standard.
There are lots of optional bits in POSIX.

   Alfred: you are simply wrong. And you have been pointed at the
   formal results that conclusively, mathematically *prove* that you
   are wrong, you have ignored them, and you persist in making this
   wrong assertion.

Sorry, but it is you who are wrong, you constantly refer to scientific
`proofs' that have no realition to reality.  I really don't care about
a 100% secure system, why? Because it isn't practical to implement.
In theory it is all dandy, but in reality it is a pile of unusable
crap.