l4-hurd

Execute without read (was Re: the deadly hypercube of death, or: handlin


From: Pierre THIERRY
Subject: Execute without read (was Re: the deadly hypercube of death, or: handling permissions)
Date: Fri, 28 Apr 2006 01:10:54 +0200
User-agent: Mutt/1.5.11+cvs20060403

Marcus Brinkmann wrote on 28/04/2006 at 00:47:
> > Wouldn't it be possible to be able to execute a program without
> > being able to read it?
> However, I don't know any actual use cases of this pattern that I am
> interested in supporting.  Quite the opposite: I find the use cases I
> do know morally objectionable.

In general, I think you should not decide to drop a feature only because
you find its uses morally objectionable. For two reasons:

First, you may not have envisioned some use cases that are not morally
objectionable, so you are voluntarily limiting users' freedom because
you just missed something. That's morally objectionable, at least. ;-)

Second, you should consider that the morally objectionable uses are part
of the freedoms of the users. That's precisely why free software doesn't
limit the use of software. And there are a bunch of people that would
surely not agree with you that all the uses you rejected are morally
objectionable, or that some that you enabled were indeed morally
objectionable.

I fully support the fact that you won't implement yourself some schemes.
But as an OS architect, you must not close doors to other implementers
of those schemes, at least for this only reason. Naturally, if it is a
burden to let the door open to some undesirable scheme, we don't have to
shoot ourselves in the foot for what we don't want.

> Your mileage may vary, but in the end this boils down to the DRM and
> Trusted Computing discussion.

Not sure. What about the following use case:

Alice and Bob are two students attending a software development course.
On the department's system where they both have an account, Alice wants
to let Bob try her first draft of the program they have been asked to
produce.

Either she knows Bob has difficulties, or they are in a fair
competition, and Bob is known to be quite honest but easy to tempt to
cheat. So she wants him to only be able to execute the program, not read
it.

> In brief: to support this, these programs would need to run on your
> resources, but without giving you the authority to inspect and debug
> these resources.

So it's not so trivial to implement, at least.

Doubtfully,
Nowhere man
-- 
address@hidden
OpenPGP 0xD9D50D8A
