[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The Perils of Pluggability

From: Jonathan S. Shapiro
Subject: Re: The Perils of Pluggability
Date: Mon, 10 Oct 2005 09:20:51 -0400

On Mon, 2005-10-10 at 14:33 +0200, Ludovic Courtès wrote:

> > Of COURSE it is! Running code without control where you don't know what
> > the code does isn't vulnerable? Who has been giving you these wonderful
> > drugs?
> I am not under drugs.  Code is not being run "without control": if I
> install a plug-in for XMMS, TeXmacs, Emacs, etc., or a translator for
> the Hurd, _I_ must evaluate the risk of misbehavior of this code and
> take appropriate measures.  Same when I install an application, be it
> extensible or not.

Okay. So you evaluate. And you claim that you control. But you are an
expert user, and I think neither of us wants to design LudovicOS (or
ShapOS). Please explain what tools are available that your grandmother
can use to effectively control the consequences of her actions in

I do not say that your grandmother should be immune to responsibility. I
say that it is our job as designers to make exercising that
responsibility practical.

[Actually, I think designing LudovicOS could be interesting. No
protections anywhere. Just a black box, Ludovic, some toggle switches,
and a high-speed network port on the back. :-)]

> Likewise, I don't expect my OS to be able to tell me
> whether a given server really correctly implements the io/dir
> interfaces.

Probably not, but when you think you are talking to the local disk
drive, you probably *do* expect your OS to be able to confirm that you
are using the filesystem that you think you are using.

For what it is worth, the "identify" operation in Coyotos is only used
at a very low level in the layering of security functions.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]