Re: Hurdish applications for persistence

[Jonathan S. Shapiro]

On Thu, 2005-10-13 at 12:30 +0200, Bas Wijnen wrote:
> On Thu, Oct 13, 2005 at 10:30:39AM +0200, Alfred M. Szmidt wrote:
> >    Alfred's confusion 
> > 
> > I have no confusion about the matter.  You want `paranoid security', I
> > want a usable system.
> 
> I want both.

I want a practically useful amount of control on my own machine. I can't
get it without the right primitive security mechanisms. This does NOT
mean that I want to implement any horribly invasive policy. Many of
Alfred's objections have historical merit, but he is failing to
distinguish between the need for fundamentally sound mechanism and the
need to avoid invasive policy.

Concerning the need to avoid invasive policy, I would say that for
general purpose systems he is right and that for some special purpose
systems an invasive policy is necessary and appropriate. There is no
reason why a microkernel should not support *both* very effectively, and
there is no reason why the majority of the code in those systems cannot
be common code.

Hurd is clearly in the general purpose camp, and I would strongly oppose
changing this. HOWEVER: Hurd currently does not provide adequate
foundations to let users exercise control. This, in my opinion, is worth
fixing.

It may be useful to compare SELinux to the Immunix confinement policy.
Crispin and I have exchanged a lot of ideas over the years. SELinux
requires constant tweaking, it is a pain in the ass, it breaks lots of
applications on every update, and it doesn't even *try* to address the
virus/trojan issue.  The Immunix confinement policy doesn't suffer from
any of these problems. The main flaws in the Immunix approach are that
they are constrained by application compatibility, and as a result they
are unable to apply the policy finely enough.

Immunix was recently acquired by Novel, largely on the strength of the
business that this policy let them develop.

shap