l4-hurd

Re: Supporting POSIX *users*


From: Alfred M. Szmidt
Subject: Re: Supporting POSIX *users*
Date: Thu, 27 Oct 2005 15:17:37 +0200

   >       open() -- assumes a universally shared, mutable store.
   >
   > Nothing wrong with that.

   There is.  It is possible to protect private data from becoming
   shared by malicious applications.  This is a good thing.  What you
   need for it is confinement: in that case, a hostile application
   which can read your private data cannot share it.  A universally
   shared mutable store makes confinement impossible, and therefore
   giving private data to potentially hostile programs dangerous.

I consider that an absurd level of paranoia totally unsuitable for a
system that you use on a daily basis.

   >         -- requires use of a known-ineffective access control
   >            mechanism
   >
   > How is a bitmask inefficient?

   ineffective.

Thanks, the question still remains unanswered though.

   >         -- most applications have no need to access the file
   >            system at all!
   >
   > So don't call it.

   Right, you want to secure your system by not making the wrong
   syscalls in your code?  And why do you think a hostile application
   is going to live by that rule?

And by not implementing the `evil syscalls', as I have said repeatedly!
You cannot use a syscall if it doesn't exist.  That is what I mean by
don't call it, don't use it, etc.

   But a system which only does parts of it is not a POSIX system.

Yes it is, POSIX doesn't mandate that everything must be implemented.

   If you still think so after what I just wrote, could you please
   explain?

I think I already have explained it.  Do not implement the broken
bits.

   I think Jonathan will not consider OpenBSD defensible. ;-)

Jonathan won't consider anything defensible other than EROS.

   Running untrusted code is useful, and people will do it anyway, no
   matter what the consequences are.  We can build an operating system
   which makes this acceptable, instead of highly dangerous.

We already have such a system.

   Let's do that.

Already done, POSIX.
