Re: Changing from L4 to something else...

[Marcus Brinkmann]

At Fri, 28 Oct 2005 18:07:51 +0200,
"Yoshinori K. Okuji" <address@hidden> wrote:
> On Friday 28 October 2005 03:17 pm, Marcus Brinkmann wrote:
> As Jonathan presented a good answer for this, I show some more examples (I 
> can 
> think of more, if you want):
> 
> Suppose that you are working in a company, and you are considered as an 
> administrator of a shared machine. The machine has a 100GB disk. Since your 
> company is quite free, everybody likes to store as many movies as possible. 
> So you decide to allow each one to use up to 10GB, as it is used by 10 
> people.
> 
> One day, a customer asks you data processing, and you realize that it 
> requires 
> at least 20GB. Since everybody in your company wants to use disk space at 
> max, each one uses 9.9GB. So even if you remove all of your data, the free 
> space is only 11GB. Now you must find a way to make more space as soon as 
> possible. What do you want to do?

You put in another disk, and bill it to the customer.

Or, if you want a direct solution to the question, here is one way you
can go about it:

You subdivide the user's resources into "important data" and "scratch
space".  Thus, you give the user two resource capabilities (two
different "banks"). You promise your users that the "important data"
will not be revoked quickly.  You don't make the same promise for the
scratch space.

When the time comes you need more space, you destroy the scratch
spaces and replace them with smaller ones.

> Another one. You share a machine connected to the internet with your 
> girlfriend. Your girlfriend likes to take pictures and publish them with a 
> web server.
> 
> One day, she by mistake puts very shameful pictures in a public page, but she 
> realizes that after she goes for a trip. Since she is now in an extremely 
> inconvenient area, she cannot connect to the internet. So she needs you to 
> remove or hide them. But she suddenly forgets her password, and even the 
> location of the pictures precisely. You must find them by yourself. What do 
> you want to do?

I revoke the network capability for her session.

If she doesn't remember her password later-on, you will have to kill
the session anyway.

But here is the important thing: Of course you _could_ also implement
backdoors for the administrator into the user sessions.  This option
is there.  You can always make a system less secure by introducing
more capabilities.

The important thing is that you can also not do it, and choose the
"paranoid" scenario.  The reverse is not possible.  An insecure system
is insecure is insecure.

> > But here is my suggestion: If you want to become co-maintainer of the
> > Hurd, I will happily pull all strings I have to make it happen, and
> > promise that I won't interfere with what you want to do.
> 
> Bad joke. Being a maintainer is the worst thing I have ever experienced. 
> Honestly, I do not want to be *any* maintainer. Thanks to Free Software, I 
> can do whatever I wish to do without being a maintainer, as long as I am 
> interested only in technical things. So if someone wants to take over any of 
> my maintainer's tasks, I can give it away anytime. But I don't want any 
> more. :)

Well, it was worth a try :)

Thanks,
Marcus