l4-hurd


Re: The Perils of Pluggability


From: Ludovic Courtès
Subject: Re: The Perils of Pluggability
Date: Mon, 10 Oct 2005 14:33:18 +0200
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/21.4 (gnu/linux)

Hi,

"Jonathan S. Shapiro" <address@hidden> writes:

> More freedom must be balanced against more vulnerability.

In that respect, GNU Emacs tends to be a counter-example, no?  There are
also many applications extensible in Guile, Lua, Python, Perl, or
whatever.  Just because these applications are extensible doesn't mean
that they can execute code behind the user's back.  So the user has no
excuse and is fully accountable for whatever vulnerability might be
exploited without his approval.  ;-)

> Of COURSE it is! Running code without control where you don't know what
> the code does isn't vulnerable? Who has been giving you these wonderful
> drugs?

I am not on drugs.  Code is not being run "without control": if I
install a plug-in for XMMS, TeXmacs, Emacs, etc., or a translator for
the Hurd, _I_ must evaluate the risk of misbehavior of this code and
take appropriate measures.  Same when I install an application, be it
extensible or not.

Of course, the more guarantees an OS can provide (such as a fine-grained
control over the resources used by a program), the better.  But there
are guarantees I do not expect from an OS.  For instance, I don't expect
my OS to guarantee that player X really flawlessly plays video in format
Z as it claims to.  Likewise, I don't expect my OS to be able to tell me
whether a given server really correctly implements the io/dir
interfaces.

> But it is also necessary. I do not propose that we give up
> extensibility. I propose that we architect systems in which the
> vulnerability that is inherent in extensibility is a manageable thing.

Agreed.

Thanks,
Ludovic.



