l4-hurd

Re: Changing from L4 to something else...


From: Yoshinori K. Okuji
Subject: Re: Changing from L4 to something else...
Date: Fri, 28 Oct 2005 14:55:24 +0200
User-agent: KMail/1.7.2

Hi Marcus,

On Friday 28 October 2005 02:07 pm, Marcus Brinkmann wrote:
> nice to see you around ;)

You know, I was the initiator of porting Hurd to L4. So I have a strong 
incentive to annoy you. ;)

> First, I have always claimed that what is good for security, is also
> good for robustness.  IE, what protects you against malicious code,
> usually also protects you against buggy code.  It is very easy to make
> mistakes if you are not paying attention.  Being paranoid forces you
> to pay attention.  I have a very specific example in my capability
> server design that I struggled with for a long time, until I looked at
> it from a security point of view and then things became _very clear_.
> IOW, being paranoid about security forces you to ignore short cuts
> that just don't work.

It makes sense.

> The other reason I am interested is that this is a compelling reason
> to build yet another operating system.  And we really need a
> compelling reason, as on just about any other ground, we will not be
> able to compete successfully with other systems like GNU/Linux, either
> because we don't have the resources or there is zero interest in it
> (because GNU/Linux is "good enough" or, *shudder* because Windows is
> "good enough").

Actually, I don't care about this very much. I share the same vision as RMS in 
this respect: the goal of Free Software is not the share. But I don't intend 
to impose this on you. If you can be more efficient with this view, I have no 
reason to stop it.

> If we have resource accountability, we give a user a certain amount of
> resources, and then we don't care anymore.  In fact, it makes sense
> then to not let the system administrator see what processes I run, how
> much memory they use, etc.  The resource accountability can work at a
> trust domain level.  Root doesn't care if I have 2 tasks using each 10
> MB, or one task using 1 MB and one using 19 MB, as long as I don't
> exceed my limit of 20 MB.

As for the memory, I agree. But some resources are exclusive in nature. For 
example, if one starts a player with horrible music on your computer, what 
do you want to do? One way is to mute the speaker. But, generally speaking, 
it is nicer to be able to kill it, isn't it?

> I do.  But here is another twist: I won't start an implementation
> before I don't have a realistic vision of what we are implementing.

I leave this kind of decision to you. After all, you are the maintainer, and I 
am the kind of person who respects maintainership.

Okuji



