Re: The Indecency of Zealots

[Marcus Brinkmann]

Dear Jonathan,

I am very sorry that the discussion has taken the course that it has.
It was unnecessary and misleading.  It has nurtured miscommunication
and confusion instead of clarity and understanding.  I cannot turn
back the time by 24 hours and start anew, trying to find words to
express what I think without hurting you in the progress.  If I could,
I would.

I was always honest with you.  I told you from the beginning that I am
a strong supporter of the free software philosophy, and that I cannot
support DRM.  We agreed, back in last autumn, that we would work on
evaluating the technical requirements for implementing certain
security policies.  We said that we would try to find out what
security policies are adequate for the Hurd and if we can support
these security policies without also supporting DRM.  This was a
research agenda.  We were sceptical because the requirements seemed to
be the same.  However, I was completely open to exploring all
possibilities.

In the course of autumn and January, we had several discussions on
these topics.  I remember that in these discussions, I have
essentially expressed the same goals and opinions that I do today.
Specifically, we talked about virtualization, information hiding,
confinement properties, debuggability, and black box algorithms.  I
even remember that I mentioned to you that I think it is important
that a user can inspect and modify a program he is instantiating.  The
result of the three hour discussion was that you agreed to have a bit
in the constructor that would let the user do just that.  At that
point, I was not able to generalise, formalize, or in fact even defend
my thoughts, but the content was not different from today.

At that point, I also believed that there is a huge probability that
there are indeed important use cases for us to consider.  The apparent
conflict of possible goals (strong security policies on the one hand,
user freedom on the other) has caused me some deep concern, which I
shared with you.  Nevertheless, because your arguments in favor of the
design patterns were strong and interesting, I spent a significant
effort on understanding and exploring these use cases.  You have
helped me tremendously with that, and I am very grateful for that.

I have then proceeded to look more carefully at two particular use
cases in which I was interested, which were suid applications on the
one hand and the cut&paste protocol of the EROS window system on the
other hand.  I found alternative mechanisms that I consider "good
enough" for our purpose, and which do not rely on the confined
constructor mechanism.  This was mid-february, and after that I worked
on generalising the result of this analysis, but was interrupted by
other priorities than the Hurd.  If it had not been for the Eurosys
conference, where some new thoughts came up, I would still not spend
any time on the Hurd these days.

What happened last weekend is that I chose some words not carefully
enough, because for me they do not possess the strength that they
apparently had for you.  Here is an important clarification: When I
say I can not support something morally, then I allow, and expect,
reasonable people to disagree with me.  I do not consider my own moral
framework important enough to tell anybody else how they should live
their lives.  I do not condemn anybody for not sharing my moral
framework, and I certainly would never go so far as to claim that what
you have worked on to build in the last 15 years is immoral.  If this
was your impression, it is a very unfortunate and regrettable
misunderstanding.  For me, moral is not absolute, but deeply personal.

I truly apologize, because I have indeed spent so much thought about
these matters that I forgot how the word "moral" is casually used.  I
surely would have been able to find words that are less strong to
express what I am thinking, if I had considered the possibility that
the words I used could be so misunderstood.  I did not consider this,
and this is my fault.  In light of these explanations, I hope you can
see that when I express my own, very personal moral reservations, no
condemnation or other judgement on your work is entailed.

Because nothing I have said is to be interpreted as a statement about
your own work, in any way, I can also not possibly comply to your
request for a complete and immediate explanation of such a statement.

As you, I have been overrun by the dynamics of the discussion.  My
original attempts to contain them by withdrawing have failed.  By now,
just about any argument I can give, I have.  They are scattered all
over the place, and are not always expressed and substantiated
carefully, but I have not withhold anything substantial.  The only
thing that is missing at this point is the answer to how I address
specific use cases like the cut&paste protocol.  This overlaps with
the challenge I posted.

I should also say that my starting point is quite a different from
yours (and always has been).  You consider dropping the constructor
mechanism a radical change that requires justification.  From my
perspective, it is introducing the constructor mechanism that is a
radical change that requires justification.  I do not know how to
reconcile these two positions.

Best wishes,
Marcus