l4-hurd

Re: Part 2: System Structure


From: Michal Suchanek
Subject: Re: Part 2: System Structure
Date: Wed, 24 May 2006 15:54:34 +0200

On 5/24/06, Marcus Brinkmann <address@hidden> wrote:
> At Wed, 24 May 2006 12:53:27 +0200,
> "Michal Suchanek" <address@hidden> wrote:
> > The constructor in Jonathan's systems is a powerful tool. It allows
> > running programs on user resources and trusting that they perform in
> > a certain way (cannot be tampered with).
> > This allows 'outsourcing' system (and other) services so that most of
> > them run on user resources and only a small and simple part resides in
> > the system.
> > This is central to most of the examples already mentioned, at least
> > those that can be specified enough to be considered valid. It makes it
> > possible to build very secure services much more easily than any other
> > system I can think of.
> >
> > I just want to ask how this design pattern is replaced in your
> > (recursive) system. It seems that just leaving it out will make the
> > system much less secure because building secure services will become
> > much harder.
>
> You are using the words "trust" and "security" several times, without
> saying who trusts whom and what you mean by security.  I don't want to

OK, I as an administrator would trust the system that I can set up a
program that users can execute but not modify its execution.
The security I gain by this is that the shared services that have to
run on system resources can be greatly simplified or removed
completely. The specific example that is probably of relevance to the
Hurd is networking. If you can run part of the bandwidth accounting on
user resources the shared scheduler can be simplified.
The other examples that you consider of less relevance are the
competition examples.
I believe that both the competition and the ping are examples of one
pattern that occurs very often in computing: some clients competing
for a shared capability. Access to this capability is regulated by a
service that does not allow direct access and does some verification
or accounting of the client access.
If some resource intensive computation has to access the capability it
has to be part of the service that regulates access to the capability
and use system resources for the computation. The constructors make it
possible to separate the computation so that it runs on user resources.
This looks more flexible and secure to me.

> be anal, but these discussions can not happen at a marketing-buzz
> level.  My suspicion is that the examples you are talking about are
> (intentionally) not supported in my design, and that we differ not in
> an assessment on what is technically doable or not, but on the
> objectives.  There are types of "security" which I am interested in
> supporting, and types of "security" to which I object.  Some examples
> that I have seen were on the fence.  For example, the ping example
> was a case where I think that we could very well agree on alternative
> mechanisms that achieve some of the goals you want without going all
> the way.  Note that one goal of the Hurd is to _reduce_ system code
> and to maximize flexibility.

I want to hear the middle solution for the above problem either
abstract or specifically for ping so that I can abstract myself and
see if it is able to solve the problem for other services. That is why
I ask.
I did not believe so but it really looks like you sidestep some
questions. Or what part is so unspecific that you think it is a
management buzzword question rather than a technical one? What do you
want me to explain in more detail?
How does your solution reduce code and maximize flexibility (is that
more than buzzwords)? As I understand the constructors they do exactly
that.

Thanks

Michal
