Re: [ANNOUNCE] Introducing Codezero

[Sam Mason]

On Sat, Jul 25, 2009 at 07:36:11PM +0300, Bahadir Balban wrote:
> Having all capabilities maintained by the microkernel will add policy to
> it and inflate it, so it will somewhat deviate from a rigorous
> microkernel design. If you believe that to be more appropriate for
> maintaining security, it may be a reasonable tradeoff for you.
> 
> However, a significant goal in Codezero is to remain generic for
> building any OS core on top. In that respect, no OS specific policy is
> allowed inside. Keeping userspace capabilities in the kernel would be
> against that principle.

I keep getting the feeling that you've "missed" the point of
object-capability systems.  I'd recommend a read through the literature
available on it, say:

  http://www.erights.org/
  http://www.eros-os.org/
  http://www.cap-lore.com/

Coyotos is dead now, but the kernel design docs are still up and very
elegant:

  http://www.coyotos.org/docs/

Marcus and others (sorry for minimizing everyone else, it was Marcus
who was most vocal when I joined) tried *very* hard to make a l4 work;
maybe a fresh perspective was all that was needed, but it looked pretty
terminal at the time to most people.  I've had a look back through the
archives and the following looks like a nice early reference:

  http://lists.gnu.org/archive/html/l4-hurd/2002-12/msg00003.html

Jonathan Shapiro, of EROS and Coyotos, seemed to join properly here:

  http://lists.gnu.org/archive/html/l4-hurd/2005-09/msg00060.html

and the earliest I could find was:

  http://lists.gnu.org/archive/html/l4-hurd/2003-08/msg00000.html


The cap-talk mailing list is active and I'm sure would welcome any
questions you may have:

  http://www.eros-os.org/mailman/listinfo/cap-talk

-- 
  Sam  http://samason.me.uk/