[cap-talk] A comment on James v Jed
James A. Donald
jamesd at echeque.com
Mon Jul 9 22:53:18 EDT 2007
Jonathan S. Shapiro wrote:
> Subject changed primarily so that James receives this, and my suggestion
> is that neither James nor Jed should reply to this.
>
> James:
>
> Jed and I have had our disconnects as well. Invariably they are rooted
> in differing assumptions. Jed and I rarely come to agreement, because he
> and I tend to be looking at different cases with legitimately different
> outcomes. Our exchanges are sometimes pointed and frustrating.
>
> That said, I feel (and from private exchanges I think Jed agrees) that
> they are worthwhile. The reason they are worthwhile is that they tend to
> reveal what the differing root assumptions were, and *that* is fairly
> well priceless. Jed and I also agree that we both wish we could find a
> better way to navigate the email exchanges on occasion.
>
> So: I think it is possible that you are throwing away some real value.
> That being said, it is certainly your decision to make.
>
> On to your specific key statement:
>
>> the real world, where people
>> can and should write C++ programs with extensive access
>> to the net, to the user, and to system resources,
>
> If this is an accurate summation of your view, then capabilities are not
> for you. The primary value of capabilities lies in the ability to create
> *structured* systems. The type of system you are describing is (rather
> aggressively) unstructured. Unstructured programs are, in principle,
> indefensible.
>
> Nobody on this list will claim that these programs are going away any
> time soon, but we all hope that we can assist their demise with all
> deliberate speed. The more of them we write, the longer it will take to
> make computing systems survivable in the hands of normal users.
>
> It is not an objective of capability-based systems to favor such
> designs. In my opinion, the *difficulty* of creating such designs in a
> well-articulated capability system is one of the great benefits of
> capabilities. Creating that particular breed of irresponsible crap
> software is a decidedly unnatural act in a capability system, and it
> *should* be an unnatural act.
>
> I do not dispute the need to run legacy environments and programs. I do
> not dispute that people can and will and are actively encouraged to
> write crap unstructured software.

You neglect the middle ground - we not only need the capability to run
legacy software, but also to utilize legacy source code.

The question then becomes: What are the minimum changes from Single
UNIX Specification necessary to provide safety? In principle, it should
be possible to accomplish this with very little change in the program
environment - the major change being that any user mode program finds
that it appears to be the only program running, and that there are very
few files on the system other than its own files.
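
[Editor's note, not part of the thread.] The environment James sketches above, an unmodified POSIX program that finds itself to be the only process and sees almost no files but its own, can be built on stock Linux with nothing more than unprivileged user, mount and PID namespaces. The program below is an added example written for this page; it is not James's, Jed's or Shapiro's code and it is not taken from any capability system. The names run_isolated, self_check, RO_HOST_DIRS and the /app mount point are invented here, and RO_HOST_DIRS assumes a conventional glibc or musl directory layout. It confines files and process visibility only; the network is left alone, since the paragraph above says nothing about it, and a kernel or container policy that forbids unprivileged user namespaces makes run_isolated report ISO_UNAVAILABLE rather than silently running the program unconfined.

```c
/* Added example, not from the cap-talk thread.  On Linux, give an unmodified
 * POSIX program the view James describes: it is PID 1 of its own PID namespace,
 * and its root holds only its own directory (writable at /app), a private /tmp
 * and read-only copies of the host paths its loader needs (RO_HOST_DIRS is an
 * assumption about a conventional glibc or musl layout). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define ISO_UNAVAILABLE (-2)  /* kernel or container forbids unprivileged namespaces */
#define ISO_ERROR       (-1)  /* a sandbox setup step failed */
static const char *const RO_HOST_DIRS[] = { "/bin", "/lib", "/lib64", "/usr", NULL };
struct iso_args { const char *app_dir; char *const *argv; uid_t uid; gid_t gid; };

static int write_text(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    ssize_t n = fd < 0 ? -1 : write(fd, text, strlen(text));
    if (fd >= 0) close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Map our outside uid/gid to root inside the new user namespace; that is what
 * lets an unprivileged process mount and pivot_root there. */
static int map_ids(uid_t uid, gid_t gid) {
    char line[64];
    snprintf(line, sizeof line, "0 %u 1", (unsigned)uid);
    if (write_text("/proc/self/uid_map", line) < 0) return -1;
    if (write_text("/proc/self/setgroups", "deny") < 0) return -1;  /* required before gid_map */
    snprintf(line, sizeof line, "0 %u 1", (unsigned)gid);
    return write_text("/proc/self/gid_map", line);
}

/* Bind a host directory under the new root and remount it read-only.  In a user
 * namespace the remount must keep the source's nosuid/nodev/noexec flags or it fails. */
static int bind_ro(const char *src, const char *dst) {
    struct statvfs sv;
    unsigned long flags = MS_BIND | MS_REMOUNT | MS_RDONLY;
    if (mkdir(dst, 0755) < 0 && errno != EEXIST) return -1;
    if (mount(src, dst, NULL, MS_BIND | MS_REC, NULL) < 0 || statvfs(dst, &sv) < 0) return -1;
    if (sv.f_flag & ST_NOSUID) flags |= MS_NOSUID;
    if (sv.f_flag & ST_NODEV)  flags |= MS_NODEV;
    if (sv.f_flag & ST_NOEXEC) flags |= MS_NOEXEC;
    return mount(NULL, dst, NULL, flags, NULL);
}

/* Runs as PID 1 of the new namespaces.  Exit codes 101 and up mark setup
 * failures so the parent can tell them from the program's own exit status. */
static int sandbox_child(void *arg) {
    struct iso_args *a = arg;
    char newroot[] = "/tmp/iso.XXXXXX";
    if (map_ids(a->uid, a->gid) < 0) return 101;
    /* Keep our mount changes from propagating back to the host namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return 102;
    if (!mkdtemp(newroot) || mount("tmpfs", newroot, "tmpfs", MS_NOSUID | MS_NODEV, "mode=755") < 0) return 103;
    if (chdir(newroot) < 0) return 104;
    for (const char *const *d = RO_HOST_DIRS; *d; d++)   /* "/lib" is bound at "lib" */
        if (access(*d, F_OK) == 0 && bind_ro(*d, *d + 1) < 0) return 105;
    if (mkdir("app", 0755) < 0 || mount(a->app_dir, "app", NULL, MS_BIND | MS_REC, NULL) < 0) return 106;
    if (mkdir("tmp", 01777) < 0 || mount("tmpfs", "tmp", "tmpfs", MS_NOSUID | MS_NODEV, NULL) < 0) return 107;
    /* Best effort: with a private proc, ps and top show only this process tree. */
    if (mkdir("proc", 0555) == 0) mount("proc", "proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL);
    /* Swap roots and detach the old one so nothing outside stays reachable. */
    if (mkdir("oldroot", 0700) < 0 || syscall(SYS_pivot_root, ".", "oldroot") < 0) return 108;
    if (chdir("/") < 0 || umount2("oldroot", MNT_DETACH) < 0 || rmdir("oldroot") < 0) return 109;
    if (chdir("/app") < 0) return 110;
    execv(a->argv[0], a->argv);
    return 111;
}

/* Run argv (paths as seen inside the sandbox) with app_dir mounted at /app.
 * Returns the program's exit status, ISO_UNAVAILABLE or ISO_ERROR. */
int run_isolated(const char *app_dir, char *const argv[]) {
    static _Alignas(16) char stack[64 * 1024];
    struct iso_args a = { app_dir, argv, getuid(), getgid() };
    pid_t pid = clone(sandbox_child, stack + sizeof stack,
                      CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID | SIGCHLD, &a);
    if (pid < 0) return (errno == EPERM || errno == ENOSYS || errno == EINVAL) ? ISO_UNAVAILABLE : ISO_ERROR;
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return ISO_ERROR;
    return WEXITSTATUS(status) >= 101 ? ISO_ERROR : WEXITSTATUS(status);
}

/* What the confined program observes: it is PID 1 and the host's /etc is absent.
 * The current directory stands in for the program's own files. */
int self_check(void) {
    char cwd[4096];
    char *argv[] = { "/bin/sh", "-c", "test \"$$\" -eq 1 && test ! -e /etc/passwd", NULL };
    if (!getcwd(cwd, sizeof cwd)) return ISO_ERROR;
    return run_isolated(cwd, argv);
}
```

self_check launches the system shell inside the sandbox and lets it report, through its exit status, whether it really is PID 1 and whether the host's /etc/passwd has disappeared from its view. Two caveats a practitioner should keep in mind: the read-only remount applies only to the top of each bound tree, so submounts under /usr keep their own flags, and a setup error is reported as ISO_ERROR without distinguishing which step failed, which is enough for a demonstration but not for a production launcher.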