[cap-talk] POLA focus seen as counter productive

Peter Amstutz tetron at interreality.org
Tue Jun 12 17:38:17 EDT 2007


On Tue, Jun 12, 2007 at 04:13:24AM -0400, Jonathan S. Shapiro wrote:

> > What sort of delivery do you believe would have been effective?
> 
> Absolutely anything that worked now and could be improved over time. It
> certainly worked for Microsoft.
> 
> But that was the right thing to do 15 years ago. Today, Linux has the
> benefit of overwhelming engineering investment performed over those 15
> years. It is no longer possible to deliver something "good enough" and
> iterate.

This sounds like the classic "worse is better" argument -- the ad hoc 
half-assed solution trumps the elegantly designed solution by virtue of 
being available sooner and becomes dominant in its area.

To introduce a new system in that sort of market, users need a bridge 
from their old system to your new one.  This may mean emulating the 
flaws in that old system, but alongside it you have the new, more 
secure/robust system.  The other strategy is to implement things 
entirely in userspace, port it to multiple operating systems, and hope 
people who build on your platform realize that it works better (more 
secure/robust) if they also use your operating system.

Amusingly, Java and .NET, despite being similar technologies, reflect 
these two distinct approaches.  Microsoft .NET provided a safer, easier 
platform while providing ways of achieving backwards compatibility with 
Win32 APIs.  Java by contrast created a new OS-independent userspace 
with the hopes of drawing users off of the proprietary Windows platform 
to the more neutral Java platform, and then eventually have a migration 
path away from Windows to Solaris or Linux.

All things being equal, creating a cross-platform runtime almost 
certainly requires fewer resources, and can leverage existing code more 
effectively.  The more subtle point, I think, is that a cross-platform 
runtime is more likely to succeed in its goals, in that interoperating 
with other services is more useful to more people, and will be able to 
build a userbase in a way that an emulation approach cannot.

It's also worth noting that hardware virtualization technology on 
commodity PCs is getting pretty good, making it possible to have several 
operating systems run side by side.  This allows the host OS to keep 
the unstable/insecure operating systems in a box and impose additional 
security restrictions, although it lacks the neat integration that an 
emulation solution could provide.

> > One thing about these sorts of issues, there is always time
> > to use hindsight for moving forward.  With my "hindsight" as
> > I note, my best hope for progress is in the network area - which
> > I hope will eventually trickle down to the OS level.
> 
> I actually think the network area is a lost cause, because it is a
> solved problem. There is this thing called CORBA...
> 
> Now CORBA isn't capabilities. It has no security story and so forth. But
> it is close enough to the capability story that customers generally do
> not understand the difference. They do not perceive any operational
> *pain* from CORBA. When they do, they will evaluate compatibility costs
> and conclude that they can continue to use CORBA and handle security as
> a problem of increased engineering effort.

I don't believe CORBA has anywhere near the influence that Unix or 
Windows have -- and I certainly wouldn't call network security a solved 
problem!

In fact, I think most of the interesting development right now is in 
middleware (distributed operating systems, virtual machines and the 
like).  This type of software puts pressure on both the underlying 
operating system layer and application layer to follow good design 
patterns that are known to be robust/secure/efficient.  A good example of 
this would be the X server, which as a sort of middleware for GUI 
services has had a direct impact on certain decisions made in the Linux 
kernel.

For the most part, distributed systems have yet to coalesce around 
standard, high-level general-purpose platforms above the level of 
TCP/IP.  The network protocols (and underlying data/computational 
models) to read a web page, check your email and play an online game 
have nothing in common, even though the applications run on the same 
operating system using common APIs.

I believe capability security is one piece in building a high level 
system that can unify distributed processing in the same way current 
operating systems unify the way individual applications share a single 
machine.

-- 
[   Peter Amstutz  ][ tetron at interreality.org ][ peter.amstutz at gdit.com ]
[Lead Programmer][Interreality Project][Virtual Reality for the Internet]
[ VOS: Next Generation Internet Communication][ http://interreality.org ]
[ http://interreality.org/~tetron ][ pgpkey:  pgpkeys.mit.edu  18C21DF7 ]
