[cap-talk] More Heresy: ACLs not inherently bad

Jonathan S. Shapiro shap at eros-os.com
Sat Sep 13 12:14:16 CDT 2008


On Fri, 2008-09-12 at 09:40 +0100, Toby Murray wrote:
> The way to start is to just install the software and all of its stated
> dependencies into the same namespace.

This assumes that the dependency set is fixed and that application
authors know their dependencies and will state them. Once gravity is
suspended, FTL travel becomes straightforward. Anybody who packages
things with RPM can tell you from experience that app authors generally
have no freaking clue what their dependencies are.

So in practice, your proposal devolves to:

  Install the software and hand it a very large common pool of transitively
  read-only authority because you don't know what subset it actually needs.

  For selected applications, be prepared to add individual authorities on
  an as-needed basis.

This is basically what I have in mind. In UNIX terms, the critical
enabler is the ability to run applications in name environments that can
be *quickly* constructed on a per-exec basis. Which is precisely what
Plan-9 lets us do.

> These obvious endowments could be specified as some sort of standard,
> e.g. FreeDesktop.org and incorporated into the various desktop
> environments.

I don't like the term "endowment" for this, because it assumes that this
is a one-shot activity. It isn't. That is not a conceptual objection,
just a terminology issue.


You are implicitly (and I think correctly) assuming a class of
applications that I will call "shells" that are trusted to enforce the
user's interests.


shap
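An added example, not code from this thread or from Plan 9: a Linux shell analogue of the per-exec name environment described above, built with util-linux unshare(1) in a fresh user and mount namespace. The common-pool paths, the `path:ro`/`path:rw` grant syntax and the function names are constructed for illustration; it assumes unprivileged user namespaces are enabled and that util-linux can remount a bind mount read-only inside one.

```shell
#!/bin/sh
# Added example (not from the cap-talk thread): hand a program a large
# read-only pool plus a few individually granted paths, in a namespace built
# fresh for this one exec. Assumes util-linux unshare/mount and that
# unprivileged user namespaces are enabled on this kernel.
set -eu

# The "very large common pool" every application is handed, transitively
# read-only. Constructed for illustration; tune to the distribution.
COMMON_POOL="/usr /bin /lib /lib64 /etc/ld.so.cache"

# pola_plan ROOT [GRANT...]: print one "op src dst" line per bind mount.
# GRANT is path:ro or path:rw, the "individual authorities added as needed".
pola_plan() {
    root=$1; shift
    for p in $COMMON_POOL; do
        if [ -e "$p" ]; then printf 'bind-ro %s %s%s\n' "$p" "$root" "$p"; fi
    done
    for g in "$@"; do
        path=${g%:*}; mode=${g##*:}
        case $mode in
            ro|rw) printf 'bind-%s %s %s%s\n' "$mode" "$path" "$root" "$path" ;;
            *) echo "pola_plan: grant must be path:ro or path:rw, got $g" >&2; return 1 ;;
        esac
    done
}

# pola_exec PROG [GRANT...]: apply the plan in a new user+mount namespace and
# exec PROG chrooted there. The program sees only the pool, its grants and a
# private /tmp; no /proc, /dev or network is set up, deliberately.
pola_exec() {
    prog=$1; shift
    root=$(mktemp -d)
    PLAN=$(pola_plan "$root" "$@"); export PLAN
    exec unshare -Urm --propagation private sh -eu -c '
        root=$1; prog=$2
        printf "%s\n" "$PLAN" | while read -r op src dst; do
            if [ -d "$src" ]; then mkdir -p "$dst"; else mkdir -p "${dst%/*}"; : >"$dst"; fi
            mount --bind "$src" "$dst"
            if [ "$op" = bind-ro ]; then mount -o remount,bind,ro "$dst"; fi
        done
        mkdir -p "$root/tmp" && mount -t tmpfs -o nosuid,nodev tmpfs "$root/tmp"
        exec chroot "$root" "$prog"
    ' sh "$root" "$prog"
}

# Run directly, e.g.: ./pola.sh /usr/bin/sort /home/alice/Documents:ro
[ $# -eq 0 ] || pola_exec "$@"
```

The grant list is the part that changes per application; the pool is the same for every exec, which is the "common pool plus as-needed additions" split argued for above.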
