[cap-talk] More Heresy: ACLs not inherently bad

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Thu Sep 18 19:50:28 CDT 2008


Jonathan S. Shapiro wrote:
> On Thu, 2008-09-18 at 20:10 +0100, Mark Seaborn wrote:
>> "Jonathan S. Shapiro" <shap at eros-os.com> wrote:
>>
>>> We are trying to run a source code repository. We have two classes of
>>> users of the repository: documenters and developers. We also have a
>>> class of administrators who determine which users are in which class (or
>>> possibly in both).
>>>
>>> The desired policy is:
>>>
>>>   1. All users in either group should have read access to all source
>>>      files stored in the repository.
>>>
>>>   2. In order to revise a file whose name ends in .c or .h, the user
>>>      must be in the developer group.
>>>
>>>   3. Similarly, in order to create a directory anyplace *other than* the
>>>      "doc" tree, the user must be in the developer group.
>> ...
>>
>> This should be straightforward to do with today's distributed SCMs.
>> You could have a system that pulls changesets from users' individual
>> branches into the main branch and accepts or rejects the changesets
>> based on whether they contain changes that the user is allowed to
>> make.
>>
>> Bazaar uses the term "gatekeeper" (http://bazaar-vcs.org/Workflows).
>> There are already gatekeepers that check whether tests pass or require
>> code review before merging changes.
> 
> Yes. But today's SCMs aren't at all easy to implement credibly on pure
> capability systems.

Why not? The approach that Mark Seaborn suggests (which is one of several
possible approaches) does not put *any* constraints on the access control
of the SCM implementation on each user's system. The overall policy is
enforced only by the gatekeeper, and that is application-level access
control that can express pretty much any policy, no matter how silly.

-- 
David-Sarah Hopwood
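A concrete sketch of the gatekeeper Mark Seaborn describes, written as an added example for this archive page; it is not code from the thread, from Bazaar, or from any SCM. It takes a changeset already pulled from a user's branch and applies Shapiro's three rules (rule 1, universal read access, needs no commit-time check). The group table, the `Change` representation, the treatment of adds and deletes of `.c`/`.h` files as "revising", the definition of the doc tree as the top-level `doc` directory, and the path-escape handling are all assumptions. The path normalization matters in practice: a naive prefix check would let `doc/../src/main.c` pass as a documentation change.

```python
import posixpath
from dataclasses import dataclass

# Constructed group membership. The administrators from the thread are whoever
# edits this table; the gatekeeper trusts it as input.
GROUPS = {
    "developers": {"alice", "carol"},
    "documenters": {"bob", "carol"},
}

SOURCE_SUFFIXES = (".c", ".h")


@dataclass(frozen=True)
class Change:
    kind: str   # "add", "modify", "delete" (files) or "mkdir" (directories)
    path: str   # relative to the repository root, POSIX separators


def normalize(path):
    """Collapse '.', '..' and repeated slashes; reject paths that escape the root.

    Without this, 'doc/../src/main.c' looks like a doc-tree change to a prefix check.
    """
    norm = posixpath.normpath(path)
    if norm.startswith("/") or norm == ".." or norm.startswith("../") or norm == ".":
        raise ValueError(f"path escapes repository root: {path!r}")
    return norm


def in_doc_tree(norm_path):
    # Assumption: the doc tree is the top-level 'doc' directory and everything
    # below it; creating 'doc' itself counts as creating inside that tree.
    return norm_path.split("/", 1)[0] == "doc"


def requires_developer(change):
    """Return a reason string if the change needs developer membership, else None."""
    path = normalize(change.path)
    if change.kind == "mkdir":
        if not in_doc_tree(path):
            return f"creating directory {path!r} outside the doc tree"
        return None
    if change.kind in ("add", "modify", "delete"):
        # Assumption: adding or deleting a .c/.h file counts as revising it.
        if path.endswith(SOURCE_SUFFIXES):
            return f"revising source file {path!r}"
        return None
    raise ValueError(f"unknown change kind {change.kind!r}")


def gatekeeper(user, changes, groups=GROUPS):
    """Decide whether to merge a user's changeset. Returns (accepted, reasons).

    The changeset is atomic: one disallowed change rejects the whole thing,
    and a user in neither group may not merge anything.
    """
    is_dev = user in groups["developers"]
    is_doc = user in groups["documenters"]
    if not (is_dev or is_doc):
        return False, [f"{user!r} is in neither group"]
    reasons = []
    for change in changes:
        try:
            reason = requires_developer(change)
        except ValueError as exc:
            reasons.append(str(exc))
            continue
        if reason and not is_dev:
            reasons.append(reason)
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed changeset from a documenter who also touches a header.
    demo = [Change("modify", "doc/intro.txt"), Change("modify", "doc/../src/util.h")]
    print(gatekeeper("bob", demo))
```

Because the decision is made entirely by the gatekeeper process holding the main branch, nothing about how each user's own SCM copy handles access control enters into it, which is the point of the reply above.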

