[E-Lang] ERTP-aware MintMaker

Mark S. Miller markm@caplet.com
Wed, 14 Feb 2001 16:43:07 -0800

To my knowledge no capability-based security program has ever been subjected 
to the kind of open public scrutiny Hal and Tyler have brought to this 
MintMaker.  Yes, just these few days have exceeded the entire history to 
date of open public scrutiny of capability programs, whether expressed in a 
capability language or built to run a capability OS.  Such scrutiny has 
often been applied to crypto systems, with great success, or with the 
security of established open source systems, like Linux, which happen to be 
ACLish.  Till today I could only look over at that and gnash my teeth with 
envy.  This is the only process that can ever give real confidence in the 
security of a system, if it is applied to a system that can be made secure.

I feel like today we have entered into that new world.  Besides making these 
particular programs secure, we will come to understand, through a publicly 
archived and re-reviewable process, what programming practices, patterns, 
and processes lead towards or away from danger.  It is often said that taste 
is a compiled form of a large bag of heuristics.  In general, our experience 
and the shared experiences of others shape our tastes of what makes a good 
program.  It is a form of deep look-ahead.  "If you do it this way, it will 
remain modular and smooth."  Modern programming taste has evolved over 
generations of time as ever more such lessons are compiled in.

We have now started down this path for capability programs.  This wouldn't 
have been possible without the open source process, which is to say as well, 
it wouldn't have been possible without y'all -- the participants of this 
list.  I am deeply grateful.