[E-Lang] ERTP-aware MintMaker
Jonathan S. Shapiro
shap@cs.jhu.edu
Thu, 15 Feb 2001 11:39:43 -0500
"Mark S. Miller" wrote:
> We probably do disagree over the priority of these two. From your note, if
> you had to choose, I suspect you'd make the opposite choice.
Actually, I don't think I could choose either over the other. The open
and public part is important for a variety of reasons, which you have
already enumerated. The rigorous and systematic part is equally
important. My take is that if *either* of these is missing you can only
have anecdotal confidence. Anecdotal confidence is certainly better than
nothing, but in the final analysis it is still based on allegation. I
think what I'm saying is that the *process* by which assurance is
achieved is quite important in determining the confidence one should
place in the result.
Basically, I don't think we can afford to give up on either of them.
Linux, for example, has been open and public for quite some time, and
there have been some fairly in-depth attempts to examine it from a
security standpoint. The only systematic one I know about was done at
NSA, and that one failed the "open and public" test.
I also hasten to add that there is an open question in the assurance
community about the impact that "open and public" can/should have on the
assurance process (i.e. how can it change to best leverage the "open and
public" angle). I would say that the dialog on this subject is still
ongoing.
Jonathan