[EROS-Arch] Installers

Bill Frantz frantz@pwpconsult.com
Mon, 26 Mar 2001 22:26:12 -0800


One question I have is what we expect to get out of the installation
process, and what default security properties we expect it to have.  For
example, if we use Jonathan's approach:

At 7:29 AM -0800 3/25/01, Jonathan S. Shapiro wrote:
>Phase 1 should of course be Turing complete as follows: what you load off of
>the installation image is a "pickled" image to be installed into a
>constructor. The constructor is built with this initial image, is handed any
>exceptional capabilities, and is invoked *once* by the installer. Its yield
>should be a capability that should be installed in some "directory of
>installed software".

Now what this constructor can do is instantiate a read-write capability
store which is shared by all instances of the program.  Each instance will
store any capabilities it receives or creates in this store and, for good
measure, give a capability to the store to any caller who knows the "magic"
password.

This ability makes me nervous.

The alternative of getting "no hole" constructors will probably be too
limiting, although it is otherwise quite attractive.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz       | Microsoft Outlook, the     | Periwinkle -- Consulting
(408)356-8506     | hacker's path to your      | 16345 Englewood Ave.
frantz@netcom.com | hard disk.                 | Los Gatos, CA 95032, USA
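
The sharing concern raised in the message above, as an added example that is not part of the original post and is not EROS code. It assumes a simplified model in which a capability is an object reference plus a read-only flag and any writable initial capability counts as a "hole"; Store, Cap, Instance, Constructor, holes, build and demo are hypothetical names.

```python
# Simplified model (an assumption of this example, not EROS code): a "hole" is
# any initial capability through which a yield could pass data to another party.
from dataclasses import dataclass, field

@dataclass
class Store:                          # the shared capability store from the post
    slots: dict = field(default_factory=dict)

@dataclass(frozen=True)
class Cap:
    target: object
    read_only: bool

class Instance:
    def __init__(self, initial_caps, password):
        self._caps = initial_caps     # everything this yield starts out holding
        self._password = password

    def receive(self, name, cap):
        # Stash each capability received in every writable store held.
        for c in self._caps:
            if isinstance(c.target, Store) and not c.read_only:
                c.target.slots[name] = cap

    def backdoor(self, password):
        # Hand the store capability to any caller who knows the password.
        ok = password == self._password
        return next((c for c in self._caps if ok and isinstance(c.target, Store)), None)

class Constructor:
    def __init__(self, initial_caps, password="magic"):
        self.initial_caps = list(initial_caps)
        self._password = password

    def holes(self):
        return [c for c in self.initial_caps if not c.read_only]  # writable = hole

    def build(self, require_no_holes=False):
        if require_no_holes and self.holes():
            raise PermissionError("constructor has holes; yield is not confined")
        return Instance(self.initial_caps, self._password)

def demo():
    ctor = Constructor([Cap(Store(), read_only=False)])
    a, b = ctor.build(), ctor.build()           # two instances, one shared store
    secret = Cap("client file", read_only=False)  # constructed sample value
    a.receive("client-secret", secret)
    leaked = b.backdoor("magic").target.slots["client-secret"]
    return leaked is secret, len(ctor.holes())
```

In this model the "no hole" policy corresponds to calling build(require_no_holes=True), which refuses the constructor outright because of its writable store.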