Slashdot Mirror

Unix permissions just aren't fine-grained enough without having a veritable multitude of your "pseudo-files". Capabilities are simply better designed security - check out eros for a pure capabilities system (it is really, really, cool), or the Java 1.2+ security model (they call their hierarchical capabilities "permissions", but the prinicple's there). Everyone _knows_ that the (non-ACL) unix security model doesn't scale well. And ACLs are a bitch to maintain/admin. I would like a hierarchical groups kludge, personally (and that wouldn't be so hard to implement), but capabilities, particulalry hierarchical capabilties are the best solution overall, and have the advantage of being "provably secure" (within certain limits, and levels of admin competence, obviously)

True capabilities (as found in EROS or E) are completely different, more powerful, and older than the stuff that came out of the POSIX committee; it's unfortunate to see yet another article which confuses this issue.

Eros: in the process of doing just that.

-----
"People who bite the hand that feeds them usually lick the boot that kicks them"

For those of you suggesting that EROS may be the way for DARPA to go, you may be on to something.

Note this statement on the EROS website:

This research was supported by DARPA under Contracts #N66001-96-C-852, #MDA972-95-1-0013, and #DABT63-95-C-0073. Additional support was provided by the AT&T Foundation, and the Hewlett-Packard, Tandem Computer, and Intel Corporations.

Guess that either means that DARPA's gonna funnel more money into EROS, or that EROS wasn't up to some standard, and they're looking for a replacement.

Maybe someone should just tell them about OpenBSD, save some time and money.

Maybe someone shuld just tell Michael about EROS, a GPL'd x86 capabilities OS currently under development.

Read more on capabilities and why they're important to OS security. A capabilities system is relatively resistant to a lot of the big security issues that plague other types of systems. For example, even if buffer overruns do occur, the damage that can be done is very limited. This is a really cool project.

Maybe someone should just tell them about OpenBSD, save some time and money.

Maybe someone shuld just tell Michael about EROS, a GPL'd x86 capabilities OS currently under development.

Read more on capabilities and why they're important to OS security. A capabilities system is relatively resistant to a lot of the big security issues that plague other types of systems. For example, even if buffer overruns do occur, the damage that can be done is very limited. This is a really cool project.

OpenBSD is still based on the fallacy that affects unix and all clones. That you trust every program you run as much as you trust yourself. Ie security is done at a per account granularity.
Any program you run can do anything to every file you have write access to, and can also leak information by default to anyone on the internet. Not good. This means a very large trusted code base, which is a bad thing. The set of code which need to be trusted (ie the kernel and very few programs) should be as small as possible.

There are some approaches to improving security. Capabilty models look like the best hope for the future. This comment is too small to hold a reasonable explanation - take a look at http://www.eros-os.org .

Don't get me wrong, OpenBSD is a good firewall and general unix server platform, but its security model is limited by posix compliance.

Eros has some great white papers

What is a Capability, Anyway?

Where Capabilities Come From

Comparing ACLs and Capabilities

Eros has some great white papers

What is a Capability, Anyway?

Where Capabilities Come From

Comparing ACLs and Capabilities

Eros has some great white papers

What is a Capability, Anyway?

Where Capabilities Come From

Comparing ACLs and Capabilities

By the way both Linux and Windoze 2000 can suspend and restart, but without crash-recovery and there are some issues with X.(I have not tried it myself though)

The Playtpus SSD doesn't do much for me. My goal would be to speed system recovery in the case of someone kicking out the plug without going to the extremes of the EROS project, and without doing the damage to file system performance needed for conventional journaling file systems.

I agree. I also don't buy the argument "that unix is 20 years old, so it's crap"

e.g. Take your pencil. It's simple, intuitative, old, and it does the job. ;-)

BUT ...

All those thing are "MUCH" simpler then thousands of lines of code, all interacting with one another. There is a "simplicity" to a light bulb, or "wheel", that the complexity of modern software can't even come close to.

Unix isn't perfect (*no* OS is, since they are designed with different goals in mind - avoiding the "Jack of all trades, master of none" syndrome.)

I believe the orginal comment is in reference to "In the past 20 years of computing history, there are better architecture designs, and better implementations - sometimes an OS should be "shelved" and redone from scratch with them:
multithreading, protected memory, pre-emptive multitasking, virtual memory, etc, which is all "old" and "proven." (Didn't the *nix's pioneer a lot of this? ;-)

One area that *nix still has problems with, is with user security. How many systems have been compromised, because root ran some program, that was a trojan? Eros has some good essays, one a really slick security design called capability.

BeOS has a *really* NICE design. Is it perfect? We all know the answer for that: "No, but use the right tool for the right job. Yada yada yada."

*BSD, mmmm nice, clean, fast code, perfect for a router/web server. Windows, mmmm, latest games.

Nice counter-argument, BTW.

Cheers

I agree. I also don't buy the argument "that unix is 20 years old, so it's crap"

e.g. Take your pencil. It's simple, intuitative, old, and it does the job. ;-)

BUT ...

All those thing are "MUCH" simpler then thousands of lines of code, all interacting with one another. There is a "simplicity" to a light bulb, or "wheel", that the complexity of modern software can't even come close to.

Unix isn't perfect (*no* OS is, since they are designed with different goals in mind - avoiding the "Jack of all trades, master of none" syndrome.)

I believe the orginal comment is in reference to "In the past 20 years of computing history, there are better architecture designs, and better implementations - sometimes an OS should be "shelved" and redone from scratch with them:
multithreading, protected memory, pre-emptive multitasking, virtual memory, etc, which is all "old" and "proven." (Didn't the *nix's pioneer a lot of this? ;-)

One area that *nix still has problems with, is with user security. How many systems have been compromised, because root ran some program, that was a trojan? Eros has some good essays, one a really slick security design called capability.

BeOS has a *really* NICE design. Is it perfect? We all know the answer for that: "No, but use the right tool for the right job. Yada yada yada."

*BSD, mmmm nice, clean, fast code, perfect for a router/web server. Windows, mmmm, latest games.

Nice counter-argument, BTW.

Cheers

I agree. I also don't buy the argument "that unix is 20 years old, so it's crap"

e.g. Take your pencil. It's simple, intuitative, old, and it does the job. ;-)

BUT ...

All those thing are "MUCH" simpler then thousands of lines of code, all interacting with one another. There is a "simplicity" to a light bulb, or "wheel", that the complexity of modern software can't even come close to.

Unix isn't perfect (*no* OS is, since they are designed with different goals in mind - avoiding the "Jack of all trades, master of none" syndrome.)

I believe the orginal comment is in reference to "In the past 20 years of computing history, there are better architecture designs, and better implementations - sometimes an OS should be "shelved" and redone from scratch with them:
multithreading, protected memory, pre-emptive multitasking, virtual memory, etc, which is all "old" and "proven." (Didn't the *nix's pioneer a lot of this? ;-)

One area that *nix still has problems with, is with user security. How many systems have been compromised, because root ran some program, that was a trojan? Eros has some good essays, one a really slick security design called capability.

BeOS has a *really* NICE design. Is it perfect? We all know the answer for that: "No, but use the right tool for the right job. Yada yada yada."

*BSD, mmmm nice, clean, fast code, perfect for a router/web server. Windows, mmmm, latest games.

Nice counter-argument, BTW.

Cheers

Eros, unfortunately, doesn't look like it's actually going to arrive (at least not in a timely manner), but I've read several of the papers on capability-based security and they were all very interesting.

What do you think about Eros? What's your opinion (and your perception of the security community's opinion) about capability based security?

Thanks, Jeremy

• Berlin inherits approaches from Fresco and InterViews; this doesn't provide any ability to run any existing code.

  Your Gnome apps? Would need to be completely rewritten. Ditto for the KDE apps.

  Everything needs to get recoded using OmniORB, C++, GGI, and the Berlin libs.

  As a result, jumping to Berlin means losing all the GUIed applications that you might be running now, from StarOffice to GNOME to Netscape to KDE.

  If you run Berlin atop GGI atop X, then maybe you can run some of those concurrently...

• GNUstep has similar expectations of your adopting Objective C, DPS, and LibFoundation.

  It makes you jump through the hoop of applying DPS to everything, which will be quite wonderful for anything that should be WYSIWYG, and which may represent a big "who cares?" for other sorts of applications.

  It has the merit over Berlin that there may be some existing NeXTstep and OPENSTEP applications out that would be an "easy port away," and might have a bit more ability to play well with existing X apps.

Unfortunately, both suffer from the same daunting problem that in order to make them useful, there's a whopping lot of code that needs to be written. And they're pretty useless until both libraries, services, and applications get written.

GNUstep is somewhat closer to usefulness, with the added merit that there are parts of it (namely the DPS services/libraries) that can be usable with other graphical environments.

In similar senses, Linux and the BSDs are not particularly "innovative," as they all "merely" represent Yet Another Unix Clone. In contrast, EROS is a truly innovative OS kernel design, but since building a user space to go along with that is daunting, practically nobody uses EROS.

Innovation is pretty cool and all, but I'm just not sure that it actually represents something deployable.

> What is your opinion of the "capabilities" model of security, as implemented in Linux

Here's my opinion: Linux capabilities aren't. You want real capabilities, check out EROS.

I hope those toilets run a secure capabilites-b ased system like EROS or TUNES

I hope those toilets run a secure capabilites-b ased system like EROS or TUNES

I hope those toilets run a secure capabilites-b ased system like EROS or TUNES

A couple links to throw your way before the rest of you start spewing all the grandios wonders of the ACL systems. BTW, NT's ACL lists don't fit the bill anyway. I've worked with them, and they're a pain in the behind.

• EROS OS Essays on Capabilities Systems
• Linux Intrusion Detection System

EROS has some serious potential, folks! And if you want serious Linux security, look into LIDS...

The /dev/random patch in the kernel. Neatest idea I've never seen.

reiserfs. It has some pretty new and interesting concepts in filesystem design.

My StreamModule system. Not at all a derivative of some non-free system.

Rogue, Nethack, Angband. Completely original in their time, and still leaps ahead in terms of gameplay than any commercial alternative.

emacs. It was originally free software. One of the first visual editors.

BIND. Sendmail, Apache is derived from the first (free) webserver. Netscape, derived from the first (free) web browser. Mosaic, the first web browser.

Eros, a totally new concept in how an OS should handle security and persistence.

Practically every new and innovative idea in CS came out as a piece of free software first before some company stole the idea from the public domain and tried to erect a fence around it using copyrights and patents to extort money.

Multics also had special kernel features for hot-swapping just about everything - again except the microkernel (called "hardcode") itself. But if your microkernel is small enough and enough well designed, replacing device drivers and other kernel parts becomes less of a problem.

> There is starting to be support for capabilities in Linux

Linux's so-called "capabilities" are a joke. They are nothing of the sort, they are just more acl bits tacked onto operations. You want real capabilities, try something like EROS. A true capability manifests as a visibility thing -- you can't call a forbidden operation if you can't even get a handle on it. A true capabilities system is a "thought police" model. You can't perform a forbidden operation because you just can't have that thought. You can't delete a file you can't touch. You can't open a device you can't see. Etc.

Capabilities can be rock-solid security, but they do have some problems, like revocation. The neat thing about EROS is that stack smash attacks can't gain any extra privileges, because they can't manufacture any extra capabilities -- you'd have to smash the kernel stack to do that.

So what do you think about the Spring and EROS papers? You have read the Spring and EROS papers, right?

$ cat < /dev/mouse

Berlin, a windowing system which has many of X's strengths (toolkit independence, network transparency) but few of its weaknesses (primitive framebuffer-based graphics model, bitmap fonts, no alpha channel, high bandwidth requirements).

Fiasco, a free microkernel which is a drop-in replacement for L4, used in several research operating systems.

$ cat < /dev/mouse

EROS will bounce back onto the desk you originally lifted it from!

Are there any environments you know about that are safer, or safe enough and faster?

Yes. EROS can run untrusted native code at full speed in a confined sandbox. Unfortunately it's still at the prototype stage IMO.

I for one welcome this shifty, greedy maneuver. If RAMBUS does manage to corner the market on volatile RAM technologies, then the computer industry will thrash around violently looking for a way out. And it will be about time.

We've become sloppy and trained to the notion that memory should be divided into segments varying by speed, size, volatility, and cost. We all spend months in college or in the field learning about the subtle differences between L1 caching, L2 caching, main memory, hard drive memory, ROM, and the trillion variations of RAM. We don't see the forest for the trees: this model of data management is the single most crucial hindrance to the advancement of computer science in our entire industry.

I for one would love to see a technology like the magram become viable through hard research and buckets of funding. Can you imagine the virtues of a system that could boast cheap, fast, large, and non-volatile memory in one consolidated chunk?

Imagine how intelligent an OS design such as the orthogonally persistent EROS operating system would become if the distinction between disk and memory were eliminated at low cost.

So, while I fear the short term repercussions of what it would mean for a company as shoddy as RAMBUS to gain broad control over the hardware market, in the long term such a development might just shake us out of our doldrums. Which can only be a good thing.

-konstant
Yes! We are all individuals! I'm not!

yea thats the problem with linux, if you get too complicated -- get too much stuff, you lose track of what you have and you can't keep everything secure. The fact that a simple program runs on your computer, can have an exploit that will give someone total access because it is root suid, is rediculous. That is why we should try a credibility system like the one in eros os. unfortunately, its not ready for real use yet. maybe we could avoid problems that made 2.2.16 release early.

Check out Eros for a surprisingly large amount of what you are talking about, plus extras like mathematically provable security.

First of all I would like to point out that the underlying cause of this is that Linux is moving towards having two security models. One is the traditional, "Root is GOD but can setuid" model and the other is "POSIX capabilities". This is a situation where an operation that should have worked under the old but which due to an oversight was insecure on the new. This may not be the last thinko of this sort. OTOH POSIX capabilities are an improvement on the old model so this is good in the long run.

Now why am I saying POSIX capabilities? Well here is a FAQ that goes into what is in the kernel. The traditional definition of capabilities are used by, for instance, EROS. This is incredibly secure. So when the POSIX standard was being developed for improving security by borrowing VMS' "privileges" they deliberately called them "capabilities" to introduce confusion and make people think they were better than they are. (Not that they are not an improvement on the old...)

Now the good sendmail folks have at this point every reason to believe that this particular thinko is likely not limited to Linux. Hence their check which they would hope will catch other current examples, and future ones if other people mess up. If they didn't do something like this then their (already pretty bad) reputation for security would get worse as they are an obvious target for taking advantage of setuid bugs.

Cheers,
Ben

Things people should be trying out include:

• VSTa
• Hurd
• MIT Exokernel
• SpinOS
• OSKit
• EROS
• Some variation on Wirth's Oberon systems

Even if you look at these, and go back to a UNIX-like system, there is benefit to seeing the extra abstractions they offer.

I'm not resisting "non-UNIX" things for the sake of them not being UNIX. Your conclusion that I am promoting "doctrinaire orthodoxy" comes from only half-reading the signature.

The point of the signature is that if you don't know the "orthodox," you are unlikely to do anything better than to merely replicate many of its features, badly.

It is also pretty fair to say that:

Any sufficiently complicated C or Fortran program contains an ad hoc informally-specified bug-ridden slow implementation of half of Common Lisp. -- Philip Greenspun

I think there should be a richer set of systems software research going on; people should be trying out EROS. People should be trying out And Hurd.

There should be work going on to provide OS environments supporting:

• Persistent data structures
• Garbage collected operating environments
• Filesystems with semantics going beyond the UNIX "bags of bytes."
• Security management using capabilities

Some of them will surely fail, and that's OK. Some of them may succeed, and that's a good thing.

One of the steps to allow people to actually learn from getting into system designs is to actually understand the systems that have come before.

In that light, it is not doctrinaire orthodoxy to consider that...

For a great new research OS, check out EROS, the Extremely Reliable Operating System. It is now licensed under the GPL, and it could just be the next great thing after Linux!

This operating system has some features which simplify and improve memory/disk usage and security. For one thing, it has persistent memory - it operates as a collection of objects in RAM, and is backed up every 30 minutes. There is no such thing as a "file" on the disk - just objects. Simple, eh? And you can boot up in about 30 seconds, right to where you left off.

Another nice feature is the capability security model. Most operating systems keep lists of who can access what files, or set blanket permissions on them. Usually a user can access whole groups of files and might easily be given permission to access something they shouldn't. Likewise, user processes are given the same access rights as the user, creating virus problems as we have seen with MS Outleak.

Instead, the capability security model gives keys to users and processes to act as permission to access the object in a certain way. The key is essentially a pointer guarded by the OS. Cross-system links can be implemented through CORBA. So the solution to the scripting virus problem is that you only give enough power to the script as you want it to have. If this script is supposed to be able to display something in a little window, or contact a web site for information, you might give it the power to do only that. No need to dole out blanket powers. Standard sets of powers for certain situations could be established to lighten the user's management burden.

If that isn't cool research, I don't know what is.

ReiserFS may be pretty cool stuff, but it hasn't led to really new things. There is the offer that it may allow constructing data structures reasonably efficiently via "hordes of tiny files," but nobody is really using that yet, and the "research" side of that is already reasonably well-understood.

For there to be real research out of something like ReiserFS would require that people start studying different ways of constructing (say) DBMSes by using the abstractions provided by the new FS.

It isn't really systems research for someone to construct a Linux emulation system to run atop EROS; what would be innovative would be to see what kinds of cool things that may have nothing to do with UNIX as we know it can be done with it.

The problem that he doesn't comment on, which seems to be an important flip side to the notion that Microsoft is a source of innovation, is that, during the 1990s, Microsoft did an impressive job of buying up top researchers, virtually closing down major systems software research groups:

• Hiring David Cutler and other VMS folk eliminated much of Digital's OS efforts
• Hiring Mach folk, notably Rich Rashid, essentially eliminated CMU and IBM's Mach-related OS efforts
• Hiring TP folk like Jim Gray , author of the wonderful book, Transaction Processing Concepts and Techniques, pulls considerable transactional expertise inside the Microsoft Hegemony
• Similar "pulls" have taken place with databases ( Paul Larson ), compilers (folks who worked on AST Toolkit ), amongst others

If people started doing some substantial work on exploring how to powerfully connect applications together using CORBA, that could represent some new work; unfortunately, the tools are still maturing, and the mappings to C and C++ kind of suck, at least for the purposes of generating dynamic applications.

Remember, Pike's criticisms aren't based on some vague notion that Linux is useless or bad; they are based on the notion that it's not particularly innovative, from a systems software research perspective.

If 90% of your effort represents dealing with the same old ordinary UNIX stuff, that would be largely familar to a UNIX hacker of the 1970s, then whatever you're doing can't be more than 10% innovative. Note his comment that around 90% of the effort in Plan 9, which was one of the more innovative systems of the last decade, represented efforts to honor external standards. That's a problem.

As an ex-Amiga user, I find that many of the "innovations" of microsoft are only innovations with respect to their own previous product line. I'm sure many mac and UNIX people feel the same way. (Beleive it or not, many amiga people simply assumed versions of MS windows prior to 95 had pre-emptive multitasking, simply because it was such a trivial feature of a usable system in their eyes, the amiga having had it since 1985. Many were thus very surprised when MS touted it as a big new feature of W95, similarly with the multiple clipboards of Office 2000 - the amiga having had them since 1985 too...)

Anyway, my point is Microsoft does not innovate. It brings other people's innovations into the mainstream. It is a "close follower", not an "innovator", no matter what their PR dept. say.

Also, I'd hardly say systems research is dead. EROS is a very promising pure-capability GPLd OS, Atheos was recently mentioned on slashdot, Exokernels are still in development, The Tao/Amiga Enivronment is new, and ground-breaking system.

If you ask me, Mr. Pike is either hopelessly out of touch or just spouting the MS line for money...

If this becomes available, EROS and other persistent OS'es would be easier to develop and/or better fitting to available hardware?

If these things were in 10-100GB class, maybe we could unify random access memory and traditional more-or-less persistent storage (read: hard disks). Especially considering 32bit addressing is being left behind, so you could simply have it mapped to memory.

On the other hand, that annoying javascript scroller on their front page seriously damaged their credibility in my eyes. Also, keeping in mind, most of these 'revolutionary storage technologies' never see day of light.

• Pricing.

  It is notoriously difficult to get pricing information for QNX.

  I have heard differing reports on comp.os.qnx, including that it is "very expensive, hundreds of dollars per system," or, on the other hand, the vague answer of "you can license it reasonably economically." (With no definition of what "reasonably economical" means, of course.)

• If people should start thinking of QNX, then they should also start thinking of:
  • VSTa

    A copylefted system that "lifts" ideas from QNX and Plan 9

    It looks like development has not been terribly active lately.

  • MIT Exokernel

    Again, not terribly active, but an interesting OS kernel.

  • EROS

    Eric Raymond thinks it's mindblowing, so the Eric Raymond Personality Cult should all be preparing to drop Linux in favor of EROS. (Of course, it isn't yet capable of self-hosting, which indicates that it's not all that useful at this point. But, to cultists, usefulness is irrelevant...)

  • Possibly even Hurd

    It's different from the other options; certainly not a tiny OS option...

  • eCos
  • RTEMS

    Which, like QNX, appears to be used in some reasonably critical system environments...

  • Fiasco

    Which is a "lighter microkernel than Mach"...

  • On Linux, people interested in QNX should almost certainly look at SRR -- QNX API compatible message passing for Linux

    This is the critical programming abstraction that QNX uses heavily which isn't all that widely used on traditional UNIXes, namely asynchronous messaging.

  These are all interesting alternatives, albeit not all being of identical levels of interest.

Wonder how that link from the word contact got in there ;-)

This idea of persistant memory is interesting when combining with something like EROS, which is designed to be a persistant system. I don't see how it works well for current systems - the article makes references to not having to wait for the computer to reboot if it crashes... Except with current systems, you'd need to reload a lot of stuff in RAM anyway, because it would've been corrupted by the crash...

I remember a little hack on the Amiga (Fastboot?) which was nearly instant-on. It dumped a copy of your memory to disk, and would just pull that memory image back into memory upon boot... So you could boot the machine in the time it took to pull owever many megs of RAM you had off of hard disk. It certainly had it's share of problems, but it was interesting to play with... Windows 98's suspend to disk mode is pretty similar, although I haven't actually played with that. Still, it certainly sounds like a nice technology for things like MP3 players and palmtop type computers, if nothing else.

> I hope these kids have a buttload of coders on board.. ACLs alone could take 18 months of serious coding..

I sure hope not. Capabilities address secuity in a MUCH cleaner way then ACL's do.

See:

http://www.eros-os.org/essays/capintro. html

Linux is not a good environment for viruses, but it's not impervious either. Even a half-assed capabilties system would greatly improve Linux virus security.

For example, how often do you use "su; make install"? That hands over full authority to do anything. It would not be all that hard to hide, say, literal strings of Perl bytecode in a deeply recursive make, that search all *.tar.gz|*.tgz files for just such a deeply recursive make and hide itself in the ones it finds (cryptic nonsense marked with cute yet unhelpful comments is nothing new to free software; if it was obfuscated to look like a cute piece of ASCII art, it might not even need to justify its existence as part of the project). Combine this with infecting key utilities, like gcc and make, and you've got yourself an annoyingly persistent and sneaky virus.

Even though it would be more useful to have a full capabilties system, like in EROS, a good "execute with permissions + limited capabilities" utility could prevent root-mode installation infections.

For example:capsdo -cu -wnf /usr/local/bin -cwd /usr/local/lib -c "make install"
meaning, run "make install" like current user (-cu), except that you can write new files (-wnf) to /usr/local/bin and create new directories to which it has full write access (-cwd) in /usr/local/lib (of course, it would require your root password to run). Not that this would be easy to write. It would have to sit between the app and the kernel, filtering actions.

Another way safety might be improved (at the admin level) is to create an "installer" group that has access to the "/usr/local" tree, and a new user in the group for each new installation; none of which gives write access for its files to any other user. A root utility could create and manage these psuedousers without bothering the admin. However, this would do nothing for holes like running SVGALIB games.

What you are describing is a capability system.

Take a look at EROS for a GPL'd example of this.

In particular, note the principal of least privaledge -- just because a program needs one small aspect of root's privaledges, doesn't mean it necessarily needs to be given all of them -- in practice, this gets rid of the root account per se., which is never bad where security is concerned.

Here's what people are saying.

Where is Unix going? There seem to be three religious sects:

• Several argue Unix popularity is growing from its decline in the 70's and 80's. There is no serious high end competitor, and its evolution will continue as long as people care about it.
• zlotnick points out, and I concur, that the Unix name will live on, even for an unrelated OS. Like Windows, Ethernet, and Office, the name is so prevalent that new and unrelated operating systems will still be called Unix.
• Several raise the option that Unix is not exempt from the universal truth: "This too shall change." Someday, its concepts will be replaced by a future we cannot see.

Aside from proclamations of adherence to these sects, some interesting comments include:

Mr. Slippery on the other hand, asserts Unix is basically static and optimized, with a few new gizmos now and then.

eries mentions UNIX is a way of organizing operating systems.

dsplat and jetson123 talk of UNIX's evolving features while maintaining backward compatibility.

jabber points out that Unix and other OS's evolve mostly from using each other's features.

Several people point out the ambiguity of "Unix". A philosophy, command line tools, GUIs, appications and even the organization of file system are candidates.

Others take the opportunity to cry to the heavens for mana:

• Christopher Thomas argues for iron clad authentification and validation in networks and for users.
• Several have asked for more distributed computing capabilities.
• Robin Hood mentions about EROS, a GPL without file systems.

My Religion

Now, for some words of my religion. Back in school, I remember reading of a truism from the 50's and 60's: Every time you make working with the computer twice as fast, people become four times more productive. Innovation is risky, and has high costs and profits. I believe in innovation, and am proud to have helped at CenterLine, JavaSoft, and others.

Before making new theology, let us consider our dogma.

Unix Dogma

• Installable Software: Several fiction books talk about software existing on physical medium that must be physically attached to your computer, like a rack of PCMIA cards or game cartidges. Sun's JINI works as devices come together to form the environment.
• File Systems: Persistent objects are shown to more understandable to users. Hierarchy is only one method of organization. Databases?
• WIMP: Windows-Interface-Mouse-Pointer is the accepted standard. Window managers that shrink but do not hide windows are about 50% faster for users. Voice, gesture, pen are having challenges. What else is out there?
• Processes: Processes run all on one box with client/server programs each being handcrafted. With LCOS (Liquid Crystal on Silicon) and wireless technologies, can we afford this dogma? Unix made many of its advances from making networking easy, though not transparent. How could a network computer run a distributed task without the application caring?

Progress in computer science moves slowly. My computer science mentor taught me that: a new thing must be ten times better to get others to use it. Being thirty percent better doesn't even raise eyebrows.

So what can we do that is truly amazing?

Charles Merriam
Independent Business Consultant
Sunnyvale, California

Considering the core of any unix system is a few hundred well-understood system calls, I believe that the future lies in unix/posix compatibility layers over some more advanced operating system (EROS for example). What fun to be able to easily compile and run old code and also explore new and better operating system concepts all in the same environment!

In unix, you can't know if running a program as root is a security problem without seeing the source to the program. An OS like eros uses a key system so that a program doesn't need to have unlimited access privilidges just to say, run in full screen.

EROS is hard to describe. It's capability-based and has orthogonal persistence -- and if that doesn't mean anything to you, I'm not going to be able to explain it much better. Check out the EROS project site and read the documentation. One thing this means that I can explain, though, is this: "snapshots" are taken of the current state of the system every five minutes. If the power goes out, the system is later restored to the last good snapshot. So you could have a text editor window open, never save your file, PULL THE PLUG on your computer and then plug it back it. Within 30 seconds (or however long your BIOS POST takes to complete), your text editor window is back on the screen, and you've lost no more than five minutes of work.

EROS is cool. I think it has potential to be the Next Big Thing. Check it out, download it (it's GPL'ed), play with it. Have fun.
-----
The real meaning of the GNU GPL: