Slashdot Mirror


User: Peaker

Peaker's activity in the archive.

Stories: 0
Comments: 1,299

Comments · 1,299

  1. Re:duh! on Winamp Alpha for Linux · · Score: 1

    fork() is not all *nix has got.
    There's also vfork() for performance, pthreads, etc.
    Under Linux specifically, there's clone().
    What can CreateProcess do that pthreads/fork cannot do portably?
    If this is not nil, what can it do that clone() cannot do?

  2. Re:Lisp - Scheme - ML on Ask Kent M. Pitman About Lisp, Scheme And More · · Score: 1

    Writing an interpreter is not quite equivalent to macros/reader macros. Also, implementing a LISP interpreter, with macros, reader macros and other LISP semantics will NOT be trivial in ML :)
    The resulting program you may have, if you write it, may be the winner-language, but that doesn't make ML the winner, as you won't be able to use it from within ML itself, it will be a separate language.

  3. Re:an interface like EMACS on steroids on Ask Kent M. Pitman About Lisp, Scheme And More · · Score: 1

    Well, I think that when designing an OS, you shouldn't yet worry about the shell you're gonna run. I also think that while it may be a good idea to ponder what language to use for the OS itself, it shouldn't really make a difference for the users of the OS, that should be able to use any safe language they want on top..
    The tweaking should still be possible, provided that the interface provided to safe languages is completely compatible between all safe languages.

    If the OS is modular/generic enough, one would be able to create emacs-on-steroids, or a simple *nix-behaving shell on top, and the OS designer himself should not worry about it :)

    I myself don't believe in *nix compatibility, btw, because *nix is bad news, and lack of such support will give rise to interesting new replacements :)

  4. Re:Lisp OS questions. on Ask Kent M. Pitman About Lisp, Scheme And More · · Score: 1

    capability based, orthogonally persistent,
    Ooh, an orthogonally persistent pure capability operating system, written in a safe language, is my long-term OS dream.. :)
    I also plan on writing an OS like that sometime.
    However, I don't believe this OS should be more than a basis for more work. For example, it shouldn't define that the text interface should be Scheme, or whatever, and it shouldn't enforce a specific language (LISP), but rather just allow any language that supports capabilities (unforgeable object references), and is safe (no unsafe manual memory management).

  5. Re:Lisp projects and success stories? on Ask Kent M. Pitman About Lisp, Scheme And More · · Score: 1

    Emacs is written in C??
    As far as I know, emacs has a small C core, basically just running an elisp interpreter, on top of which everything is written in ELISP..

  6. Re:Lisp - Scheme - ML on Ask Kent M. Pitman About Lisp, Scheme And More · · Score: 1

    Do you think that these advantages are fundamentally impossible to achieve in a typed setting?

    Common LISP has optional static typing, as far as I know..

    The advantages have nothing to do with typing.
    In LISP, one can write macros and reader macros to have Python, perhaps ML, or any other language run. This means that LISP encompasses all other languages through writing some macros, and is thus as powerful as them all, combined.

  7. Re:No, you should get your facts straight. on US Starts Attacking Afghanistan · · Score: 1

    Please, go and check the several UN resolutions regarding this matter. That is international law.
    Again, international law forbids murder of women and children.
    Arafat's support of terror is by no means valid resistance. NO TERROR IS VALID.

    Also there is one reason why the term "occupied territories" is used.
    Because they are occupied and they are territories?
    Israel didn't roam in there, it was forced in there by an attack from there.

    I will not mention Amnesty International. Oh! I did. Damn.
    Try looking at the whole picture, you seem to be blind to the most important facts:
    - UN division program, rejected by Palestinians, while Israel accepts it.
    - Israel being attacked by all surrounding arab countries in its inception.
    - Israel is attacked again and again throughout the years, defending itself while occupying strategic territories.
    - Israel signs peace agreements with Egypt, Jordan, and initiates a process with the Palestinians.
    - Israel makes an unprecedented offer to the Palestinians, to divide Jerusalem, return to 67-like lines agreeable on the Palestinians, but the Palestinians reject it with no offer of compromise of their own.
    - The Palestinians start the violence that gets hundreds of violent Palestinians killed, dozens of innocent Palestinians, and dozens of innocent Israelis.

    Try being a little more objective.

  8. Re:I don't think there is much to worry about.... on War: What Can Technology Do For Us? · · Score: 1

    I mean how many people really want to throw their lives away just to make an irrational point, that they know won't change anything for them, just make a lot of other people miserable.

    There are many hundreds just waiting to suicide on Israeli targets..
    Suicide bombings have been common in Israel since about '93 or '94..

  9. Re:Bullshit. See the facts. on US Starts Attacking Afghanistan · · Score: 1

    There is one place invaded.
    And why is that place invaded? Because that place attacked Israel, and Israel has no option but to remain there to protect itself from such attacks.

    The refugees come from one side of the conflict only.
    Obviously, as they have no country. Why? Because they refused the UN settlement of 47, dividing Palestine into Israeli and Palestinian territories, into two countries.
    The Israelis agreed, but of course you don't find that worth mentioning.

    Only one side is violating international law (with the support of a country that fights for international freedom).
    Oh really? Is it not against international law to murder innocent men, women and children?

    You should get your facts straight.

  10. Re:Ben Laden has a point, unfortunately. on US Starts Attacking Afghanistan · · Score: 1

    because, in fact, the constitution reads:
    "blahbalh... with full support and recognition of arab rights ... blahbalh"

    That's not the constitution, that's the declaration of independence, as well as some of the base laws that are somewhat analogous to a constitution.

  11. Re:Ben Laden has a point, unfortunately. on US Starts Attacking Afghanistan · · Score: 1

    "Sharon did horrible things in the past, but is now governing with completely legitimate means."

    So bin Laden should not be held responsible for the embassy bombings, or other past crimes then, since these things also happened 'in the past'?

    What? I don't see how you could have misunderstood me so badly. Sharon is NOW using legitimate means, and in the past has done illegitimate things. Assassinating murderers which are NOT dealt with by those responsible (Arafat) and cannot otherwise be handled - is as legitimate as murdering civilians is illegitimate.

    Sharon is responsible for the massacre of thousands of civilians, and should not, NEVER ever, be forgiven.
    What?? Sharon is directly responsible for the murder of dozens. He is accused of being indirectly responsible for not preventing the murder of thousands. That's not quite the same as murder, definitely not the same as proven murder. As a comparison, the secretary of the UN Kofi Annan is responsible for not preventing the murder of many thousands in Africa, yet nobody gives much of a damn.

    This argument is fucking depressing. Shooting children in the street is NOT preventing terrorism. It IS terrorism, and it spawns even MORE terrorism.
    Children are rarely harmed, and when they are, it's an unfortunate incident, that is inevitable when the only means you have is elimination of terrorists. This means that if other means could be applied, children wouldn't have to be harmed. Those other means are arrest and otherwise disabling the terrorists' ability. Unfortunately, only Arafat can do this, and he is not doing this, indirectly causing children to be harmed.

    "What would you do if every day several innocent civilians are murdered by gunshot terrorism, bombing-terrorism"

    This is EXACTLY what is happening to the Palestinians, EVERY DAY!

    No, it is exactly what happens to Israelis, every day. Palestinians who get killed are terrorists, or innocent civilians terrorists hide behind.

    Humiliation, murder, beatings, bombings, kidnappings, it goes on and on and on.
    Some Israeli soldiers are downright evil to Palestinians, and should be placed in jail: they humiliate and beat Palestinians. However, bombings, kidnappings, and 'murder' are methods applied against terrorists and terrorist senders, as Israel has NO other means against them, as they have Arafat's support.
    Another incident in which Palestinians get killed, is when they form large mob-assaults on Israeli soldiers. This is not a smart move and achieves nothing, as often the soldiers are pushed to a corner and have to shoot back.

    You need to check out the fucking bodycount!!! On one side of this conflict there are children, armed with rocks, and a pitiful few dangerous fanatics, and on the other side the world's like 4th largest, and without a doubt most brutal, army, armed with the most terrible weapons imaginable. Who's the bigger terrorist, you think?
    The fucking bodycount is explainable and normal, when considering the nature of the mob attacks and the way terrorists hide in civilian locations, endangering their surroundings. It's also the fact that at least 4 large organized networks of terror are operating in order to form large terror strikes - and Israel is acting against them all: obviously resulting in many killed. If their terror fails and they kill few civilians - that's a good thing.

    Israel is a criminal state, with a criminal, racist, constitution.
    That's a funny claim, as Israel does not have a constitution. Israel does have base laws which are somewhat analogous to constitutional laws. The set of base laws in Israel is one of the most humane and Democratic set in the world.

    There is ONE way to peace in the Middle East, and that is to start over. Clean the slate. Make a new Israel, based on equal rights, for ALL.
    This means coexistence between the Israelis and Palestinians, which was proven impossible, over and over.

    War will never ever bring peace. Repression won't either.
    This is why Israel wants to negotiate. Did you ever read what Israel is willing to give the Palestinians in Camp David? The Palestinians refused with no compromise of their own, and started the Intifada instead!

    Get your facts straight.

  12. Re:Israeli policies need re-evaluation on US Starts Attacking Afghanistan · · Score: 1

    Palestinians are not blameless, but let's face it, they react to a situation they are put in by Israel.
    Bombing dozens of citizens to death, or shooting at random people, is NOT a reaction. Not a justified one anyhow. Especially not when the other side is negotiating in attempt to better the situation (Just look at Barak's proposals in Camp David, etc.).

    How would you feel living in a refugee camp without a nation of your own?
    Pretty bad, but that doesn't mean I will blow myself on dozens of innocent civilians!

    How willing would you and your neighbours be to negotiate with an occupier who violates international law, demolishes your homes and cries victim at the inevitable backlash?
    I would be VERY willing to do anything to get me out of the situation, and negotiation is the ONLY way out of it.
    Terror is not a way out of it - it must not be, because terror may not prevail.

    Israel is the one to have accepted the Palestinian identity in the UN's division plan, and accept a situation of two states, one next to another. Guess what? The Palestinians refused and all arab neighbours attacked the newly created Israel.

    Later in 1967, Israel was under attack again, and as part of its defense, Israel conquered territories. These territories are until today known as the occupied territories.
    Bogus-ideology settlers settled in there, and built their homes. The Palestinians have terrorized Israel in attempt to force it out of those territories in the Intifada, various terror acts, etc.

    The response to these terror acts, often by unknown attackers, and sometimes suiciding attackers, is to demolish their homes, or act against their senders, in the sometimes only way possible in the circumstances: elimination.

    Israel was forced into the territories. Israel is forced in there, and cannot, must not submit to terror.
    What you are suggesting is submittal to terror, whereas the real solution is both sides achieving an agreement. Any other solution will not resolve the conflict, and violence will continue.

    Yet another misconception of yours is that separation is so easy. If Israel one-sidedly separated itself from the Palestinians, it would have to separate their separate territories from one another, thus requiring some way of allowing passage - which is a security hole for terrorists to use.

    Another issue is the fact Israel is supplying resources (mainly water) to the Palestinians and would have to cease doing this in such a solution, being worse off than now.

    And perhaps your largest misconception: the ball is in the Palestinian side: They are keeping the violence alive, Israel has TRIED to stop it, but it was simply continued by the other side. Submitting to terror is not the answer: Just look at what happened in Lebanon. In a much simpler situation, Israel left without an agreement, and then soldiers were abducted, and the citizens of the northern Israel are afraid for their lives in case of a terrorist infiltration.

  13. Re:Where's EROS? on Niche Operating Systems · · Score: 1

    Oppcos is not directly related to EROS, but is very much inspired by its model.

    Its plan is to create a simple and functional system, that can later be improved in terms of performance or low-level design. To achieve this, it will provide a high-level programming interface through layers of libraries, allowing the internal system structure to 'violently' change, as many low-level design decisions knowingly select simplicity over sanity/good-design.

    The idea of simplicity above all as the first implementation stage, is inspired by Linux 0.01's success in its achieving functionality, and recruitment of developers.

    Oppcos's lack of documentation is a direct result of the fact it is written by one programmer (me) with only weekends to work on it, making it quite unreasonable to spend this time writing docs, rather than coding :)

    Oppcos is really just an educational/fun experience, or I'd better spend my time working on the EROS code base.

    The operating system design I truly believe in, is a Vapour-like one, whereas I still like the EROS-like one, for the purpose of running unsafe languages in a secure, sane environment.

  14. Re:God help them (a reply) on US Starts Attacking Afghanistan · · Score: 1

    2) On the argument someone said that it's just another reason to separate church and state: Why? Do you want all atheists in power? Oh wait, atheism IS a religion in a sense. The point is, there is no such thing as separation of church and state.

    If Atheism is a Religion, then Health is a Disease.

  15. Re:Ben Laden has a point, unfortunately. on US Starts Attacking Afghanistan · · Score: 2, Interesting

    Sharon did horrible things in the past, but is now governing with completely legitimate means. When Palestinians die, it's almost always due to some anti-terror act, meant to prevent the next bombing of dozens of innocent people.
    Cease the one-sided view of Israeli policies, and start looking at both sides: What would you do if every day several innocent civilians are murdered by gunshot terrorism, bombing-terrorism, and you KNOW who is behind it, but the Palestinian authority does NOTHING about it?

  16. Linux and WinNT/2K/XP on Is the Unix Community Worried About Worms? · · Score: 1

    Linux and WinNT/2K/XP have pretty much the same security models.

    That model is the ACL (Access Control Lists) model. No, I don't mean that in the NT sense, but the more general sense, of attaching some user permission data on every object.
    This model is a failure on the Windows platform, and what many *nix users fail to realize - is that it is a failure on the *nix platform as well.
    This model is far from the principle of least privilege, and code gets a LOT more privilege than it needs. Even the restrictions that are placed on programs are placed in fail-open ways using chains of error-prone conditionals, and often by the program itself, and it may fail to do so.

    What is the alternative, you ask?

    Pure capability systems. Mathematically provable systems that do NOT attach user lists to objects, and do NOT use error-prone if-conditional chains.
    Such systems allow implementing the principle of least privilege, they allow fail-close restriction of code, by handing it the exact capabilities it needs to run.

    Such systems also allow more fine-grained, more flexible security, AND with higher-performance, and more simplicity. They do all these WITHOUT having to trust the webserver or MP3 player software to place constraints on itself properly, and WITHOUT requiring a security-killer thing like a super-user for standard system operation.

    How do capability systems do all these great things, you ask? Well - they are simply a much smarter way for systems to operate. Instead of each process having a large set of actions it can request the OS to take, each process holds a set of 'capabilities' (Think of them as open file descriptors that are never actually open()'d or close()'d). Such capabilities represent access to a specific object. In order to communicate with another process, you need to hold a capability to talk with that process. If that capability includes the right to send capabilities as well, it means you can hand your capabilities to that other process, too. In order to play sound, you need a capability to write to the sound device.

    All of this is simply implemented as method calls on the capability object, much like a file descriptor. Some capabilities are implemented by the kernel, some by other processes, implementing high-level objects. The important thing about capabilities is that they are a necessary and sufficient condition to access an object.

    Capabilities provide for fine-granularity highly-flexible high-performance (the only test is that a capability is valid) security systems that are not only much more flexible, and faster, but are also PROVABLY MORE SECURE than ACL systems, and are much more powerful, and even simpler to implement correctly (consider the tests needing to take place, compared to the *nix way of the chained if conditionals required to see if a process is not restricted from some resource access).

    In summary, as long as we all use ACL systems, be those Windows or *nix, we should fear worms, viruses, and other security hazards.
    When pure capability systems get the attention they deserve, and we as users get running systems, we will be able to lay our eyes off bugtraq, and remove worry from our sysadmin heart :)

  17. Re:what's so hard anyways? on FreeBSD Ports for GNU/Linux · · Score: 1

    Why is step 2 there unless you also have to understand a lot of extra technical details about the system and match them to what the README says? And then start getting lots of lots of new packages, that are dependent on.. or not get them, and have it compile anyhow - with some functionality disabled due to lack of some library you didn't know it was beneficial to have..
    Not to mention upgrading this stuff later..
    In other words: a PAIN.
    Use Ports or apt-get, they really make things easier.

  18. Re:EROS? Vapour? Solutions without a problem? on BugTraq's Elias Levy Talks Security · · Score: 2, Informative

    This is because a web server has to have access to sockets...or how would it communicate via a network? Of course, from what you say EROS has the capability to restrict access to communication facilities. Of course, it is possible for a webserver to drop root privileges after binding to port 80. At this point it is restricted to accessing only those sockets which ALL applications/processes have access to. EROS may be able to go further and explicitly allow access to individual sockets, but that may be a disadvantage.
    You are missing the point. Sure there are tricks and trickery to make your webserver limit access to things, but there are fundamental problems in the *nix approach to such limitations:
    A) You trust the webserver to correctly limit access (fail-open), whereas in EROS you only give the webserver the access it requires (a capability to the specific port/etc).
    Even if the webserver is malicious, in EROS it's not a problem.
    EROS does NOT require a superuser or have such fail-open facility.
    B) In *nix boxen, the restrictions are placed and implemented as chains of if-conditionals (ACL-type security), which are very error-prone (as we all know by reading bugtraq) and very hard to debug, and about 15 if's in a chain are required if you want to get close to correspondence to the principle of least privilege. In EROS, keys identifying objects and the rights to access them are held by processes, and a single test is required for every activation of a facility (if(key-is-valid) ...).

    This is because a web server has to have access to sockets...or how would it communicate via a network? Of course, from what you say EROS has the capability to restrict access to communication facilities. Of course, it is possible for a webserver to drop root privileges after binding to port 80. At this point it is restricted to accessing only those sockets which ALL applications/processes have access to. EROS may be able to go further and explicitly allow access to individual sockets, but that may be a disadvantage.
    In EROS/Vapour/pure cap. systems, each process has a pool of capabilities it can use. A capability is a reference to an object, that allows accessing this object. The only test for an operation's execution is that the capability to operate it is valid. This is very safe, and can be mathematically proven. Try to mathematically prove *nix boxen if-conditional chains.

    And none of these systems are proven as the original AC commenter was trying to suggest. While some things are provable secure (as in theory can show that it is secure e.g. some encryption algorithms), sometimes the IMPLEMENTATION is flawed. Now since these systems were written by people in academia and are not in widespread use, no one knows how well implemented they are, even if they are SECURE CONCEPTUALLY.
    These systems are so much simpler, that implementing them correctly is much much easier.
    Making flaws in the security implementation of capability protection is much more difficult than flaws in the if-chains of *nix, and even if the implementation is flawed, it shall be fixed in a constant amount of time, as the security system is of a small constant size (the code implementing capabilities, that is), whereas in *nix, security is an ever-lasting huge pile of code that grows with the rest of the code, with new if-chains written for every new piece of code.

    One question I DO have is this: how does EROS have such fine grained control over EVERY SINGLE thing a process may do WITHOUT lots and lots of overhead? With thousands of processes in a system, ACLs could potentially grow to enormous sizes and incur long delays while verifying that the process has access to certain privileges. Nothing is for free. This is why the UNIX model is simplistic: because security cannot make the system unusable. If the system is too SLOW there is no point in having it at all. Getting rid of said system would be the ultimate security: nothing to break into...but would there be a point?
    This is exactly what you're missing! EROS does NOT use ACL's. ACL's are what EROS is fighting against and trying to replace. EROS uses the capability model, which is of HIGHER performance, of mathematically provable security, AND much more flexibility!

    And what about systems more archaic like: OS/390, OS/400, VMS? Don't they have the same ACL stuff as EROS (wasn't EROS designed as an improvement with os/390 in mind)?
    NO. Eros does NOT use ACL's. ACL's are the root of all security problems.

  19. Re:Most Secure Language on BugTraq's Elias Levy Talks Security · · Score: 1

    Functional languages are inherently inefficient and not "computer-scientific" (changing an array item is O(n), for example, instead of O(1)).

    Functional languages do NOT mechanically test the proof for correctness.

  20. Re:Defeating a single problem on BugTraq's Elias Levy Talks Security · · Score: 1

    The idea is that EROS, by design, cannot be broken into.

    If you break into a unix or Windows webserver - you have access to network sockets. You have access to the file systems. You have access to communicate with other processes. You have far more access than the webserver really needs. You can use this access to control the machine, and you can use this access to gain control of other processes.

    This is practically impossible in a pure capability system - where the webserver merely has access to read HTML's, get timer ticks, write to the system logger, and write to port 80. Break into the webserver - and you can corrupt the site's website. Break into any other process - and you get the little access that process required.
    In Vapour - you cannot buffer overflow the processes. You cannot generate any pointer/buffer-errors. There is nothing you can do to maliciously touch memory/code in any way not explicitly expressed by source. I would say this means loss of all hope of ever breaking into Vapour.
    These systems are not just better-implemented *nix boxen, they are fundamentally different.

  21. Re:Slashdotted... on BugTraq's Elias Levy Talks Security · · Score: 1

    Linux is interesting because the are so many groups exploring alternative security models: privileges, acls, subdomain, SELinux, etc.
    This can't be a serious effort without any exploration of Pure capability systems. To me, that is the obvious security model.
    Shapiro has done extensive work documenting it, and even proving related stuff (I'm not into the exact details of his proof, but he proved part of his EROS design mathematically correct). EROS is a pure capability system, and I hope that in the future, people will utilize it as the obvious security solution.

  22. Re:Most Secure Language on BugTraq's Elias Levy Talks Security · · Score: 1

    Python, LISP variants (CL, Scheme pop to mind), Smalltalk, and even relatively-safe C++ programming (never using C arrays, but rather using safe array classes such as vectors, etc.)..

    Perhaps a little offtopic, but I'm currently pondering a language where one proves his code correct via logic-code that is written side-by-side with the existing code, with mechanic(compiler)-testing of the proof, verifying it is indeed correct. This of course will not work for all programs, where low-level thread control is required, and proof of correctness is near-impossible, but mostly a side-effect-less style can be used (not completely functional though), allowing high-level control of threading, or sometimes avoiding threading altogether. Achieving 100% compatibility with a rather-simple mathematical specification of a server, guarantees the server will work for all cases and never fail. This is obviously useful for many other software fields.

  23. Defeating a single problem on BugTraq's Elias Levy Talks Security · · Score: 1

    and emphasizes that security is ongoing, not defeating any single problem.

    I agree this is true on *nix/Windows-like systems. But what about a system where every piece of code runs with a simple environment allowing it only the minimal privilege it needs? (EROS)
    What about a system that extends this idea further, and makes sure that all code is compiled from a safe language? A system with no buffer overflows or pointer errors/overruns? (Vapour)

    I believe that a system like EROS would make actual breakins/control of a distant computer practically impossible.
    I believe that a system like Vapour would make ANY remote malicious operation practically impossible, if implemented right.

    Note that if you break into an EROS system's web server and even if you get some of your code to run on the remote host - the worst you can do is read HTML's and distribute content on port 80 (or whatever ports the server had access to), but nothing else.
    You can't really get any malicious code to remotely run on a Vapour system at all.

    True Security IS defeating a single problem - that problem is the *nix fail-open design, and the lack of principle of least privilege. (In terms of security, Windows is a very similar design, both using ACL-type security, of attaching lists of "user"-based access to objects).
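
The model described in comments 16, 18, 20 and 23, as an added example that is not code from the commenter, EROS or Vapour: a toy kernel in which an ACL check lets a process name any object and looks up its uid, while a capability check only accepts a slot in the caller's own c-list. The `Kernel` class, all object names and the web server/logger scenario are constructed assumptions.

```python
from dataclasses import dataclass, field

READ, WRITE, GRANT = "read", "write", "grant"

class CapabilityError(Exception):
    """The slot is empty or the capability lacks the requested right."""

@dataclass(frozen=True)
class Capability:
    obj: str            # kernel object (or process) this reference designates
    rights: frozenset   # operations this particular reference permits

@dataclass
class Process:
    name: str
    uid: str
    clist: dict = field(default_factory=dict)  # slot number -> Capability

class Kernel:
    def __init__(self):
        self.objects = {}  # object name -> list of stored items
        self.acl = {}      # object name -> {uid: rights}, used by the ACL model only
        self.procs = {}    # process name -> Process

    def create(self, name, content=(), acl=None):
        self.objects[name] = list(content)
        self.acl[name] = acl or {}

    def spawn(self, name, uid):
        self.create(name)  # the process's mailbox, reachable only via a capability
        self.procs[name] = Process(name, uid)
        return self.procs[name]

    def _do(self, name, op, data):
        if op == WRITE:
            self.objects[name].append(data)
        return list(self.objects[name])

    # ACL model: the caller may name ANY object; the check consults its uid.
    def acl_access(self, proc, name, op, data=None):
        if op not in self.acl.get(name, {}).get(proc.uid, ()):
            raise PermissionError(f"{proc.uid} may not {op} {name}")
        return self._do(name, op, data)

    # Capability model: the caller can only name a slot in its own c-list.
    def endow(self, proc, obj, rights):
        slot = len(proc.clist)
        proc.clist[slot] = Capability(obj, frozenset(rights))
        return slot

    def invoke(self, proc, slot, op, data=None):
        cap = proc.clist.get(slot)
        if cap is None or op not in cap.rights:
            raise CapabilityError(f"{proc.name}: slot {slot} does not permit {op}")
        return self._do(cap.obj, op, data)

    def send(self, sender, channel_slot, cap_slot, keep=None):
        """Hand a held capability to the process behind a channel capability."""
        chan, cap = sender.clist.get(channel_slot), sender.clist.get(cap_slot)
        if chan is None or cap is None or GRANT not in chan.rights:
            raise CapabilityError(f"{sender.name}: cannot send over slot {channel_slot}")
        # The sender can attenuate (pass fewer rights) but never amplify.
        rights = cap.rights if keep is None else cap.rights & frozenset(keep)
        return self.endow(self.procs[chan.obj], cap.obj, rights)

def acl_reach(kernel, proc):
    """Objects the process could touch under the ACL model, by uid alone."""
    return {n for n, acl in kernel.acl.items() if acl.get(proc.uid)}

def cap_reach(proc):
    """Objects the process can touch under the capability model."""
    return {cap.obj for cap in proc.clist.values()}

def build():
    """Constructed scenario: a web server and a logger on one machine."""
    k = Kernel()
    k.create("docroot/index.html", ["<h1>hi</h1>"], {"www": {READ}})
    k.create("port80", acl={"www": {WRITE}})
    k.create("syslog", acl={"www": {WRITE}, "alice": {WRITE}})
    k.create("etc/passwd", ["alice:x:1000"], {"www": {READ}, "alice": {READ}})
    k.create("home/alice/notes", ["draft"], {"alice": {READ, WRITE}})
    web, logger = k.spawn("web", "www"), k.spawn("logger", "alice")
    html = k.endow(web, "docroot/index.html", {READ})
    port = k.endow(web, "port80", {WRITE})
    k.endow(web, "syslog", {WRITE})
    chan = k.endow(web, "logger", {WRITE})  # may talk to logger, may not grant
    return k, web, logger, html, port, chan
```

Comparing `acl_reach` with `cap_reach` for the same process shows the gap the comments call fail-open: the logger running as `alice` can reach `home/alice/notes` under the ACL model, while under the capability model it holds nothing until another process sends it a reference.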

  24. Re:Two words: Java and Desktop on Linux Development Call To Arms · · Score: 1

    Most non-geeks I show KDE to, think it looks much better than Windows. Often they ask "Hey where did you get that awesome theme for Windows?", on the default KDE appearance.

  25. Re:First, make software install easier on Linux Development Call To Arms · · Score: 1

    You suffer from the common ignorance most Linux users who are disappointed do.

    Your case seems lighter though, all you're missing is apt, and the nice frontends:
    kpackage, gnome-apt, aptitude, etc. (never requiring opening a shell, and automagically getting all required components, easily upgrading and handling all software management, much simpler than Windows actually).