I find it somewhat ironic that the only shell on NT I've found that supports NTFS streams is cygwin bash... Now if only I could figure out how to list the streams in a file.
Or is he suggesting that everyone should always make a copy of a document before editing it, just in case? Wouldn't THAT seem terribly unintuitive?
He's not suggesting the user do that. He's suggesting that the filesystem do that. Hell, VMS did that almost from day 1. All you need is a "revert" option for everything, have it pop up a timeline (outlook's timeline bar UI is decent for this, might need to compact it some) and pick the document the way it was at a particular time. The only trick is to pick discrete versions out when there's no explicit checkpointing option. Hiding the window (assuming "close" is obsolete) could be considered one checkpoint-worthy event. Mostly what you need is a good ability to drill down on versions and an interface that makes this easy (and that may be the hardest problem yet)
So by 5.0, MySQL's technology will have joined the 1980's, mostly. They'll "look" at other basic features. How about views for example? In Oracle, I can write stored procedures in java. In PostgreSQL, I can write 'em in perl. Both give me MVCC as well as traditional locking, not to mention packages, user defined types, views, and oh yeah, triggers. Referential integrity is not a damn boondoggle.
MySQL's a great sorta-SQL frontend to sleepycat, but I am sick unto death of hearing how everything should be moved to it. This sort of nonsense has real repercussions, when I'm forced to work with a blunt tool because of the "buzz" it gets that it simply doesn't deserve at all.
My emphasis was on "constitutional" more than "republic". In theory, it takes a whole lot more than a simple vote to override rights guaranteed by the constitution. Notwithstanding cynical asides about how federal statute pretty much disregards the constitution when it's inconvenient, it's SUPPOSED to take a rather concerted effort to pointedly alter the constitution, and require a supermajority of states to do so.
... did the abrogation of other people's rights become a matter of polling one's constituents? Look semitic? Practicing muslim? Now being searched and fingerprinted is official policy. Check out the wrong books at the library? Official policy to notify the authorities.
I don't give a tinker's damn that my neighbors said this treatment was okay, even if they outnumber me. A constitutional republic is not about two wolves and a sheep voting on what's for dinner.
That is perfectly valid C. On most systems, that will even link and run without complaint. Some systems with ancient preludes won't take it. Such systems generally won't like the perfectly valid int main(int argc, char **argv, char **env) convention either.
> Often, this is because of a misconfigured web server installation that doesn't recognize the .zip extension
Dude, let's imagine you're at a helpdesk. "This is because of a misconfigured web server"...
Bah. And why should the web server have to recognize every damn weird-ass type by file extension in the world? If they want to do it right, they should make the order configurable, e.g.:
* Use my local type settings
* Use the type given by the web server
* Use type __x-foobar/xyzstuff__
With the usual list widget and up/down buttons that lets you change the order of items. And why the hell not have /etc/magic type support in this handler configuration? CDE had this for eons in dtmail.
frm.USERNAME... vs: document.getElementById("USERNAME")... gee wiz, can I have MORE functions to be required to use, with no apparent benefit?
Plus, your example is simply wrong. getElementById scans the "id" attribute, not the name attribute, the latter being a necessary part of a form element. There's often multiple forms on a page that have elements with the same name (search forms with multiple search methods, for example). Basically, you need XPath to return a useful node with minimal syntax for scanning, and while I love the hell out of xpath, it isn't well supported because it's brand spanking new in DOM.
So you want people to use more syntax with less functionality to do the exact same thing. Huh.
This isn't a very good analogy. When you go to a non-dhtml web page, are you disappointed, or otherwise negatively affected specifically because they aren't using DHTML?
Well, yeah, I'd really like the filtering and sorting and thread grouping and so forth to be client-side on slashdot. Never gonna happen, because it ain't DHTML. Screwdriver? Damn newfangled inventions, why can't people be happy with this here hammer. Works for me every time, good old hammer.
The Navy's "smart ship" was running NT4, and it was their application that crashed when it threw an unhandled exception, while the rest of the system hummed along merrily.
The NSA is no longer developing SELinux. MS made 'em stop.
Bounties and cracking contests are complete snake oil, and have nothing to do with the security of software. That I may offer a $1000 bet on guesses on how much change is in my pocket says nothing about how much change is in my pocket (perhaps more than a thousand bucks though? yah right). It might motivate a few hackers to try for the prize. A bigger prize might motivate a lot more. But the prize itself is a handwave.
Dan writes secure code, and is a great fellow for giving it away, even if personality-wise he makes Theo look cuddly by comparison. It's also nice that he puts his money where his mouth is. But the prize is still meaningless. Hard facts like the demonstrable security of the libc replacement his stuff ships with are where I put my stock.
feh, if there's one thing i'd rather jump on it'd be slash's inability to edit remove your own comments (.5e has a good compromise system for this). i'm not following my own advice, and haven't given mason a look recently. just mod my comment down or ignore it or something...
really though, if i'm going to get into the land of web template engines again, it'll be writing custom taglibs for jsp. not my first choice of template engines, but it would have the advantage that i could just drop my taglibs into what everyone else is using, for better or worse.
> Uh, for almost every single thing you mention here there is a Mason equivalent.
Being church-turing complete, there's an unlambda equivalent to everything I mentioned as well. Why don't you look at TT2 before you leap to the defense of something I'm not even trying to attack. I certainly looked at Mason when looking for things to improve about TT2.
As a kid, I just sort of took it for granted that my big one-pixel adventurer could be eaten by a ravenous dragon duck, sit in the stomach of said satiated dragon duck that would get picked up by a bat that would carry the now airborne satiated dragon duck around and eventually impale the dragon duck on an arrow sword, leaving me alone, immobilized, and undigested in the belly of a grounded full dead dragon duck.
Myself and a friend wrote an operating environment with a windowing system in flash years ago. Multiple overlapping resizeable windows, each one running its own movie. Even got focus right. Couldn't trap the TAB key tho, which cycled focus through every single widget on the stage, including some ones off-screen that weren't supposed to ever be visible. Used LiveConnect to communicate with a java applet that extended its capabilities to include networking and so forth.
It's really damn difficult doing stuff like that in a language runtime that has no ability to block. With every thread of execution as a timeline and no real synchronization primitives, it was multithread hell. Worked tho -- except it had so much actionscript, it tended to run into weird idiosyncrasies of the Flash bytecode loader. Then there was the fact that LiveConnect was a buggy useless piece of non-reentrant crashy garbage. It was a proof of concept that complex stuff could be done in flash without using Director/Shockwave... but personally, I'd recommend using Director/Shockwave.
> So, what features and/or functionality in TT is so much better than Mason in your opinion?
The internals of TT2 are amazingly hackable, and provide one of the most useful examples of OOP reuse. It's like a textbook study in design patterns that work. For example, it took me only a few hours' hacking to subclass one class (I forget the name, it's been a while) to create mason-like search behavior for [% INCLUDE %]. Just syntax-wise, TT2 tends to look cleaner -- you don't have to have weird looking noise like <% } > ending all your blocks. You can even change the delimiters from [% foo %], e.g. the metatext %%foo%%, mason's <% foo %> or anything else you want, within reason (the parser can get confused).
Anyway, all those intangibles aside, TT2 is a complete language in its own right -- looks a bit like python, come to think of it -- so you can do even complex logic without embedding perl. When you do embed perl, you can simply 'print' in a perl block, and it will be output to the HTML (I wrote that part, though it's admittedly pretty trivial). In mason, you have to append to a string. If you need to really mess with the internals, you can embed [%RAWPERL%] blocks that are a straight eval. You can enable and disable PERL and RAWPERL blocks from the invocation, a nice way to set policy when using it in mod_perl.
TT2 has INCLUDE not just for files, but for BLOCK definitions as well. You not only can define blocks, but functions and macros in the TT2 language. You can include arbitrary perl modules and use them in the TT2 language. You can take the output of any block and filter it with user-defined processors using unix pipe syntax. With [%WRAPPER%] you can do a reverse-include, taking the current doc and including it as the value of a magic variable in another document. Variables defined in the TT2 language have lexical scope, and you can choose to include a template in a new scope with [%INCLUDE%] or in the current scope with [%PROCESS%]. TT2 even has some amount of OOP, with [%VIEW%] constructs, which are sort of blocks on steroids. I still haven't completely wrapped my head around views, and they're still kind of primordial at this time, but they seem to be aimed at Mason's strength: components.
Mason's component model is still superior to TT2, and I was writing a mod_perl system for TT2 that would have addressed that, but I haven't been too active with it lately (read: the year and a half or so). Mostly I've been pining for someone to port TT2 to python, actually. I don't see it as a contest of "Mason sucks, TT2 rules", I just have personal preferences, and would gladly like to see both systems giving each other healthy competition.
BTW, Slash uses TT2, though not nearly to its full potential.
Consider Template Toolkit instead. The above example transliterated looks like:
[% noun = 'World' %]
[% PERL %]
# perl ugliness, but there may be a tt2 split op. note cache means nothing like mason's cache
@{$cache->{time}} = split /[\s:]/, localtime;
[% END %]
Hello $noun,
[% IF time[3] < 12 %]
good morning
[% ELSE %]
good afternoon
[% END %]
Mind you, I'd have put it in variables in another block, so the message would look like:
Hello $noun, $greeting
I personally don't use the $foo syntax, and prefer [% foo %] instead, but TMTOWTDI in TT2. TT2's power just blows mason away, and it's not all that difficult to get it doing mason-like persistence things when you combine it with Tie::MLDBM.
99.9% of spammers interpreted that as nothing at all. I haven't seen any spam with ADV or any such permutation thereof hit my hotmail box at any time. Tagging messages is still a non-option -- it's costing millions in server space alone. The way they're sent, even single-store solutions like Exchange don't help. Now I'm seeing spams of 50K per message. Legitimize that in any fashion, and kiss bandwidth goodbye.
No Linux interface that exists today provides unified system usability.
Or for that matter, windows. KDE has its faults, to be sure, but Konq provides better integration than even Windows. In Windows, I can only see folders on the left pane in explorer. In Konqueror, I can at my option see files, and view all kinds of content, from HTML to text to postscript, in the right hand pane. I can rubberband a bunch of files in ftp and drag them to the desktop. The control center includes system management (to some degree), whereas in windows, you use a completely separate app, MMC. Granted, Windows is carrying along legacy cruft, and would probably make every control panel a MMC snap-in nowadays, but they don't even provide an adaptor.
The user experience on windows is pretty disjointed too. But I don't think Unix (it's more than Linux, folks) exactly has further to go than Windows. It's just broken in different places.
The problem is that the FILESYSTEM itself cannot allocate a smaller amount of bytes than, say, n. So, if you have a program that is n-1, it still takes up n bytes. So, it's really not all that practical in 99.999999% of uses (that includes boot disks.)
This is why you stuff them all into one file. Everything in FreeBSD's /stand is a hardlink to the same file (which is just big enough to fit on one floppy). Busybox has the same philosophy.
I saw an interesting e-mail the other day that proposed a solution to junk snail mail. Lots of companies send you junk mail with a postage-paid reply envelope, right? If you take that envelope and stuff it with unrelated junk mail from a different company, seal it up and send it on its merry way, the junk mailer pays the postage TWICE (once to you, and again back to them), you force them to sort through their mailbox just like you do, and you help out the cash-strapped U.S. Postal Service at the same time.
This is a myth, usually of the "tape it to a brick" variety. If you make it go over the prepaid postage amount, they will simply trash it.
But really, it needs to get out of the ivory tower and start giving us examples that work. The Confused Deputy is about compilation, sounds like it was an issue from a VAX box from the 80's, and not only is so utterly irrelevant to Joe User, it's not even all that terribly accessible a metaphor to people using gcc!
The erights folks are using more accessible examples (a web browser), but in their examples paint a picture of the land of popup hell, where every app has to ask to do every single operation. Write to one file, one popup. Write to another file, another popup. Open your address book, another popup. Experience shows that users click "yes" or "ok" on popup dialogs or whatever button they can just to make the damn things go away and make them stop coming back. My own mother would ask me, "how do I keep this from asking me these questions all the time?".
I know it doesn't have to work this way -- an installer can give an app a pre-set list of capabilities that one should be able to verify, log, change, audit, revoke, etc. Roles can be created out of capability groups to put some of the ease of ACL's back into the equation. But their own example stories don't even make that clear. It's ivory tower, all about security theory without an ounce of human factors other than "the user will learn" and some laughable user education story about POLA.
The average server is reasonably secure right now, since it performs dedicated tasks and is administered by what one presumes are trusted people. It's the desktop that's providing fertile ground for attacks. Thousands of infected desktops hitting one server, and well, wouldn't it be nice if those desktops were secure? They won't be if security doesn't take the human factor into account.
chroot(2) has been called a "jail" for longer than the jail(2) call has been around. jail(2) just generalizes the concept (though I'm not a fan of how they bound it to network interfaces instead of some other declared entity like a mount point or even a pseudo-device)
You seem to have your evils switched.
Pfff! And I wanted to have my aterm at a weird angle.
You want Fresco (nee Berlin nee Fresco, it's the amazing rubber name)
> Apparently many of those guys are now working at Remedy
... yah I think in HTML :)
First thing I thought was "damn, I can't think of a bigger mismatch than demoscene coders working for Remedy Corp"