On Thu, 25 Apr 1996, Bill Frantz wrote:

> At 10:47 PM 4/24/96 -0700, Rich Graves wrote:
>
> > code safely. I'm sorry, I'm just not interested in running untrusted code. Give me digitally signed code that I can trust, or for which the author can at least be held accountable, and I'll be happy.
>
> I, for one, am interested in running untrusted code. If I can run untrusted code, I can greatly reduce my exposure to Trojan horses and bugs. It bothers me that if I run Microsoft Word, it can trash my MacWrite
Both policies make sense in different circumstances; however, refusing to run unsigned code, even though it reeks of FUCKING STATISM, is easier to verify and harder to circumvent. We're experimenting with both approaches in Solid Oak (one classloader that rejects unsigned classes, another that works with the security manager to use the signed IDs to make policy decisions where necessary). That approach is the more flexible, but it remains vulnerable to flaws in the policy manager if it is somehow possible to do naughty things without going through the security manager. If you require even untrusted code to be signed, you at least have a target-id to send to blacknet for attitude adjustment.

One thing that could be retroactively added to the VM pretty easily would be the ability to add capability requirements to methods, and have the class loader automatically generate code to check for those requirements before executing the body of the method.

Simon

---
They say in online country          So which side are you on boys
There is no middle way              Which side are you on
You'll either be a Usenet man       Which side are you on boys
Or a thug for the CDA               Which side are you on?

National Union of Computer Operatives; Hackers, local 37  APL-CPIO
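An added illustration of the two ideas in Simon's reply, written for this page and not code from the original post or from Solid Oak: a policy that rejects unsigned code outright, and a per-method capability requirement that is checked before the method body runs. The `@Requires` annotation, the `Policy` grant table (standing in for real signature verification of the calling code) and the `FileService` interface are all hypothetical. Where Simon proposes having the class loader generate the check into the method itself, this example gets the same effect at the JVM library level with a `java.lang.reflect.Proxy` that intercepts each call, so it runs on a stock JVM (9 or later, for `Map.of`) without any class-loader changes.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

// Hypothetical annotation naming the capability a caller must hold to invoke a method.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface Requires { String value(); }

// Hypothetical service interface; only some methods carry a capability requirement.
interface FileService {
    @Requires("fs.read")  String read(String path);
    @Requires("fs.write") void   write(String path, String data);
    String version();   // no capability needed
}

// Plain implementation with no security checks of its own.
class LocalFileService implements FileService {
    private final Map<String, String> files = new HashMap<>();
    public String read(String path)               { return files.getOrDefault(path, ""); }
    public void   write(String path, String data) { files.put(path, data); }
    public String version()                       { return "1.0"; }
}

// Policy keyed by the signer identity of the calling code.  A constructed table stands
// in for signature verification: an identity absent from the table is treated as
// unsigned and refused entirely (the "reject unsigned classes" policy); a known signer
// is granted only the capabilities listed for it.
final class Policy {
    private static final Map<String, Set<String>> GRANTS = Map.of(
        "signer:acme-corp",      Set.of("fs.read", "fs.write"),
        "signer:unknown-applet", Set.of("fs.read"));

    static Set<String> capabilitiesFor(String signerId) {
        Set<String> caps = GRANTS.get(signerId);
        if (caps == null) throw new SecurityException("unsigned or unknown code: " + signerId);
        return caps;
    }
}

// Wraps a target so every annotated method is checked against the caller's capabilities
// before its body executes.  A class loader emitting this check into the bytecode
// would be the stronger design; the proxy models the same check without one.
final class CapabilityGuard {
    @SuppressWarnings("unchecked")
    static <T> T guard(Class<T> iface, T target, String signerId) {
        Set<String> caps = Policy.capabilitiesFor(signerId);   // unsigned code never gets a handle
        InvocationHandler handler = (proxy, method, args) -> {
            Requires req = method.getAnnotation(Requires.class);
            if (req != null && !caps.contains(req.value())) {
                throw new SecurityException(signerId + " lacks capability " + req.value()
                        + " required by " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();   // surface the target's own exception, not the reflection wrapper
            }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface}, handler);
    }
}

public class CapabilityDemo {
    public static void main(String[] args) {
        FileService backend = new LocalFileService();

        // Fully trusted signer: read and write both pass the check.
        FileService trusted = CapabilityGuard.guard(FileService.class, backend, "signer:acme-corp");
        trusted.write("/tmp/note", "hello");
        System.out.println("trusted read: " + trusted.read("/tmp/note"));

        // Signed but restricted: reads allowed, writes refused before the body runs.
        FileService limited = CapabilityGuard.guard(FileService.class, backend, "signer:unknown-applet");
        System.out.println("limited read: " + limited.read("/tmp/note"));
        System.out.println("limited version: " + limited.version());   // unannotated, always allowed
        try {
            limited.write("/tmp/note", "tampered");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // Unsigned: refused outright, no proxy is ever handed out.
        try {
            CapabilityGuard.guard(FileService.class, backend, "unsigned");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The weakness Simon points at survives in this model: the check only holds if every path to `LocalFileService` goes through the guarded proxy. Anything that obtains the raw `backend` reference bypasses the policy, which is exactly why generating the check into the method body at load time is the more robust placement.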