# How Much Confinement Do We Want?

**_NOTE:_** **I am absolutely sure this is incredibly incomplete and/or wrong.**

## Introduction

There has been a lot of traffic on the l4-hurd list lately. A good bit of this is related to the question this entry is about: how much confinement do we want?

The idea of not implementing full confinement was (accidentally?) raised by Marcus, who had planned to raise it _at some point_, but not yet. Still, he did, and now we have to manage the situation.

## Terminology

In this section I try to sketch some terminology that came up _during_ the discussion.

### Creator

We call the creator of the confined (constructor) object the creator. [2]

### Instantiator

We call the user of the confined (constructor) object the instantiator. [2]

### Encapsulation

Encapsulation means that information (including authority) cannot be extracted from a program without its consent. This is a restriction on "read in" behavior. [3]

### Confinement

Confinement means that a program cannot communicate outward through unauthorized channels. This is a restriction on "write out" behavior. [3]

### Non-trivial confinement

Marcus: "[non-trivial confinement] is the confined constructor design pattern." [1]

We speak of non-trivial confinement when creator != instantiator. [2]

### Trivial confinement

Marcus: "[trivial confinement] is what the Hurd will do." [1]

We speak of trivial confinement when creator == instantiator. [2]

### Principle of user freedom/autonomy

The principle of user freedom and autonomy means the right to use, inspect, alter and copy all resources attributed to/owned by the user. [4]

### Freedom of digital information

TBD

## The Positions

Here I try to sketch the different positions.

### Use and Implement Only Trivial Confinement by Default

#### Pros

* Follows the principle of user freedom
* **add more here**

#### Cons

* Use cases for non-trivial confinement may exist that we cannot yet think of.
* **add more here**

### Implement Full Confinement and Utilize It

#### Pros

* There are many years of experience with confinement.
* **add more here**

#### Cons

* It does not follow the principle of user freedom.
* **add more here**

## Preliminary Summary Statements

* [Jonathan](http://lists.gnu.org/archive/html/l4-hurd/2006-05/msg00018.html)

## A Try to Push the Discussion into a Constructive Direction

Marcus started a challenge [5] to find a use case for non-trivial confinement that is interesting for the Hurd and cannot be implemented otherwise. The exact challenge definition can be found in the mail.

----

* [1]
* [2]
* [3]
* [4]
* [5]

-- [[Main/TomBachmann]] - 01 May 2006