[langsec-discuss] a question on code volume

Chris Palmer snackypants at gmail.com
Sun Jan 4 20:41:27 UTC 2015


On Sun, Jan 4, 2015 at 11:05 AM, Rik Farrow <rik at rikfarrow.com> wrote:

> And it's not how I want my car to run, or even my cell phone. Both are
> vastly more complex than qmail, but having my car decide to die while
> I am navigating during rush hour could result in people dying.

Nobody is saying your car should stop running immediately on the first
problem. That's not how qmail works, either. Instead, errors are
logged and propagated up the call tree, and the callers keep trying.
At the top of the call tree is the human operator; but transient and
recoverable errors likely never make it up that high.

And, yes, your cell phone (and laptop) often already does work in that
way: init spawns daemons like rild (radio interface layer daemon) and
watches to see if rild has died.

The proposition is that things like rild should simplify by relying on
the interface guarantee of init ("I will restart you"), rather than
going through contortions (that are themselves likely to create more
bugs or operational mishaps) to try to repair.

This is explained in the crash-only paper; nobody is saying "Go ahead and
let people die every time write(2) gets EINTR."


-- 
http://noncombatant.org/
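An added example, not from the original post nor from qmail or Android's init: a small C sketch of the pattern described above. The worker retries only transient errors (here EINTR on write(2)) and otherwise exits non-zero instead of trying to repair itself; the supervisor relies on the "I will restart you" guarantee and gives up only after a bounded number of restarts, which is the point at which the human operator would be paged. The function names (full_write, supervise, flaky_child, pipe_roundtrip) and the twice-crashing child are constructed for illustration.

```c
/* Added example (not from the original post). Names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Retry writes interrupted by a signal (EINTR) and finish short writes.
 * Any other error is returned to the caller rather than "repaired" here. */
ssize_t full_write(int fd, const void *buf, size_t len)
{
    const char *p = buf;
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, p + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* transient: nobody above ever sees it */
            return -1;             /* real failure: propagate up the call tree */
        }
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Write msg through a pipe with full_write() and read it back; returns the
 * number of bytes read back, or -1 on any failure. Used to exercise full_write. */
ssize_t pipe_roundtrip(const char *msg)
{
    int fds[2];
    char buf[256];
    if (pipe(fds) < 0)
        return -1;
    ssize_t w = full_write(fds[1], msg, strlen(msg));
    close(fds[1]);
    ssize_t r = (w < 0) ? -1 : read(fds[0], buf, sizeof buf);
    close(fds[0]);
    return r;
}

/* Run child(attempt) in a forked process. If it exits non-zero or is killed
 * by a signal, fork it again, at most max_restarts times. Returns the number
 * of restarts performed before a clean exit, or -1 once the budget is spent
 * (the point at which a real init would escalate to the operator). */
int supervise(void (*child)(int attempt), int max_restarts)
{
    int restarts = 0;
    for (;;) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            child(restarts);
            _exit(0);              /* in case the child returns instead of exiting */
        }
        int status;
        while (waitpid(pid, &status, 0) < 0) {
            if (errno != EINTR)    /* EINTR here is transient too: just retry */
                return -1;
        }
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
            return restarts;       /* clean exit: supervision is done */
        if (restarts >= max_restarts)
            return -1;             /* give up; this is where a human gets paged */
        restarts++;
    }
}

/* Constructed worker: dies twice on an "unrecoverable" condition, then succeeds.
 * It does no repair of its own; it simply exits and lets the supervisor act. */
void flaky_child(int attempt)
{
    if (attempt < 2)
        _exit(1);
    _exit(0);
}

int main(void)
{
    int r = supervise(flaky_child, 5);
    printf("worker succeeded after %d restart(s)\n", r);
    return r == 2 ? 0 : 1;
}
```

The two halves are the whole argument in miniature: full_write() swallows exactly the errors that are transient by definition and hands everything else upward, and supervise() is the caller at the top of the tree whose only recovery strategy is "try again, a bounded number of times".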

