Hacker News

whartung, last Saturday at 8:31 PM (4 replies)

Have you, or anyone, ever lived with such a system?

For human beings, they sound like a nightmare.

We're already getting a taste of it right now with modern systems.

Becoming numb to "enter admin password to continue" prompts, getting generic "$program needs $right/privilege on your system -- OK?".

"Uh, what does this mean? What if I say no? What if I say YES!?"

"Sorry, $program will utterly refuse to run without $right. So, you're SOL."

Allow location tracking, all phone tracking, allow cookies.

"YES! YES! YES! MAKE IT STOP!"

My browser routinely asks me to enable location awareness. For arbitrary web sites, and won't seem to take "No, Heck no, not ever" as a response.

Meanwhile, I did that "show your sky" cool little web site, and it seemed to know exactly where I am (likely from my IP).

Why does my IDE need admin to install on my Mac?

Capability based systems are swell on paper. But, not so sure how they will work in practice.


Replies

mikewarot, last Saturday at 9:29 PM

>Have you, or anyone, ever lived with such a system?

Yes, I live with a few of them, actually, just not computer related.

The power delivery in my house is a capabilities based system. I can plug any old hand-made lamp from a garage sale in, and know it won't burn down my house by overloading the wires in the wall. Every outlet has a capability, and it's easy peasy to use.

Another capability based system I use is cash, the not so mighty US Dollar. If I want to hand you $10 for the above mentioned lamp at your garage sale, I don't risk also giving away the title to my house, or all of my bank balance, etc... the most I can lose is the $10 capability. (It's all about the Hamilton's Baby)

The system you describe, with all the needless questions, isn't capabilities, it's permission flags, and horrible. We ALL hate them.

As for usable capabilities, if Raymond Chen and his team at Microsoft chose to do so, they could implement a Win32 compatible set of powerboxes to replace/augment/shim the standard file open/save system supplied dialogs. This would then allow you to run standard Win32 GUI programs without further modifications to the code, or changing the way the programs work.

Someone more fluent in C/C++ than me could do the same with Genode for Linux GUI programs.

I have no idea what a capabilities based command line would look like. EROS and KeyKOS did it, though... perhaps it would be something like the command lines in mainframes.
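As an added illustration of the powerbox idea mikewarot describes (not code from the thread, and not how Windows, Genode or any real powerbox is implemented): a small Python sketch in which the trusted dialog picks the file and the program receives only an object capability, never a path. FAKE_FS and the chooser callback are constructed stand-ins for the disk and the file dialog, and the two app functions are hypothetical.

```python
"""Toy powerbox: the trusted shell picks the file, the app gets an object capability.

Added example, not from the thread. The app never names a path and never sees
one: it receives a ReadCap holding only the bytes the user chose to share.
FAKE_FS and the chooser stand in for a disk and a file dialog; both are constructed.
"""
from typing import Callable, Dict, List, Optional

FAKE_FS: Dict[str, bytes] = {                   # constructed stand-in for the disk
    "/home/user/docs/report.txt": b"quarterly report",
    "/home/user/.ssh/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----",
}


class ReadCap:
    """Capability to read one file: no path, no directory, no write, revocable."""
    def __init__(self, data: bytes) -> None:
        self._data = data
        self._revoked = False

    def read(self) -> bytes:
        if self._revoked:
            raise PermissionError("capability revoked")
        return self._data

    def revoke(self) -> None:
        self._revoked = True


class Powerbox:
    """Trusted component that runs the dialog and mints capabilities.

    chooser(app_name) plays the user at the file dialog and returns the path
    they picked, or None for Cancel. The app only ever sees the resulting cap.
    """
    def __init__(self, chooser: Callable[[str], Optional[str]]) -> None:
        self._chooser = chooser
        self.audit: List[str] = []
        self.issued: List[ReadCap] = []

    def open_for_read(self, app: str) -> Optional[ReadCap]:
        path = self._chooser(app)               # the user's choice, not the app's
        if path is None or path not in FAKE_FS:
            self.audit.append(f"{app}: open cancelled")
            return None
        cap = ReadCap(FAKE_FS[path])
        self.issued.append(cap)
        self.audit.append(f"{app}: read granted on {path}")
        return cap

    def revoke_all(self) -> None:               # e.g. when the app exits
        for cap in self.issued:
            cap.revoke()


# The same hypothetical untrusted app, written two ways.
def app_with_ambient_authority() -> bytes:
    # Classic open(): the app names any path its user can read, including this one.
    return FAKE_FS["/home/user/.ssh/id_ed25519"]


def app_with_powerbox(pb: Powerbox) -> Optional[bytes]:
    # No path anywhere in the app; it asks for "a file" and reads what it is handed.
    cap = pb.open_for_read("untrusted_app")
    return cap.read() if cap else None
```

The point of the shim idea is in the last function: the program's code is the same shape as before (ask for a file, read it), only the source of authority has moved from the program's own string to the user's choice in the trusted dialog.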

zzo38computer, last Saturday at 9:16 PM

That is because they are badly designed. A system that is better designed will not have these problems. Other people and I have mentioned some ways to make it better; I think that redesigning the entire computer would fix this and many other problems.

One thing that could be done is to specify the interface and intention instead of the implementation, and then any implementation would be connected to it; e.g. if it requests video input then it does not necessarily need to be a camera, and may be a video file, still picture, a filter that will modify the data received by the camera, video output from another program, etc.

fallpeak, last Saturday at 8:41 PM

This is only a problem when implemented by entities who have no interest in actually solving the problem. In the case of apps, it has been obvious for years that you shouldn't outright tell the app whether a permission was granted (because even aside from outright malice, developers will take the lazy option to error out instead of making their app handle permission denials robustly); every capability needs to have at least one "sandbox" implementation: lie about GPS location, throw away the data they stored after 10 minutes, give them a valid but empty (or fictitious) contacts list, etc.
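zzo38computer's point (ask for an interface such as "video input" and let anything that satisfies it be connected, including a file or a filter over the camera) and fallpeak's (every capability gets a sandbox implementation that lies rather than reporting denial) fit one sketch. The following is an added example in Python, not code from the thread or from any real OS; the interfaces, the grant table, the fake clock and the sample coordinates and contacts are all assumptions.

```python
"""Capability broker that wires an app to an implementation of an interface.

Added example, not code from the thread or from any real OS. The app names the
kind of thing it wants ("video", "location", "contacts", "storage") and the
broker picks the object. Each interface has a sandbox implementation, so from
the app's side a denial is indistinguishable from a grant. Constructed data.
"""
from abc import ABC, abstractmethod
from typing import Callable, Dict, List, Optional, Tuple

# Interfaces: what the app asks for. It has no say over what it is wired to.
class VideoInput(ABC):
    @abstractmethod
    def frame(self) -> bytes: ...

class Location(ABC):
    @abstractmethod
    def position(self) -> Tuple[float, float]: ...

class Contacts(ABC):
    @abstractmethod
    def names(self) -> List[str]: ...

class Storage(ABC):
    @abstractmethod
    def put(self, key: str, value: str) -> None: ...
    @abstractmethod
    def get(self, key: str) -> Optional[str]: ...

# Implementations the broker may connect; the last of each group is the sandbox.
class Camera(VideoInput):
    def frame(self) -> bytes:
        return b"CAMFRAME"                      # stands in for a real capture

class BlurFilter(VideoInput):
    """Wraps any VideoInput; the app cannot tell it is not the raw camera."""
    def __init__(self, inner: VideoInput) -> None:
        self._inner = inner
    def frame(self) -> bytes:
        return b"blur(" + self._inner.frame() + b")"

class BlackFrames(VideoInput):                  # valid but content-free video
    def frame(self) -> bytes:
        return b"\x00" * 8

class RealGps(Location):
    def position(self) -> Tuple[float, float]:
        return (40.7484, -73.9857)              # constructed fix

class FakeGps(Location):                        # plausible, stable and wrong
    def position(self) -> Tuple[float, float]:
        return (0.0, 0.0)

class RealContacts(Contacts):
    def names(self) -> List[str]:
        return ["Alice", "Bob"]                 # constructed

class EmptyContacts(Contacts):                  # valid but empty
    def names(self) -> List[str]:
        return []

class ExpiringStorage(Storage):
    """Keeps values for ttl seconds: ttl=inf is the real store, ttl=600 the sandbox."""
    def __init__(self, clock: Callable[[], float], ttl: float) -> None:
        self._clock, self._ttl = clock, ttl
        self._d: Dict[str, Tuple[str, float]] = {}
    def put(self, key: str, value: str) -> None:
        self._d[key] = (value, self._clock())
    def get(self, key: str) -> Optional[str]:
        item = self._d.get(key)
        if item is None or self._clock() - item[1] > self._ttl:
            self._d.pop(key, None)
            return None
        return item[0]

class Broker:
    """Resolves (app, capability) to an object. A 'deny' still returns an object."""
    def __init__(self, grants: Dict[Tuple[str, str], str], clock: Callable[[], float]) -> None:
        self._grants, self._clock = grants, clock

    def _decision(self, app: str, cap: str) -> str:
        return self._grants.get((app, cap), "deny")   # default is deny

    def video(self, app: str) -> VideoInput:
        d = self._decision(app, "video")
        if d == "camera":
            return Camera()
        if d == "filtered":
            return BlurFilter(Camera())
        return BlackFrames()

    def location(self, app: str) -> Location:
        return RealGps() if self._decision(app, "location") == "allow" else FakeGps()

    def contacts(self, app: str) -> Contacts:
        return RealContacts() if self._decision(app, "contacts") == "allow" else EmptyContacts()

    def storage(self, app: str) -> Storage:
        ttl = float("inf") if self._decision(app, "storage") == "allow" else 600.0
        return ExpiringStorage(self._clock, ttl)
```

Note that nothing in the Broker's return types tells the app which branch it got: a denied app calling frame(), position(), names() or get() receives well-formed answers, so the lazy "error out on denial" path never fires, and the storage sandbox simply forgets after ten minutes rather than refusing the write.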

alpaca128, last Sunday at 2:24 PM

> My browser routinely asks me to enable location awareness. For arbitrary web sites, and won't seem to take "No, Heck no, not ever" as a response.

Firefox lets you disable this (and similar permissions like notifications, camera etc) with a checkbox in the settings. It's a bit hidden in a dialog, under Permissions.