02:43 <ehmry> zgrep: hyperfekt: i think genode is less about standardizing an API or methods of permissions and more about allowing policies to be better distributed and localized

02:48 <ehmry> the key is not having global ACLs

03:14 <zgrep> Ah, interesting... though I would guess that it does this by enforcing a particular method with which such policies/permissions to be defined?

03:19 <ehmry> zgrep: yes, at a kind of generic and abstract level :)

03:20 <ehmry> but for example, enforcing file-system permissions is done by effectively using `chroot` or disabling all write permissions, which doesn't seem very fined grained but is simple to implement and understand

03:22 <ehmry> and if you wanted to implement a shim that injected something like users or group, that is possible but the burden is on you to do it properly

03:46 <zgrep> I'd assume the easiest way to shim user/group-style things would be to have each user have their own chroot-style thing, and designate special shared folders for shared things. At least for filesystems.

03:46 <zgrep> Oh, okay. I was thinking more in terms of access to things, such as a slice of memory or disk, or access to send TCP packets, and wasn't thinking about awkward fine-grained slicing of user or group permissions.

03:50 <zgrep> (Though that's not the exact same thing, it's probably close enough.)

03:57 <zgrep> Maybe I should be asking this in #genode as opposed to here.

03:57 <zgrep> ehmry: Hm. But at what... "levels" are the lines drawn? At what point do you decide that something gets a unique API? From my (incomplete if not incorrect) understanding, there's an overarching components+isolation+inter-component-communication concept that everything is based off of, and then there's more application-specific API's (built atop the general and abstract one) for filesystem access, and VM setup, and window management,

03:57 <zgrep> etc.

04:01 <ehmry> zgrep: there are a few interfaces defined for stuff like block devices, FS, ethernet and windowing, but they are all quite simple

04:03 <ehmry> and if you want to enforce polices at the level of IP or TCP ports then you have to use the router component

04:03 <ehmry> and yes, there is also #genode

04:06 <ehmry> also, https://git.sr.ht/~ehmry/genodepkgs, which is some alpha nix+genode stuff

10:48 <IdleBot_85f8451c> Re: standartise on a single API — I think we have already seen how well it goes with init, and here we have a much better justification for a mission creep. So no.

12:12 <hyperfekt> i'm not even going to engage with that

12:14 <ehmry> well we've also seen how well its gone with POSIX

12:24 <ehmry> now the hip new standard is KVM

20:47 <pie_> not strictly related, but excellent talk https://invidio.us/watch?v=fdO4VN1IDI0 , or essay (i havent read the essay yet) https://blog.troutwine.us/2017/02/10/build-good-software/