Reply To: Mill security model: The main attraction

Besides what has been revealed in the talks already, we are actively working to extend and improve the Mill security model. We know that in the long run it will be a Good Thing.

But frankly, we are also worried that in the short run it may not be a Good Thing at all. Far too many programs are out there that are full of security holes that nobody has fallen into yet, or at least they aren’t talking. If the Mill has always-on security (and we feel that security you can shut off isn’t security) then programs will fail on the Mill that “work” on other machines. And Mr. Clueless will be all over the web, posting that Mills are broken because his (obviously bug-free) program works fine on other chips. We wouldn’t survive a reputation for flakiness, deserved or not.

If you think these worries are far-fetched, all I can say is that I remember the transition to MMUs, and hearing people file reports about failing hardware, with comments like “What is this crap about segv?”.

There is a rule of thumb in business, and Mill Computing is a business after all, that for the first sale you must give the user what he thinks he wants, while for the second sale you must have given him (in the first sale) what he actually needed. That makes for subtle design issues. We’ll do our best, and I hope you will be around to balance Mr. Clueless and his rants.