religious wars

[Scott Schwartz schwartz@galapagos.cse.psu.edu]

I agree with most of what Dave wrote; here's my 2¢.

| If one takes Vadim's argument to the extreme, he
| should eliminate passwords internally since he
| has adequate protection, trusts everyone
| internally, and plan 9 is just a toy system.
| We ran that way ourselves for years
| (till management started using Plan 9 and wanted
| something better to keep us from seeing
| their secret stuff).

Lots of things about the system, and unix before it, reflect this mode
of development.  Consider file permissions: user/group/other is
adequate in uncomplicated circumstances, but in the typical university
setting access control lists would make life much easier,
particularly because the people you trust with particular files or
directories varies so much and so dynamically.

Also, there's a difference between any-user and unauthenticated-person
that user none doesn't seem to capture.  Shipping the system with
telnetd allowing "none" to log in from anywhere strikes me as a
mistake.  Allowing anonymous 9p connections is worrysome too.  AFS does
better, since it lets you restrict what unauthenticated users are
allowed to look at (easy with ACLs).

| Out biggest fear is that this pressure will make
| passwords a default mechanism.  We'ld rather see
| people working on getting Unix and DOS to use 
| better security or making Plan 9 security
| tighter like adding expontial key exchange than
| to add options to Plan 9 to make it less secure.
| Just the ability to do passwords in the clear is
| the first step down a very steep slope.  Climbing
| back up again is real hard.  We have a chance for
| a system that never goes that route, why blow it.

I very strongly agree with this.  In the unix world most people (and
vendors) aggressively avoid kerberos, s/key, and other things that
would improve our lives.  Plan 9 is a rare and valuable example of
doing things better and easier.  When I show it off to visitors I
always point that out.