The question really comes down to how much we trust venus. If we trust venus to do the right thing, then a lot of checks in the kernel are superfluous. If venus is seriously untrusted, we probably need even more checks.

The kernel should not trust venus. A general rule in NetBSD, at least, is that no user process should be able to crash the kernel. So full validation of all pioctl data is in order.

Besides following the kernel/user rule above, this would mean that we are more likely to find bugs sooner. This heads towards the design-by-contract notions in Eiffel, and I think that's a good thing. I have never regretted writing validation code - enough of it trips and shows a bug that it is faster than debugging without it!

Besides, venus has been known to have a bug or two over the years!

-- Greg Troxel <gdt_at_ir.bbn.com>

Received on 2003-09-12 09:21:27
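The "full validation of all pioctl data" argued for above, shown as an added example that is not code from the post, from the Coda kernel module or from venus. It models the kernel side of a pioctl: the request layout (an opcode, input and output buffer pointers, and 16-bit signed sizes), the opcode table, the size limits and every identifier here are my own assumptions, chosen so the classic failure shows up: a signed short length that is negative passes a naive `size > MAX` check and then becomes a huge `size_t` in the copy.

```c
/* Added example (not from the post, Coda or venus): kernel-side validation
 * of a pioctl-style request arriving from an untrusted user process.
 * Layout, opcode table and limits are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIOCTL_MAX_IN   4096   /* assumed upper bound on request payload   */
#define PIOCTL_MAX_OUT  4096   /* assumed upper bound on reply payload     */
#define PIOCTL_NOPS     3      /* hypothetical: only opcodes 0..2 exist    */

enum pv_status { PV_OK = 0, PV_EINVAL = 1, PV_EFAULT = 2, PV_E2BIG = 3 };

/* The request exactly as the user process hands it over (after copyin). */
struct pioctl_req {
    uint32_t    opcode;
    const void *in;        /* user pointer to input payload  */
    int16_t     in_size;   /* signed on purpose, see check_size() */
    void       *out;       /* user pointer for the reply     */
    int16_t     out_size;
};

/* What each opcode may carry. A fixed size of -1 means "variable length,
 * up to the global maximum". Hypothetical table. */
struct pioctl_spec { const char *name; int in_fixed; int out_fixed; };
static const struct pioctl_spec pioctl_specs[PIOCTL_NOPS] = {
    { "GETFID",    0, 16 },   /* no input, fixed 16-byte output      */
    { "SETACL",   -1,  0 },   /* variable-length ACL text, no output */
    { "FLUSHVOL",  8,  0 },   /* fixed 8-byte volume id, no output   */
};

/* One size field, checked before anything is derived from it. */
static int check_size(int16_t have, int fixed, int max)
{
    if (have < 0)                      return PV_EINVAL; /* 0xffff as size_t = 2^64-1 */
    if (have > max)                    return PV_E2BIG;
    if (fixed >= 0 && have != fixed)   return PV_EINVAL; /* exact size for fixed ops */
    return PV_OK;
}

/* Validate everything the kernel will rely on before touching user memory. */
int pioctl_validate(const struct pioctl_req *r)
{
    int rc;
    if (r->opcode >= PIOCTL_NOPS) return PV_EINVAL;      /* no table walk past the end */
    rc = check_size(r->in_size,  pioctl_specs[r->opcode].in_fixed,  PIOCTL_MAX_IN);
    if (rc != PV_OK) return rc;
    rc = check_size(r->out_size, pioctl_specs[r->opcode].out_fixed, PIOCTL_MAX_OUT);
    if (rc != PV_OK) return rc;
    if (r->in_size  > 0 && r->in  == NULL) return PV_EFAULT;
    if (r->out_size > 0 && r->out == NULL) return PV_EFAULT;
    return PV_OK;
}

/* Convenience wrapper: build a request from scalars and validate it. The int
 * sizes are truncated to int16_t exactly as a user-supplied short would be. */
int pioctl_check(uint32_t opcode, const void *in, int in_size, void *out, int out_size)
{
    struct pioctl_req r = { opcode, in, (int16_t)in_size, out, (int16_t)out_size };
    return pioctl_validate(&r);
}

/* Stand-in for the copyin() of a SETACL payload into a bounded kernel buffer.
 * Returns bytes copied, or the negated status if validation fails. The copy
 * is safe only because validation already bounded 0 <= in_size <= MAX. */
int demo_setacl(const char *acl)
{
    uint8_t kbuf[PIOCTL_MAX_IN];
    struct pioctl_req r = { 1, acl, (int16_t)(strlen(acl) + 1), NULL, 0 };
    int rc = pioctl_validate(&r);
    if (rc != PV_OK) return -rc;
    memcpy(kbuf, r.in, (size_t)r.in_size);
    return r.in_size;
}

int main(void)
{
    char id[8] = "vol00001";
    char fid[16];
    printf("setacl ok: %d bytes\n",  demo_setacl("user:rlidwka"));
    printf("negative length: %d\n",  pioctl_check(1, id, -1, NULL, 0));
    printf("oversized: %d\n",        pioctl_check(1, id, 0x7fff, NULL, 0));
    printf("bad opcode: %d\n",       pioctl_check(99, NULL, 0, NULL, 0));
    printf("flushvol short: %d\n",   pioctl_check(2, id, 4, NULL, 0));
    printf("getfid null out: %d\n",  pioctl_check(0, NULL, 0, NULL, 16));
    printf("getfid ok: %d\n",        pioctl_check(0, NULL, 0, fid, 16));
    return 0;
}
```

The point of `check_size` taking the raw `int16_t` is that the sign test happens on the type the user controls; widening first and then comparing against `PIOCTL_MAX_IN` would let `-1` through as `65535` or as a huge `size_t`, depending on the conversion path. Per-opcode fixed sizes are the design-by-contract part: an opcode that expects exactly 8 bytes rejects 4, instead of reading 4 bytes of stack garbage later.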