On 5 Feb 2014, at 10:58, David Drysdale <drysdale at google.com> wrote:
The main merit of the current approach is that it is simple and easy to understand, even if we don't like all of its consequences. When combining the properties of a capability system with a conventional UNIX OS design, that's about as good as it gets. We pondered for quite a while how to deal with "descriptors inherited from descriptors" and most of the variations aren't much fun, as they require additional rights masks and hence increase the potential for developer confusion leading to security surprises. I'm happy to keep having the conversation as I also agree that the current API isn't great, though.