- @icedquinn @dangerdyke @p @yassie_j
> i'm not sure wdym unix is designed in a way that can't be hardened. openbsd does it all the time. grsec did quite well, it's just they were tired of working on it for free and the linux foundation had zero interest in merging it when it was donated.

The UNIX model of memory-unsafe C APIs is asking for trouble and memory-unsafe monolithic kernels have major ambient authority concerns.
OpenBSD claims to have few remotely exploitable bugs in the default install, but that same system *requires* additional software to be useful for most purposes people want it for, so the default install's claims & state don't exactly mean much beyond that it meets at least the lowest bar one should apply to OSes.
Converting a system to using capability addressing pervasively instead of the C APIs would break compatibility with POSIX & UNIX, so it is consequently impossible to properly harden UNIX.