Eric Jacobs
> A pure capability-based system wouldn't need to have an open() function
> because that operation doesn't exist: a process either already has a
That's arguable. Prometheus doesn't have open() but I was quite surprised
when I found that out. I started by extending the Plan 9 model and open()
wasn't eliminated until I switched the foundation of my model from an
imperative style to an object-oriented style.
> connection handles around. The only way a process could get an open
> connection handle would be from another process which had it (or a
> superset of it). We would never need to ensure that somebody has
> rightful access via access lists because there's no way they could pull
> a handle out of thin air. They must have gotten it from somebody who
> did have access.
You can't have a pure capabilities-based system unless you have multiple-
containment. And you can't have multiple-containment unless you have
bidirectional links between data objects; if you try to do without it,
Very Bad Things happen.
-- "Clandestinism is not the usage of a handful of rogues, it is a formalized practice of an entire class in which a thousand hands spontaneously join. Conspiracy is the normal continuation of normal politics by normal means." -- OglesbyReceived on Thu Apr 1 00:33:45 1999
This archive was generated by hypermail 2.1.8 : Thu Sep 22 2005 - 15:12:56 PDT