[cap-talk] On revocation and the use of wrappers and In Defense of Identities

Jonathan S. Shapiro shap at eros-os.com
Thu Dec 7 08:41:08 CST 2006


On Thu, 2006-12-07 at 14:57 +0100, Marcus Brinkmann wrote:
> > The server can always refuse if a given capability has been delegated
> > too many times.
> 
> As Neal said.  Or: "What's too many?" [1]

I appreciate the humor, but there is a serious problem here in the OS
context. If wrapping or delegation involves building a data structure,
my bet is that data structure will grow linearly in the number of
delegations.

In order for the OS to have bounded-time operations, it MUST set a bound
on the number of steps it will take in any given operation.

Brinkmann and Walfield's "Critique of the Hurd" complains that EROS
imposes such a limit (he states it incorrectly as 4; the actual number
is 20), but fails to contemplate the consequences of his preferred
alternative (unstated, but presumed to be "no traversal limit"). The
absence of a limit entails loss of bounded-time atomicity and potential
infinite loops in the forwarding structures that the kernel cannot
effectively guard against.

RANT

Nobody likes having the bound, but I confess I get annoyed by that
particular critique. It comes up surprisingly often, but I have *never*
observed the critic to either consider the alternative or propose a
viable replacement mechanism.

I'm not annoyed at Neal or Marcus. I just get tired of hearing one-sided
reasoning on this issue.

END RANT
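As an added illustration of the traversal-limit argument above (example code written for this page, not EROS or Hurd code, and not from the post's author): a hypothetical capability table in which a slot is either a direct object reference or a forwarder (wrapper) pointing at another slot. The resolver follows forwarders for at most MAX_FORWARD_DEPTH hops, set to the 20 the post quotes for EROS. A linear chain within the bound resolves in bounded time; a longer chain, or a constructed cycle of forwarders that would otherwise spin forever inside the kernel, is refused deterministically instead. All names, the table layout and the sample chains are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Maximum number of forwarder hops the resolver will follow. The value 20
 * is the EROS limit quoted in the post; the constant name is hypothetical. */
#define MAX_FORWARD_DEPTH 20

enum cap_kind { CAP_OBJECT, CAP_FORWARD };

/* Hypothetical capability slot: a direct object reference or a forwarder
 * (wrapper) that names another slot in the same table. */
struct cap {
    enum cap_kind kind;
    uint32_t target;   /* object id for CAP_OBJECT, next slot for CAP_FORWARD */
};

enum resolve_status { RESOLVE_OK, RESOLVE_DEPTH_EXCEEDED, RESOLVE_BAD_SLOT };

/* Follow forwarders from `start`, taking at most MAX_FORWARD_DEPTH hops.
 * Every path through this loop is bounded by the constant, so the kernel's
 * cost per invocation is bounded regardless of what the table contains. */
enum resolve_status resolve_cap(const struct cap *table, size_t nslots,
                                uint32_t start, uint32_t *out, unsigned *hops)
{
    uint32_t slot = start;
    unsigned steps = 0;
    for (;;) {
        if (slot >= nslots)
            return RESOLVE_BAD_SLOT;
        if (table[slot].kind == CAP_OBJECT) {
            *out = table[slot].target;
            *hops = steps;
            return RESOLVE_OK;
        }
        if (steps == MAX_FORWARD_DEPTH)   /* refuse rather than keep walking */
            return RESOLVE_DEPTH_EXCEEDED;
        slot = table[slot].target;
        steps++;
    }
}

/* Constructed table: `chain_len` forwarders in a row ending at object 42.
 * Returns the hops taken on success, or -1 if resolution was refused. */
int resolve_linear_chain(unsigned chain_len)
{
    struct cap table[64];
    if (chain_len + 1 > 64)
        return -1;
    for (unsigned i = 0; i < chain_len; i++) {
        table[i].kind = CAP_FORWARD;
        table[i].target = i + 1;
    }
    table[chain_len].kind = CAP_OBJECT;
    table[chain_len].target = 42;

    uint32_t obj;
    unsigned hops;
    if (resolve_cap(table, chain_len + 1, 0, &obj, &hops) != RESOLVE_OK)
        return -1;
    return obj == 42 ? (int)hops : -1;
}

/* Constructed cycle: slot 0 -> 1 -> 2 -> 0. With no depth bound this walk
 * would never terminate; with the bound it fails after 20 hops. */
enum resolve_status resolve_cycle(void)
{
    struct cap table[3] = {
        { CAP_FORWARD, 1 }, { CAP_FORWARD, 2 }, { CAP_FORWARD, 0 },
    };
    uint32_t obj;
    unsigned hops;
    return resolve_cap(table, 3, 0, &obj, &hops);
}

int main(void)
{
    printf("chain of 5 forwarders:  hops=%d\n", resolve_linear_chain(5));
    printf("chain of 20 forwarders: hops=%d\n", resolve_linear_chain(20));
    printf("chain of 21 forwarders: hops=%d (refused)\n", resolve_linear_chain(21));
    printf("cyclic forwarders:      status=%d (2 = depth exceeded)\n",
           (int)resolve_cycle());
    return 0;
}
```

The point of the example is the shape of the loop, not the particular constant: a resolver without the `steps == MAX_FORWARD_DEPTH` check has no bound on kernel time per operation and cannot distinguish a long legitimate chain from a cycle, which is exactly the loss of bounded-time atomicity the post describes.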
