[cap-talk] Another "core" principle
Valerio Bellizzomi
devbox at selnet.org
Thu Dec 21 17:00:56 CST 2006
On 20/12/2006, at 16.30, Bill Frantz wrote:
>donnelley1 at webstart.com (Jed at Webstart) on Wednesday, December 20, 2006
>wrote:
>
>>At 03:19 PM 12/20/2006, Bill Frantz wrote:
>>>shap at eros-os.com (Jonathan S. Shapiro) on Sunday, December 17, 2006
>>>wrote:
>>>
>>> >I'm not sure my concern is valid, but I'm concerned about the membrane
>>> >pattern. If the consequence of causally dependent capabilities (which is
>>> >what membranes build) is that nobody ever dares to revoke a membrane,
>>> >then there is absolutely no point introducing the membranes in the first
>>> >place.
>>>
>>>The same issue applies to zapping space banks and the disk format
>>>command. There is no way to undo their destructive effects.
There is a way to undo formatting, but it is not straightforward, and it is
costly.
>>>
>>>Cheers - Bill
>>
>>While I don't know much about zapping space banks, I'm of course
>>quite familiar with reformatting disks. If I reformat a disk and that
>>disk had meaningful user data that they need for their work, I go
>>back to work and restore what I reformatted.
Restoring disk data presumes that you have a backup; recovering the
previous magnetic state of a formatted disk is quite a different thing, and it
is done by hardware means.
>>
>>In the message above you seem to suggest that if a revocation
>>happens and it stops somebody from doing their work, that's
>>OK. If the revocation is as intended and the person should no
>>longer have access, then of course it is more than OK, it's
>>what should happen.
>
>I didn't say it is OK to prevent people from doing their work. What I
>did say is that current systems have very destructive, non-recoverable
>operations, and people have learned to live with them.
>
>It is desirable to have an undo for most operations. With some membrane
>implementations, it is possible to turn the switch back on after
>communications have been stopped. Whether just turning things back on
>would be effective depends on whether the objects affected can recover
>when their access comes back.
>
>Another approach would be to have a way of asking, "If I zap this
>membrane/space-bank/disk, what will no longer function?"
The obvious response is: the part of a system that relied on that
membrane/space-bank/disk.
val
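The two ideas Bill raises above, a membrane whose switch can be turned off and then back on, and a way of asking "if I zap this membrane, what will no longer function?", as an added example written for this page. It is not code from this thread, nor from E, EROS or any other system the participants work on; the names makeMembrane, revoke, restore and dependents, and the sample service object, are this example's own assumptions. It uses JavaScript Proxy, where the membrane pattern is most commonly written down today.

```javascript
// Added example (not code from this thread, nor from E, EROS or any other
// system its participants discuss): a membrane built on JavaScript Proxy.
// Every object reference crossing the membrane, in either direction, is
// replaced by a proxy that consults one shared switch. The names
// makeMembrane, revoke, restore and dependents are this example's own.

function makeMembrane(target) {
  let enabled = true;              // the switch Bill's message refers to
  const proxyFor = new WeakMap();  // raw object -> its proxy (identity preserving)
  const rawFor = new WeakMap();    // proxy -> raw object (re-wrapping unwraps)
  const crossings = new Set();     // labels of every reference that has crossed

  function checkEnabled(label) {
    if (!enabled) throw new Error(`membrane revoked: access via ${label} refused`);
  }

  // Wrap an object or function; primitives pass through unchanged.
  function wrap(value, label) {
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
      return value;
    }
    if (rawFor.has(value)) return rawFor.get(value);      // a proxy going back: unwrap
    if (proxyFor.has(value)) return proxyFor.get(value);  // seen before: same proxy
    const proxy = new Proxy(value, {
      get(raw, prop) {
        checkEnabled(label);
        return wrap(Reflect.get(raw, prop, raw), `${label}.${String(prop)}`);
      },
      set(raw, prop, val) {
        checkEnabled(label);
        return Reflect.set(raw, prop, wrap(val, `${label}.${String(prop)}`), raw);
      },
      apply(raw, thisArg, args) {
        checkEnabled(label);
        const result = Reflect.apply(raw, wrap(thisArg, label),
                                     args.map((a, i) => wrap(a, `${label}(arg${i})`)));
        return wrap(result, `${label}()`);
      },
    });
    proxyFor.set(value, proxy);
    rawFor.set(proxy, value);
    crossings.add(label);
    return proxy;
  }

  return {
    root: wrap(target, 'root'),
    revoke() { enabled = false; },   // stop all communication through the membrane
    restore() { enabled = true; },   // turn the switch back on
    isEnabled() { return enabled; },
    // Answer to "if I zap this membrane, what will no longer function?":
    // every reference that crossed it, including ones the holder cached.
    dependents() { return [...crossings].sort(); },
  };
}

// Constructed scenario: a client holds the membrane root and a cached
// sub-reference; the membrane is revoked and then restored.
function demo() {
  const service = {
    counter: 0,
    logger: { lines: [], log(msg) { this.lines.push(msg); } },
    bump() { this.counter += 1; return this.counter; },
  };
  const m = makeMembrane(service);
  const s = m.root;

  const before = s.bump();       // 1
  const loggerRef = s.logger;    // a second reference crosses and is cached
  loggerRef.log('hello');

  m.revoke();
  let rootFails = false, cachedFails = false;
  try { s.bump(); } catch (e) { rootFails = true; }
  try { loggerRef.log('again'); } catch (e) { cachedFails = true; }

  m.restore();
  const after = s.bump();        // 2: the raw object kept its state across revocation

  return { before, rootFails, cachedFails, after,
           affected: m.dependents(), logged: service.logger.lines.length };
}

console.log(JSON.stringify(demo()));
```

Two things the run shows. Revocation cuts off cached references as well as the root, which is why dependents() has to list everything that ever crossed rather than just the object handed out originally. And restore() only helps because the state lives in the raw service behind the membrane; a client that dropped its references or latched an error on the first refused call would not recover when the switch came back, which is Bill's caveat. Targets with frozen or non-configurable properties would trip Proxy's invariant checks under this direct-wrapping scheme; a fuller membrane wraps shadow targets instead.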