[cap-talk] Another "core" principle - Brinkmann

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Fri Dec 29 10:05:20 CST 2006


At Thu, 28 Dec 2006 18:19:03 -0800,
Jed Donnelley <capability at webstart.com> wrote:
> 
> At 05:34 PM 12/28/2006, Jonathan S. Shapiro wrote:
> >On Fri, 2006-12-29 at 01:25 +0100, Valerio Bellizzomi wrote:
> > > >Precisely. If the model ignores this, it's both non-believable and fails
> > > >to model observability correctly.
> > >
> > >
> > > Can you expand on Observability ?
> > > I will read your reply tomorrow, heading to bed now :-)
> >
> >Suppose that I (a keeper of the space) can write a mapping slot. You (a
> >client of the space) cannot read the capability in that slot, but you
> >can traverse it. By reading the thing that it points to, you can
> >determine that the capability in that slot has been altered.
> 
> On a meta note I'll mention that I'm often unhappy with what I
> regard as the varied nuances of descriptor type object-capability
> operating systems because they can provide so many different
> sorts of capability communication mechanisms.  The implementors
> of such systems seem to regard this opportunity to vary the
> interface as valued flexibility.  To me it argues against
> consistency in the object-capability paradigm and works against
> any hope for a consistent object-capability message.

It's undeniable that such fragmentation occurs whenever the capability
model hits the real world.  We have too many examples.

To me this suggests that the greatest common divisor of all capability
models is simply insufficient to solve many real world problems.
Think of the nuances as bug fixes.

I can understand your dismay at this conflict, but I have my doubts
that the solution is to "fix" the real world rather than the
capability systems.  Economy of mechanisms is an important goal, but
not for the sake of the mechanisms themselves.

Thanks,
Marcus


