[cap-talk] gauntlet - one way IPC considered useless, practical MLS?

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Sat Jan 21 13:49:43 EST 2006


Rob J Meijer wrote:
>>I wrote:
>>
>>>Suppose that a process A wants to tell processes B and C to perform some
>>>actions P_B and P_C respectively, and be assured that all effects of P_B
>>>happen before effects of P_C. B and C do not know anything about each other.
>>>There are only a few possible ways to implement this:
> 
> If you remember that:
> 
> a) Two way communication channels can be composed of two one way
>    communication channels.
> b) B could in time exist as different incarnations.
> c) incarnations of B can have a one-way IPC channel to A for as long
>    as they don't read any secret.
> d) Only on reading a secret would the B->A channel be revoked.
> e) If a B incarnation chooses to it can have itself die and be respawned
>    with the B->A channel restored in the next incarnation but with none of
>    its possible secret related state intact.
> 
> then you would see that the problem is actually much smaller than you
> think it is. Dropping state time and time again is expensive, but it is
> a solution.

It is a solution in some cases. What about all the cases in which it is
not, because B needs to retain its state?

I don't think I'm overestimating the problem of building an entire system
using the techniques you're suggesting, at all. The costs, in terms of
complexity, unreliability and inefficiency, are enormous, and the benefits
too small.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
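
The scheme in points (c) to (e) of the quoted message, modelled as an added example that is not part of the original post or of any system discussed on the list. The `Supervisor` and `Incarnation` classes, the in-memory list standing in for the B->A channel, and the sample secret are all assumptions made for illustration.

```python
class Revoked(Exception):
    """Raised when an incarnation that has read a secret uses the B->A channel."""

class Incarnation:
    def __init__(self, generation, inbox_of_a):
        self.generation = generation
        self._to_a = inbox_of_a   # one-way B->A channel (append only)
        self.state = {}           # working state; may become secret-derived

    def send_to_a(self, msg):
        if self._to_a is None:
            raise Revoked(f"B#{self.generation} has read a secret")
        self._to_a.append((self.generation, msg))

    def read_secret(self, name, secret_store):
        # (d) revoke the channel before the secret is handed over, so there
        # is no window in which B holds both the secret and the channel.
        self._to_a = None
        self.state[name] = secret_store[name]

class Supervisor:
    """Hypothetical trusted component that owns the channel and respawns B."""
    def __init__(self):
        self.inbox_of_a = []
        self.generation = 0

    def spawn(self):
        self.generation += 1
        return Incarnation(self.generation, self.inbox_of_a)

    def respawn(self, old):
        # (e) the old incarnation dies; none of its state is carried over.
        old.state.clear()
        old._to_a = None
        return self.spawn()

def demo():
    sup = Supervisor()
    secrets = {"key": "constructed-secret-value"}   # constructed sample
    b1 = sup.spawn()
    b1.state["progress"] = 41                       # state unrelated to the secret
    b1.send_to_a("ack before secret")               # (c) allowed
    b1.read_secret("key", secrets)
    try:
        b1.send_to_a("ack after secret")
        blocked = False
    except Revoked:
        blocked = True
    b2 = sup.respawn(b1)
    b2.send_to_a("ack from fresh incarnation")      # channel restored
    return blocked, sup.inbox_of_a, b2.state
```

In this model the respawned incarnation starts with an empty `state`, so the `progress` value that had nothing to do with the secret is dropped along with it.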


