[cap-talk] Capability accounting

Jed at Webstart donnelley1 at webstart.com
Wed Jun 21 16:27:39 EDT 2006


At 09:38 AM 6/20/2006, David Hopwood wrote:
>Jed at Webstart wrote:
>...
> > In my experience (others may and I hope do differ) this second #2
> > (accounting) has been less well developed in capability systems.  In
> > fact I'd be quite interested to explore a thread on accounting in object
> > capability systems if anybody else has an interest in the topic.
>
>Authority should (and does in a capability system) belong to processes,
>not people; as a special case, resource authorities should also belong to
>processes, not people.

Hmmm.  Certainly capabilities exist at the process level.  People have
no means to invoke capabilities in the meat world.  However, people
do manipulate capabilities with process proxies.   Also for some
resources such as this "account" object, I believe people get
more intimately involved because they pay for the resources,
something that still happens more in the meat world.

>A difference from most other authorities, is that when a group of processes
>share a quota, it is the sum of their resource usages that is limited. It
>may be common for such groups to correspond to the set of processes in a
>user's login session (or all sessions for a user if the system allows more
>than one). However, that is just a special case.

A special case, but as you say common and for a reason.  I would
say more than "just" a special case, though perhaps that's quibbling.

>The arguments in favour of allowing resource authorities to be freely
>delegated, as opposed to placing user-based restrictions on such delegation,
>are the same as for any other authority. It is also important to support
>attenuation of resource authorities -- for example generating an authority
>for a reduced quota from one that specifies a larger quota.

I agree, and that's what we implemented in NLTSS.  We had no
guidance to work from (1979).  It doesn't seem to me that enough
resource accounting has been done in capability systems to
develop any sort of best practice.

> > If nobody else is interested I'd at least like to hear why not -
> > e.g. because they believe it's a solved problem or because they
> > believe it's intractable or otherwise not productive.
>
>I don't believe it's a solved problem, and I do think it's an important
>problem. OTOH, I don't think it's less well developed in capability operating
>systems than in conventional operating systems. It is pretty badly developed
>in most conventional OSes, at least the ones that are widely used.
>
>(I agree that resource accounting needs more work in capability languages.
>Act2 and Act3 had "sponsors" representing resource authorities, but that
>does not seem to have been taken up by more recent cap languages.)

Perhaps I should let you respond to the high level questions I posed in
my response to Norm's message and we can see where this discussion
goes from there.  Sorry to have noticed your message out of sequence David.
That was inadvertent.

--Jed http://www.webstart.com/jed/ 
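
The shared-quota and attenuation behaviour discussed in this message, as an added example that is not code from either participant or from NLTSS. The names `Quota`, `attenuate`, `charge` and `remaining` are hypothetical, and the model assumes a child authority reserves nothing and is bounded by every ancestor.

```python
class QuotaExceeded(Exception):
    """Raised when a charge would exceed a limit somewhere up the chain."""


class Quota:
    """A resource authority; holding a reference is the right to draw on it."""

    def __init__(self, limit, parent=None):
        if limit < 0:
            raise ValueError("limit must be non-negative")
        self._limit, self._used, self._parent = limit, 0, parent

    def attenuate(self, limit):
        """Derive a child authority. Nothing is reserved: the child is capped
        by its own limit and by whatever its ancestors have left."""
        return Quota(limit, parent=self)

    def _chain(self):
        # This authority first, then each ancestor up to the root.
        q = self
        while q is not None:
            yield q
            q = q._parent

    def remaining(self):
        return min(q._limit - q._used for q in self._chain())

    def charge(self, amount):
        """Charge this authority and every ancestor, all or nothing."""
        if amount < 0:
            raise ValueError("amount must be non-negative")
        if amount > self.remaining():
            raise QuotaExceeded(f"need {amount}, only {self.remaining()} left")
        for q in self._chain():
            q._used += amount


if __name__ == "__main__":
    # Constructed scenario: one session quota shared by two processes.
    session = Quota(100)
    proc_a, proc_b = session.attenuate(60), session.attenuate(60)
    proc_a.charge(50)
    print(proc_b.remaining())  # limited by the shared parent, not by 60
    try:
        proc_b.charge(60)
    except QuotaExceeded as exc:
        print("denied:", exc)
```

Because every charge propagates to the root, the sum of usage across all delegated authorities is what the parent limits, and a holder cannot widen its authority by attenuating to a larger number.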
