[cap-talk] A challenge for membranes
Jonathan S. Shapiro
shap at eros-os.com
Mon Feb 18 09:38:08 EST 2008
There is a problem with the membrane pattern that I do not recall seeing
discussed.
A membrane implements a single (set of) policies. To the extent that it
does so, it implements the interests of some particular "manager" of a
collection of rights.
A single process may participate in operations where restrictions
imposed by multiple managers may need to be respected.
In consequence, it does not seem to me that the "cell" guarded by a
membrane can successfully be viewed as an undivided entity.
This raises a design challenge:
1. In order for a membrane to operate properly, it must impose
a boundary that can only be crossed by traversal of that membrane.
This can be generalized to strictly hierarchical arrangements of
membranes, but not to general graphs of membranes.
2. In any situation requiring that multiple membranes be honored
simultaneously, a general graph appears to be required.
Is there any reason to believe that this apparent conflict is
resolvable?
shap
More information about the cap-talk
mailing list