[cap-talk] Persistence as a category, danger, PLASH
James A. Donald
jamesd at echeque.com
Thu Mar 13 22:02:29 EDT 2008
Jed Donnelley wrote:
> One thing I will mention about these non-persistent
> (Port?) systems is that I don't believe they
> substantively solve any "danger" aspect of
> capabilities. Even though capabilities may disappear
> on a system restart, that is no reason to assume that
> they are substantially less "dangerous". Systems may
> not restart for a very long time (months, years?).
All the more reason to make capabilities even more
fragile - for example, the capability should expire if
any of the relevant processes shut down.
LAMP systems are able to run for months in part because
they continually spawn new processes and shut them down.
Making a process that can endure indefinitely requires
some way of getting rid of state. For example, a
service should have sessions; those sessions should time
out, and in timing out lose all state, and thus all
possibility for bad state. A session that is inactive
for a long time should be eliminated or suffer
aggregation, and a session that is continuously active
for a long time should eventually be forced into
inactivity. If such forcing into inactivity is
unacceptable, it should launch a new session whose state
is related to the state of the original session, but
whose state is guaranteed to be internally consistent
and to contain the minimum necessary startup
information.
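The session discipline described above (idle sessions are dropped with all their state; a continuously active session is eventually forced over into a fresh one that carries only the minimum startup information) can be made concrete in a small session table. This is an added example written for this page, not code from the post or from any cap-talk system; the names `SessionTable`, `idle_timeout`, `max_lifetime`, `FakeClock` and the choice of the principal name as the only state carried across a rotation are assumptions made here for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    principal: str                 # the only thing carried across a rotation
    created: float
    last_seen: float
    # Mutable state accumulated while the session lives; it dies with the session
    state: dict = field(default_factory=dict)


class FakeClock:
    """Injectable clock so timeouts can be exercised without sleeping (constructed)."""
    def __init__(self, t):
        self.t = t

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SessionTable:
    def __init__(self, idle_timeout, max_lifetime, now):
        self._idle = idle_timeout     # drop sessions inactive longer than this
        self._max = max_lifetime      # force even active sessions over at this age
        self._now = now
        self._sessions = {}

    def create(self, principal):
        t = self._now()
        s = Session(secrets.token_urlsafe(16), principal, t, t)
        self._sessions[s.sid] = s
        return s.sid

    def touch(self, sid):
        """Return the live session for a request, or None if it has expired.
        Idle sessions are discarded outright. A session past its absolute
        lifetime is discarded too, but the caller is handed a fresh session
        that carries only the principal, never the old accumulated state."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > self._idle:
            del self._sessions[sid]       # state (and any bad state) is gone
            return None
        if t - s.created > self._max:
            del self._sessions[sid]
            return self._rotate(s, t)
        s.last_seen = t
        return s

    def _rotate(self, old, t):
        # Built from the constructor, so the new session is internally
        # consistent by construction; only the principal is copied over.
        new = Session(secrets.token_urlsafe(16), old.principal, t, t)
        self._sessions[new.sid] = new
        return new

    def sweep(self):
        """Background reaper for sessions nobody touches any more."""
        t = self._now()
        dead = [sid for sid, s in self._sessions.items()
                if t - s.last_seen > self._idle]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)


def demo():
    """Walk both paths: idle expiry and forced rotation of a busy session."""
    clock = FakeClock(1000.0)
    tbl = SessionTable(idle_timeout=60, max_lifetime=300, now=clock.now)

    sid = tbl.create("alice")
    tbl.touch(sid).state["cart"] = ["widget"]
    clock.advance(120)                 # inactive past the idle limit
    idle_result = tbl.touch(sid)       # None: session and its cart are gone

    sid = tbl.create("bob")
    s = tbl.touch(sid)
    s.state["history"] = list(range(50))
    for _ in range(11):                # continuously active, 30 s apart
        clock.advance(30)
        s = tbl.touch(s.sid)           # 11th touch crosses max_lifetime
    return idle_result, sid != s.sid, s.principal, s.state


if __name__ == "__main__":
    print(demo())
```

Callers must always continue with the session object `touch` returns rather than the identifier they sent, since a rotation hands back a session with a new identifier; that is what makes the old identifier, and any capability bound to it, useless once its lifetime is up.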