[cap-talk] Persistence as a cap value
James A. Donald
jamesd at echeque.com
Thu Mar 20 14:15:10 EDT 2008
James A. Donald:
>>>> The authority given by a project file should begin
>>>> when I open it, and end when I close it. Not very
>>>> persistent at all.
Pierre THIERRY wrote:
>>> OK, so what happens if I close the project and
>>> reopen it? If the project has no persistent authority
>>> to the files in it, does that mean I have to
>>> manually give it back authority to all these files?
James A. Donald:
>> Think about it.
Sandro Magi wrote:
> The only way I can see to support this, is for the
> powerbox/trusted shell to save its session state with
> the application instance on exit,
I thought I was perfectly clear, but since two people
have managed to misunderstand me in different ways,
obviously I was unclear.
The powerbox user interface pattern is that the
interface is provided by more trusted software, and
grants transient authority to access files to less
trusted software.
A project file means that the user *decides* what goes
into the project. It is a third form of the powerbox
user interface pattern.
Just as one needs trusted software for file selection,
which grants capabilities to less trusted software, one
similarly needs trusted software to manage a project
file, which grants capabilities to less trusted
software: A project file typically consists of a list
of files, and programs to be invoked accessing those
files. The programs to be invoked do not need to be
trusted and do not need, and should not have, durable
capabilities to access those files.
So when the user invokes a project file, what should
happen, to ensure that all software must follow the
behavior that good software should follow, is that a
privileged and trusted program should open the programs
listed in the project file with capabilities to access
the files listed in the project file.
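The following is an added illustration of the launcher described in this post; it is not code from the poster or from any cap-talk project. It assumes a hypothetical project-file format of `file <path>` and `program <name>` lines, and models the less trusted programs as plain Python callables that are handed open file handles (capabilities) rather than paths. The trusted launcher alone parses the project file, opens the listed files, invokes the listed programs with the resulting handles, and revokes every handle when the project closes, so nothing durable survives the session. In Python the "untrusted" callables still have ambient authority (they could call `open()` themselves), so this only shows the shape of the pattern; a real deployment needs OS-level confinement of the invoked programs.

```python
"""Trusted project launcher in the powerbox style (hypothetical example, not the
poster's code). The launcher is the only party that ever sees a path."""
import os
import tempfile


class RevokedCapability(Exception):
    """Raised when untrusted code uses a capability after the project closed."""


class FileCap:
    """A transient file capability wrapping a descriptor the launcher opened.

    The path is deliberately not kept: the holder cannot reopen the file later
    or hand a name to anyone else. Once revoke() runs, the authority is gone.
    """

    def __init__(self, fd: int):
        self._fd = fd

    def _live(self) -> int:
        if self._fd is None:
            raise RevokedCapability("capability revoked")
        return self._fd

    def read(self) -> bytes:
        fd = self._live()
        os.lseek(fd, 0, os.SEEK_SET)
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)

    def append(self, data: bytes) -> None:
        fd = self._live()
        os.lseek(fd, 0, os.SEEK_END)
        os.write(fd, data)

    def revoke(self) -> None:
        if self._fd is not None:
            os.close(self._fd)
            self._fd = None


def parse_project(text: str):
    """Parse the assumed format: 'file <path>' and 'program <name>' lines."""
    files, programs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(" ")
        if kind == "file":
            files.append(value.strip())
        elif kind == "program":
            programs.append(value.strip())
        else:
            raise ValueError(f"unknown project entry: {line!r}")
    return files, programs


# Less trusted "programs": they receive capabilities only, never paths.
def count_bytes(caps):
    return sum(len(c.read()) for c in caps)


def stamp(caps):
    for c in caps:
        c.append(b"[stamped]")
    return len(caps)


PROGRAMS = {"count_bytes": count_bytes, "stamp": stamp}


def run_project(project_text: str, registry=PROGRAMS):
    """Trusted launcher: open the listed files, hand the handles to the listed
    programs in order, and revoke every handle when the project closes."""
    files, programs = parse_project(project_text)
    caps = [FileCap(os.open(path, os.O_RDWR)) for path in files]
    results = []
    try:
        for name in programs:
            results.append((name, registry[name](caps)))
    finally:
        for cap in caps:
            cap.revoke()
    return results, caps


def is_revoked(cap: FileCap) -> bool:
    """True if the capability no longer grants access."""
    try:
        cap.read()
    except RevokedCapability:
        return True
    return False


def demo():
    """Constructed sample: two files in a temp dir and a three-step project."""
    workdir = tempfile.mkdtemp()
    a = os.path.join(workdir, "a.txt")
    b = os.path.join(workdir, "b.txt")
    with open(a, "wb") as fh:
        fh.write(b"hello")
    with open(b, "wb") as fh:
        fh.write(b"world!!")
    project = f"file {a}\nfile {b}\nprogram count_bytes\nprogram stamp\nprogram count_bytes\n"
    return run_project(project)


if __name__ == "__main__":
    results, caps = demo()
    print(results, [is_revoked(c) for c in caps])
```

The second `count_bytes` run sees the bytes `stamp` appended, because the handles are shared for the duration of the session; after `run_project` returns, every handle answers `RevokedCapability`, which is the non-durable authority the post asks for.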