[cap-talk] More Heresy: ACLs not inherently bad

Jonathan S. Shapiro shap at eros-os.com
Sun Sep 14 14:26:57 CDT 2008


On Sat, 2008-09-13 at 10:01 -0700, Jed Donnelley wrote:
> 1.  My heart really wasn't much in it - partly because I know
> that Horton can achieve all the ACL value that you seek (though
> of course you may disagree) and

I don't necessarily disagree. I just don't care. I'm looking at a
retrofitting problem, and a ground-up design that would support Horton
just isn't on the table as an option.

> 2.  Partly because I agree with MarcS, AlanK, and others that
> the capability approach (sans Horton) is a cleaner solution.

Probably true, but once again irrelevant to my objectives.

> "...they modify the structure of the graph itself. It is
> required that the parties be able to have different access
> rights on different subgraphs."
> 
> The above can be done with Horton, but I wonder if it
> might help for you to explain why 'they' need to have
> a shared name graph.  Perhaps if I (or we) could
> understand this in more detail somebody (e.g. me)
> could pick up this fallen banner and charge forward.

I suspect that there was a foundational confusion on this point. I was
not proposing that the entire system name graph needs to be shared. It
clearly does not.

I was proposing that there exist mutable data structures having internal
pointer relationships in which the pointer organization is part of the
data structure. That is so blindingly obvious that it shouldn't require
explanation. The problems with maintaining consistency of such structures
in the presence of replication are also blindingly obvious, and have
been repeatedly confirmed by practical implementation. Finally, we have
long since agreed that no feasible design exists for a transitively
extended horton-style membrane in an OS-based capability system.



shap
