[cap-talk] More Heresy: ACLs not inherently bad

Mark Seaborn mrs at mythic-beasts.com
Thu Sep 18 15:46:13 CDT 2008


"Jonathan S. Shapiro" <shap at eros-os.com> wrote:

> On Thu, 2008-09-18 at 20:38 +0100, Mark Seaborn wrote:
> > If you mean that today's decentralised SCMs don't treat files and
> > directories as mutable objects to be access-controlled, I entirely
> > agree with you.  I think that is a good feature.  Treating files and
> > directories as mutable objects with their own internal history is a
> > characteristic of centralised SCMs; I much prefer the model of
> > decentralised SCMs.  With DSCMs, it is branches that are subject to
> > access control.
> 
> What SCM model you prefer, and whether or not I share your preference,
> isn't really pertinent to the concrete problem instantiation I set
> forth, which corresponded to what you describe above as a centralised
> SCM implementing access controls.
> 
> I'm not disagreeing with your opinion here, but asserting that
> requirements not to your liking do not need to be addressed is not a
> satisfactory response.

I was not asserting that the requirements were not to my liking.

As far as I can tell, the 6 requirements you listed on
http://www.eros-os.org/pipermail/cap-talk/2008-September/011633.html
are satisfied by the DSCM gatekeeper I suggested.

It makes no difference whether you use a centralised SCM or a
decentralised SCM for the purpose of these requirements.

You don't need ACLs *or* capabilities to satisfy your requirements.
You never need to treat versioned files and directories as objects.
All you need is for your centralised SCM repository to check filenames
in changesets.

What I was taking issue with was your statement that "today's SCMs
aren't at all easy to implement credibly on pure capability systems",
which I still don't understand.

Mark
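
The filename check described in the message above, sketched as an added example; it is not code from the original post or from any SCM named in the thread. The policy table, the changeset layout and the function names are hypothetical, and the pusher is assumed to have been authenticated by the repository's transport.

```python
import posixpath

# Constructed policy (assumption): path prefixes each authenticated pusher may modify.
POLICY = {
    "alice": ["docs/", "src/parser/"],
    "bob": ["src/"],
}

def normalise(path):
    """Return a canonical repo-relative path, or None if it could escape the repository."""
    if not path or path.startswith("/") or "\\" in path or "\0" in path:
        return None
    clean = posixpath.normpath(path)
    if clean in (".", "..") or clean.startswith("../"):
        return None
    return clean

def allowed(user, path):
    """True if the normalised path lies under one of the user's prefixes."""
    clean = normalise(path)
    if clean is None:
        return False
    for prefix in POLICY.get(user, []):
        root = prefix.rstrip("/")
        # Match on component boundaries so "src" does not also cover "src-secret/".
        if clean == root or clean.startswith(root + "/"):
            return True
    return False

def touched_paths(changeset):
    """Yield every filename a changeset names; a rename touches both ends."""
    for change in changeset["changes"]:
        yield change["path"]
        if change.get("op") == "rename":
            yield change["new_path"]

def rejected_paths(changeset):
    """Paths the pusher may not modify; an empty list means the gatekeeper accepts."""
    # Use the authenticated pusher, never the self-declared commit author field.
    user = changeset["pusher"]
    return [p for p in touched_paths(changeset) if not allowed(user, p)]

# Constructed sample changeset (not taken from the thread).
SAMPLE = {"pusher": "alice", "changes": [
    {"op": "modify", "path": "docs/intro.txt"},
    {"op": "rename", "path": "docs/old.txt", "new_path": "src/lexer/old.txt"},
    {"op": "modify", "path": "docs/../src/main.c"},
]}

if __name__ == "__main__":
    print(rejected_paths(SAMPLE))
```

The check works purely on the filenames in the changeset, so it applies equally to a centralised repository and to a gatekeeper in front of a DSCM branch.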

