[cap-talk] Reducing the authority of a file browser in a capability OS.

Rob Meijer capibara at xs4all.nl
Tue Dec 22 20:56:23 PST 2009


On Wed, December 23, 2009 00:03, David-Sarah Hopwood wrote:
> Rob Meijer wrote:
>> If the system has some way to
>> restart the instance that created the file (a pseudo persistent
>> process),
>> then this instance would have persistent access to the files it created.
>
> Why should it? If we're just talking about document files, then that's
> excess authority.

The alternative seems to be placing the unattenuated file into the global
namespace prematurely without the user's explicit request to do so,
cluttering up the namespace that this user needs to administer.

In my view the 'least' authority is when the authority resides with the
creator pseudo persistent process until the user 'explicitly' asks for a
(revocable, optionally attenuated) cap to delegate to another process.
In contrast, forcing the user to 'prematurely' put the file into a global
namespace just for the sake of making the powerbox all-powerful seems to
me to be what constitutes excess. For me the ideal user interface would
allow me to ask one pseudo persistent process for an icon representing a
revocable capability that could then be drag-dropped to a second process
OR pseudo persistent process without the intervention of a file chooser
type powerbox at each end forcing the user to use and clutter this global
namespace that the powerbox is made responsible for.

In cases like this, the powerbox appears to be the singleton of file
system access. At first glance it seems to be much better than the regular
global mutable state single namespace solution, but looking at it closely
makes you come to the conclusion that we are still in fact using that one
big nasty globally shared namespace that is only superficially hidden from
view.

Just as in OO programming private data constitutes less authority than
data maintained ever so carefully by a singleton, so does a file that is
private to the pseudo persistent process that created it constitute less
authority than a file that is maintained ever so carefully by a powerbox.

Rob
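The delegation Rob describes, as an added example that is not part of the original post or of any capability OS: the creator process keeps the unattenuated file capability privately, and a second process receives only a revocable forwarder (the caretaker pattern) that has optionally been attenuated to read-only first, so the file never has to enter a shared namespace. All class and function names, and the sample document content, are assumptions made up for this illustration.

```python
class Revoked(Exception):
    """Raised on any use of a forwarder after its delegator revoked it."""


class FileCap:
    """Unattenuated authority over one document, held privately by the
    process that created it. The constructed content stands in for a file."""

    def __init__(self, content=""):
        self._content = content

    def read(self):
        return self._content

    def write(self, content):
        self._content = content


class ReadOnlyCap:
    """Attenuation: a facet of a FileCap that forwards read() only.
    There is no write() at all, so the holder cannot even ask for it."""

    def __init__(self, target):
        self._target = target

    def read(self):
        return self._target.read()


def make_revocable(target):
    """Caretaker pattern: return (forwarder, revoke).

    The forwarder is what gets delegated (the 'icon' the user drags to the
    other process); revoke stays with the delegator and is reachable from
    nothing the delegate holds. After revoke(), every call fails."""
    cell = [target]

    class Forwarder:
        def __getattr__(self, name):
            if cell[0] is None:
                raise Revoked("capability revoked by its delegator")
            return getattr(cell[0], name)

    def revoke():
        cell[0] = None

    return Forwarder(), revoke


def demo():
    """Creator holds the file; a viewer gets a revocable read-only forwarder.
    Returns the observations so they can be checked."""
    doc = FileCap("draft v1")                        # private to the creator
    viewer_cap, revoke = make_revocable(ReadOnlyCap(doc))
    results = {}

    results["viewer_reads"] = viewer_cap.read()      # 'draft v1'

    # Attenuated: the facet has no write(), so the lookup itself fails.
    try:
        viewer_cap.write("tampered")
    except AttributeError:
        results["viewer_write_blocked"] = True

    # The delegate never received a revoke() handle.
    results["forwarder_has_no_revoke"] = not hasattr(viewer_cap, "revoke")

    doc.write("draft v2")                            # creator keeps full authority
    results["viewer_sees_update"] = viewer_cap.read()  # 'draft v2'

    revoke()                                         # user withdraws the delegation
    try:
        viewer_cap.read()
    except Revoked:
        results["viewer_after_revoke"] = "revoked"

    results["creator_after_revoke"] = doc.read()     # 'draft v2', unaffected
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Nothing in this model needs a global table of files: the creator's `FileCap` reference is the only route to the document, each delegation is a separate caretaker that can be revoked independently, and attenuation is done by handing out a facet that simply lacks the methods the recipient should not have, rather than by checking a permission bit in a shared powerbox.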
