[cap-talk] Concerning entry "ambient authority" in Wikipedia

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Jun 10 11:47:19 EDT 2009


Marcus Brinkmann wrote:
> All systems will, for performance reasons already, optimize some capability
> accesses in hardware or software, to a varying extent, depending on what the
> designers of these systems consider to be safe.  Most will agree on side
> effect free actions like number calculations, private anonymous memory and
> global read-only memory.  Many will agree on wall time.  The designers of Java
> chose to include global variables.  The designers of Mach chose to give every
> process a capability to itself (mach_proc_self). The designers of Unix chose
> to include the file system, among other things.  But I don't see how the term
> ocap-model tells us where this line is or should be drawn.

This is a matter of common sense. Side-effect-free calculations isolated
to a single subject are definitely on the safe side of the line; anything
that permits communication with arbitrary other processes is definitely on
the unsafe side. That is, the line is pretty clearly defined in practice.

The designers of Java did not choose to allow global variables as 'safe'
authority within a capability system. They allowed global variables because
they were not trying to build a capability system.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
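An added illustration of the distinction being argued over in this thread (not code from either poster): a Python sketch that puts Unix-style ambient authority, where any code can name any path, beside a component whose only file authority is a directory capability it was explicitly handed. `DirCap`, `ambient_read`, `confined_component` and `demo` are names invented for this example, and the scratch files it reads are constructed in a temporary directory.

```python
import os
import tempfile


class DirCap:
    """A capability for one directory: the only way confined code reads files."""

    def __init__(self, root: str):
        self._root = os.path.realpath(root)

    def read(self, name: str) -> str:
        # Reject any name that would designate a file outside the granted root.
        target = os.path.realpath(os.path.join(self._root, name))
        if os.path.commonpath([self._root, target]) != self._root:
            raise PermissionError(f"{name!r} is outside the granted directory")
        with open(target) as f:
            return f.read()


def ambient_read(path: str) -> str:
    """Ambient authority: the global file system is reachable from any code."""
    with open(path) as f:
        return f.read()


def confined_component(cap: DirCap, name: str) -> str:
    """Capability discipline: this code's only file authority is `cap`."""
    return cap.read(name)


def demo() -> dict:
    """Build a constructed scratch tree and exercise both styles."""
    base = tempfile.mkdtemp()
    granted = os.path.join(base, "granted")
    os.mkdir(granted)
    with open(os.path.join(granted, "public.txt"), "w") as f:
        f.write("ok")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("secret")
    cap = DirCap(granted)
    result = {"inside": confined_component(cap, "public.txt")}
    try:
        confined_component(cap, "../secret.txt")
        result["escape"] = "allowed"
    except PermissionError:
        result["escape"] = "denied"
    # No capability is needed here: naming the global path is enough.
    result["ambient"] = ambient_read(os.path.join(base, "secret.txt"))
    return result
```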
