[cap-talk] Concerning entry "ambient authority" in Wikipedia
James A. Donald
jamesd at echeque.com
Wed Jun 10 17:12:53 EDT 2009
Marcus Brinkmann wrote:
>> All systems will, for performance reasons already, optimize some capability
>> accesses in hardware or software, to a varying extent, depending on what the
>> designers of these systems consider to be safe. Most will agree on side
>> effect free actions like number calculations, private anonymous memory and
>> global read-only memory. Many will agree on wall time. The designers of Java
>> chose to include global variables. The designers of Mach chose to give every
>> process a capability to itself (mach_proc_self). The designers of Unix chose
>> to include the file system, among other things. But I don't see how the term
>> ocap-model tells us where this line is or should be drawn.
David-Sarah Hopwood wrote:
> This is a matter of common sense. Side-effect-free calculations isolated
> to a single subject are definitely on the safe side of the line; anything
> that permits communication with arbitrary other processes is definitely on
> the unsafe side. That is, the line is pretty clearly defined in practice.
I would say that the criterion is not safety, but communication. A
capability in the programming sense is always a channel issuing commands
to something outside, such as the file system or the windowing system.
A capability in this sense is an authority bearing channel of
communication, such as a file handle or window handle, and the ends of
this channel can be passed around through other capabilities.
A "capability" is an authority bearing channel of communication that can
be passed through other capabilities.
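The following Python sketch is an added illustration and is not part of James A. Donald's post or anything else in the cap-talk thread. It models the distinction the message draws: a global name table that any code can reach (ambient authority, in the style of the Unix file system), versus an unforgeable object that carries authority over one resource (a capability, in the style of a file handle) and a channel capability through which such objects, including the ends of other channels, are passed. The names `AMBIENT_FS`, `read_by_name`, `FileCap`, `Channel` and `confined_worker` are invented for this example, and the in-memory "file system" is constructed data.

```python
"""Toy object-capability model (added example, not from the cap-talk post).

Ambient authority: any code that can spell a path can read it.
Capability: only code that holds a FileCap can read that file, and a
FileCap can be attenuated (read-only) before being handed on.
Channel: a communication capability; FileCaps and other Channels travel
through it, which is how authority moves between subjects.
"""
from __future__ import annotations

from queue import Queue
from typing import Union

# Constructed sample "file system": a global name -> content table.  Because
# it is reachable by name from anywhere, this is ambient authority.
AMBIENT_FS = {"/etc/motd": "hello", "/home/alice/secret": "s3cr3t"}


def read_by_name(path: str) -> str:
    """Ambient authority: access depends only on knowing the name."""
    return AMBIENT_FS[path]


class FileCap:
    """An unforgeable reference carrying authority over exactly one file.

    Holding the object is what confers access; no name lookup is involved,
    so code that was never handed a FileCap cannot reach the file this way.
    """

    def __init__(self, store: dict, path: str, writable: bool = True) -> None:
        self._store = store
        self._path = path
        self._writable = writable

    def read(self) -> str:
        return self._store[self._path]

    def write(self, data: str) -> None:
        if not self._writable:
            raise PermissionError("read-only capability")
        self._store[self._path] = data

    def attenuate_read_only(self) -> "FileCap":
        """Derive a weaker capability to pass to a less-trusted subject."""
        return FileCap(self._store, self._path, writable=False)


Cap = Union["FileCap", "Channel"]


class Channel:
    """A communication capability.

    Anything sent through it, including the end of another Channel, becomes
    authority held by whoever holds the receiving end.
    """

    def __init__(self) -> None:
        self._q: "Queue[Cap]" = Queue()

    def send(self, cap: Cap) -> None:
        self._q.put(cap)

    def receive(self) -> Cap:
        return self._q.get_nowait()


def confined_worker(inbox: Channel) -> str:
    """A subject whose only authority is the channel it was started with.

    It can act only on what arrives over that channel.  If what arrives is
    itself a channel (a delegated channel end), it follows that channel
    until a file capability shows up, then reads through it.
    """
    cap = inbox.receive()
    while isinstance(cap, Channel):
        cap = cap.receive()
    return cap.read()


def can_write(cap: FileCap, data: str) -> bool:
    """True if the capability permits writing; used to show attenuation."""
    try:
        cap.write(data)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    store = dict(AMBIENT_FS)            # private copy; keeps the demo self-contained
    owner = FileCap(store, "/home/alice/secret")
    outer, inner = Channel(), Channel()
    inner.send(owner.attenuate_read_only())
    outer.send(inner)                   # pass one channel's end through another
    print(confined_worker(outer))       # the worker reads via the delegated cap
    print(can_write(owner.attenuate_read_only(), "x"))
```

The worker never names a path; it reads only what it was handed, and a read-only attenuation cannot be upgraded by the holder. By contrast `read_by_name` works from any code that knows the string, which is exactly the kind of access the post places on the "ambient" side of the line.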