[e-lang] What is defensive consistency?
zooko at zooko.com
Fri Nov 2 12:11:35 EDT 2007
On Nov 2, 2007, at 1:36 AM, David Wagner wrote:
> In the case of a single object that is intended to be defensively
> consistent, I can think of three kinds of defensive consistency:
> a) Every method call stands on its own.
> b) All method calls to a single instance of the server are assumed to
> come from clients with a common interest. Thus, if the server is ever
> invoked by a caller that fails to establish the documented
> then that server instance is released from all obligations from
> there on.
> (Of course, other instances of the same class are not released from
> their obligations.)
This is the pattern that we are using in the tahoe project.
The contract that a server has with a particular agent is
encapsulated into an object (hosted on the server), and the server
gives that agent a reference to the object. Then the natural scope
of defensive consistency is that object.
Make sense? It feels right to me.
> c) The server object might build some special method of
> authenticating its
This gets into the question of "tracking the bases of the reference
arrows" (i.e., who is the caller), vs. "tracking the pointy ends of
the reference arrows" (i.e., which object). I think there are some
unsolved puzzles in there, but in the main, object-capabilities tend
toward the extreme of "all tracking is tracking of pointy ends and
not bases". See Horton for an example of how that extreme stance
approaches the problems for which other people use the bases of arrows.
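The per-agent contract object described in the message above, sketched as an added example that is not part of the original post and is not Tahoe's code. `StorageServer`, `Bucket`, `ContractVoid` and the append-only write contract are all assumptions made for illustration.

```python
# Added illustration: StorageServer, Bucket and ContractVoid are hypothetical names.
class ContractVoid(Exception):
    """Raised once a caller has broken this instance's documented preconditions."""


class Bucket:
    """One agent's contract with the server, held by that agent as a reference."""

    def __init__(self, size):
        self._size = size
        self._data = bytearray(size)
        self._written = 0
        self._closed = False
        self._void = False  # True once this instance is released from its obligations

    def _require(self, condition, why):
        if self._void:
            raise ContractVoid("instance already released from its obligations")
        if not condition:
            self._void = True  # kind (b): only this instance is released
            raise ContractVoid(why)

    def write(self, offset, chunk):
        # Documented preconditions: bytes, bucket open, contiguous, within allocation.
        self._require(isinstance(chunk, (bytes, bytearray)), "chunk must be bytes")
        self._require(not self._closed, "write after close")
        self._require(offset == self._written, "writes must be contiguous")
        self._require(offset + len(chunk) <= self._size, "write exceeds allocation")
        self._data[offset:offset + len(chunk)] = chunk
        self._written += len(chunk)

    def close(self):
        self._require(self._written == self._size, "close before bucket is full")
        self._closed = True

    def read(self):
        self._require(self._closed, "read before close")
        return bytes(self._data)


class StorageServer:
    def allocate(self, size):
        # No caller identity is recorded: the server tracks the object, not the client.
        return Bucket(size)
```

A misbehaving holder of one `Bucket` voids only that instance; a second `Bucket` from the same server keeps its guarantees, which is the scope of defensive consistency the message describes.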