[e-lang] What is defensive consistency?

zooko zooko at zooko.com
Fri Nov 2 12:11:35 EDT 2007

On Nov 2, 2007, at 1:36 AM, David Wagner wrote:

> In the case of a single object that is intended to be defensively
> consistent, I can think of three kinds of defensive consistency:
> a) Every method call stands on its own.
> b) All method calls to a single instance of the server are assumed to
> come from clients with a common interest.  Thus, if the server is ever
> invoked by a caller that fails to establish the documented  
> preconditions,
> then that server instance is released from all obligations from  
> there on.
> (Of course, other instances of the same class are not released from
> their obligations.)

This is the pattern that we are using in the tahoe project [1].

The contract that a server has with a particular agent is  
encapsulated into an object (hosted on the server), and the server  
gives that agent a reference to the object.  Then the natural scope  
of defensive consistency is that object.

Make sense?  It feels right to me.

> c) The server object might build some special method of  
> authenticating its
> clients.

This gets into the question of "tracking the bases of the reference  
arrows" (i.e., who is the caller), vs. "tracking the pointy ends of  
the reference arrows" (i.e., which object).  I think there are some  
unsolved puzzles in there, but in the main, object-capabilities tend  
toward the extreme of  "all tracking is tracking of pointy ends and  
not bases".  See Horton [2] for an example of how that extreme stance  
approaches the problems fo which other people use the bases of arrows.



[1] http://allmydata.org
[2] http://www.erights.org/elib/capability/horton/

More information about the e-lang mailing list