[e-lang] What is defensive consistency?
zooko
zooko at zooko.com
Fri Nov 2 12:11:35 EDT 2007
On Nov 2, 2007, at 1:36 AM, David Wagner wrote:
> In the case of a single object that is intended to be defensively
> consistent, I can think of three kinds of defensive consistency:
>
> a) Every method call stands on its own.
...
> b) All method calls to a single instance of the server are assumed to
> come from clients with a common interest. Thus, if the server is ever
> invoked by a caller that fails to establish the documented
> preconditions,
> then that server instance is released from all obligations from
> there on.
> (Of course, other instances of the same class are not released from
> their obligations.)
This is the pattern that we are using in the tahoe project [1].
The contract that a server has with a particular agent is
encapsulated into an object (hosted on the server), and the server
gives that agent a reference to the object. Then the natural scope
of defensive consistency is that object.
Make sense? It feels right to me.
> c) The server object might build some special method of
> authenticating its
> clients.
This gets into the question of "tracking the bases of the reference
arrows" (i.e., who is the caller), vs. "tracking the pointy ends of
the reference arrows" (i.e., which object). I think there are some
unsolved puzzles in there, but in the main, object-capabilities tend
toward the extreme of "all tracking is tracking of pointy ends and
not bases". See Horton [2] for an example of how that extreme stance
approaches the problems for which other people use the bases of arrows.
Regards,
Zooko
[1] http://allmydata.org
[2] http://www.erights.org/elib/capability/horton/
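Pattern (b) above, as an added illustration for this thread (it is not Tahoe's code, and the names StorageServer, ClientSession, ContractViolated and ServerFull are assumptions made here): each client gets its own contract object hosted on the server; a failed precondition releases only that object from its obligations, while other clients' objects and the server's own invariants carry on. The example also separates a genuine precondition violation (the client's fault, which poisons the session) from an ordinary resource failure (not the client's fault, which does not).

```python
"""Defensive consistency, pattern (b): one contract object per client.

Added illustration for this thread; not Tahoe's code. All class and
method names here are assumptions made for the example.
"""
from __future__ import annotations


class ContractViolated(Exception):
    """The client broke a documented precondition of its session."""


class ServerFull(Exception):
    """Ordinary failure, not the client's fault: the session stays live."""


class StorageServer:
    """Shared state that every session touches.

    Server-wide invariant: sum of bucket sizes <= capacity. The server
    re-checks this itself rather than trusting any session.
    """

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.allocated = 0
        self.buckets: dict[int, bytearray] = {}
        self._next_id = 0

    def open_session(self, client_name: str) -> ClientSession:
        # The reference handed back is the whole scope of the contract.
        return ClientSession(self, client_name)

    def allocate_bucket(self, size: int) -> int:
        if self.allocated + size > self.capacity:
            raise ServerFull(f"{size} requested, {self.capacity - self.allocated} free")
        bucket_id = self._next_id
        self._next_id += 1
        self.buckets[bucket_id] = bytearray(size)
        self.allocated += size
        return bucket_id


class ClientSession:
    """Per-client contract object hosted on the server."""

    def __init__(self, server: StorageServer, name: str) -> None:
        self._server = server
        self._name = name
        self._released = False
        self._owned: dict[int, int] = {}  # bucket id -> size, this client only

    def released(self) -> bool:
        return self._released

    def _require(self, cond: bool, msg: str) -> None:
        # A failed precondition releases THIS instance from all further
        # obligations; other sessions on the same server are unaffected.
        if not cond:
            self._released = True
            raise ContractViolated(f"{self._name}: {msg}")

    def _live(self) -> None:
        self._require(not self._released, "session released after an earlier violation")

    def allocate(self, size: int) -> int:
        self._live()
        self._require(isinstance(size, int) and size > 0, "size must be a positive int")
        bucket_id = self._server.allocate_bucket(size)  # ServerFull is not a violation
        self._owned[bucket_id] = size
        return bucket_id

    def write(self, bucket_id: int, offset: int, data: bytes) -> int:
        self._live()
        self._require(bucket_id in self._owned, "bucket not owned by this session")
        size = self._owned[bucket_id]
        self._require(0 <= offset and offset + len(data) <= size, "write outside bucket")
        self._server.buckets[bucket_id][offset:offset + len(data)] = data
        return len(data)

    def read(self, bucket_id: int) -> bytes:
        self._live()
        self._require(bucket_id in self._owned, "bucket not owned by this session")
        return bytes(self._server.buckets[bucket_id])


def demo() -> dict:
    """Two clients share one server; one of them misbehaves (constructed scenario)."""
    server = StorageServer(capacity=16)
    alice = server.open_session("alice")
    bob = server.open_session("bob")
    a = alice.allocate(8)
    b = bob.allocate(4)
    bob.write(b, 0, b"bob!")
    try:                                   # alice writes past her bucket
        alice.write(a, 6, b"xxxx")
        first = "no error"
    except ContractViolated as e:
        first = str(e)
    try:                                   # even a well-formed call is now refused
        alice.read(a)
        second = "no error"
    except ContractViolated as e:
        second = str(e)
    try:                                   # resource failure does not poison bob
        bob.allocate(100)
    except ServerFull:
        pass
    return {"alice_released": alice.released(), "first_error": first,
            "second_error": second, "bob_data": bob.read(b),
            "bob_still_live": not bob.released(),
            "bytes_allocated": server.allocated}
```

Run `demo()` to see the two outcomes side by side: alice's session is dead after the out-of-bounds write and stays dead, bob's session still reads back its data and survives an allocation the server cannot satisfy, and the server's total never exceeds its capacity. The precondition checks live in the session object because that object is the unit of contract; the server's own invariant is checked again on the server side so that a released session can never have corrupted shared state.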