[EROS-Arch] Package handling...

Jonathan S. Shapiro shap@cs.jhu.edu
Wed, 28 Mar 2001 08:42:30 -0500


Joerg Bornschein wrote:
> 
> There may be solutions to these other problems that I am unaware of.
> 
> I think the most important unsolved(?) problem is that constructors don't
> know whether there are instances running or not....

There is a large, dangerous snark here.

Forget about the security implications for a moment. Consider first the
implications of warranty.

If I build a program that relies on a component, I have tested my
program against a particular version of that component. The updated
component may be better, but it may or may not have been tested under
the same assumptions as my program, and it may or may not *work* in my
program. Therefore, the component must not be updated in the context of
my program until my program agrees to the update.

This means that update must be performed on a "pull" rather than a
"push" model. My application must somehow be notified that an update is
available, and must then decide whether to accept it or not.

Update is an option that wants to remain open. You may ship an update.
The application vendor may later test it and say "okay, that update is
okay for my app". The app vendor may then ship an app patch that says
the update is okay, after which the app may consent to the update.

However, forcible update is not the right thing.


Jonathan
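
The pull model argued for in this message can be sketched as a small state model. This is an added illustration, not part of the original message and not EROS code; `ComponentStore`, `App`, `apply_app_patch` and the version strings are hypothetical names, and versions are assumed to be ordered by publication.

```python
# Added illustration of "pull" update with application consent.
# All class, method and version names are hypothetical.

class ComponentStore:
    """Component vendor side: ships versions and notifies, never rebinds a client."""
    def __init__(self, name, version):
        self.name = name
        self.versions = [version]
        self.subscribers = []

    def publish(self, version):
        self.versions.append(version)
        for app in self.subscribers:
            app.notify(version)          # notification only, no forced rebinding


class App:
    """Application side: stays bound to the version it was tested against."""
    def __init__(self, store):
        self.store = store
        self.bound = store.versions[-1]  # version in use
        self.approved = {self.bound}     # versions the app vendor has tested
        self.offers = []                 # announced updates, kept open until taken
        store.subscribers.append(self)

    def notify(self, version):
        self.offers.append(version)

    def apply_app_patch(self, version):
        """The app vendor's patch saying `version` is okay for this app."""
        self.approved.add(version)

    def pull_updates(self):
        """Consent step: take the newest offered version that has been approved."""
        ok = [i for i, v in enumerate(self.offers) if v in self.approved]
        if not ok:
            return False                 # nothing approved; binding is unchanged
        newest = ok[-1]
        self.bound = self.offers[newest]
        self.offers = self.offers[newest + 1:]   # later offers remain open
        return True
```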