On Thursday, 3 October 2013 at 22:38:18 UTC, Walter Bright wrote:
On 10/3/2013 2:15 PM, nazriel wrote:
A music player (as an example) does not kill people if it fails.
Aborting the whole music player just because a visualisation plugin had an access
violation is pointless.

How does the music player know the fault is in the plugin and it could be safely continued?


Because a music player can ALWAYS safely continue. Worst case scenario, it behaves erratically and is killed by the user.

Car firmware kills people if it behaves erratically. The right choice is to kill it if anything looks wrong.

A media player won't kill anyone.

A properly designed system with user-supplied plugins that needed to recover from plugin failure would put those plugins in a separate process space, so when they crash they cannot affect the rest of the system. Any other scheme is just a bad design, although it may be convenient from a developer cost standpoint to write it that way.


Yes. Everything is a cost-benefit tradeoff. The cost of developing a sandboxing solution is way higher than doing some recovery that will fail in 1% of the cases in a way that won't kill anyone.

And unless Phobos gets a sandboxing solution built in, the argument will stand.
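The design Walter describes above (plugins in a separate process space, so a crash in one cannot corrupt the host) can be demonstrated without a full sandboxing framework. The following is an added example written for this thread, not code from the mailing list or from Phobos; it uses Python's standard `multiprocessing` module and two hypothetical plugins, `visualiser_plugin` and `crashing_plugin`, constructed here to show a well-behaved plugin and one that dies from a fatal signal (standing in for an access violation). The host keeps only a pipe to the child, so a plugin crash is observed as a non-zero exit status rather than as corruption of the host's own memory.

```python
"""Host that runs each plugin in its own process, so a plugin crash cannot
take down the host.  Added example; plugin names are hypothetical."""
import multiprocessing as mp
import os


def visualiser_plugin(conn, samples):
    # Hypothetical well-behaved plugin: report the peak amplitude it saw.
    conn.send(max(abs(s) for s in samples))
    conn.close()


def crashing_plugin(conn, samples):
    # Hypothetical faulty plugin: os.abort() raises SIGABRT, which kills the
    # child process the same way an unhandled access violation would.
    os.abort()


def run_plugin_isolated(plugin, samples, timeout=5.0):
    """Run `plugin` in a child process.

    Returns ("ok", value) when the plugin sent a result and exited cleanly,
    ("crashed", exitcode) when the child died or exited non-zero, and
    ("timeout", None) when it hung and had to be killed.  The host process
    itself never shares memory with the plugin, so none of these outcomes
    can corrupt host state.
    """
    ctx = mp.get_context()
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=plugin, args=(send_end, samples))
    proc.start()
    # Close the parent's copy of the write end: once the child exits, the
    # pipe reports EOF instead of blocking the host forever.
    send_end.close()

    result = None
    if recv_end.poll(timeout):
        try:
            result = recv_end.recv()
        except EOFError:
            # Child closed the pipe (or died) without sending anything.
            result = None

    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return ("timeout", None)
    if proc.exitcode != 0:
        # Negative exit codes are the signal number that killed the child.
        return ("crashed", proc.exitcode)
    return ("ok", result)


def play_with_plugins(plugins, samples):
    """Run every plugin in turn and collect outcomes.  Because each plugin
    is isolated, a crash in one does not prevent the next from running,
    and the host returns normally with the full list of outcomes."""
    return [(p.__name__, run_plugin_isolated(p, samples)) for p in plugins]


if __name__ == "__main__":
    # Constructed sample input: a handful of audio samples.
    outcomes = play_with_plugins([crashing_plugin, visualiser_plugin], [1, -7, 3])
    for name, outcome in outcomes:
        print(f"{name}: {outcome}")
```

The host pays one process and one pipe per plugin; that is the cost being weighed in the thread against an in-process "catch and carry on" recovery, and it buys the guarantee that a plugin fault is reported as an exit status instead of silently damaging the host's heap.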
