At Sat, 22 Apr 2006 10:22:25 -0400,
"Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> > Moreover, your semantics
> > (issuing notifications on destruction only, not on overwrite), break
> > down completely if the callee is malicious (for example because it has
> > been compromised).
>
> Marcus: have some more beer. You are not thinking clearly.
>
> ANY time that a client sends to a hostile recipient, the client cannot
> rely on ANYTHING. It cannot rely on getting a correct answer. It cannot
> rely on getting a well-formed answer. In fact, it cannot rely on getting
> an answer at all!
>
> The only solution to this is that clients must not rely on unreliable
> code for anything at all. This is axiomatic.
Neal can confirm that I predicted a couple of days ago that you would give
this answer. But it is you who is not thinking clearly: I have not said
that the client should rely on unreliable code for anything. I have said
that the client should rely on the kernel to send a notification when the
reply capability is dropped.

I also claim that such a guarantee allows me to state invariants of the
system that allow me to reason about the ability to recover from bugs or
hostile behaviour in some use cases.

I don't have time to continue this discussion formally.

Thanks,
Marcus

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
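An added illustration, not part of this thread and not L4 or Hurd code: a small Python model of the guarantee Marcus's reply describes. Only the kernel keeps the reference count of a reply capability, and the kernel alone delivers a notification to the client when the last reference is dropped, so the client trusts nothing the callee says but can still reason about the request's state. The model assumes that replying through a reply capability consumes (revokes) it; every class and method name (Kernel, Task, Client, the four server classes, run) is hypothetical. It sends one request to each of four callees (honest, compromised with a malformed reply, crashing, hostile holder that copies the capability and never answers) and checks the invariant that a request is pending exactly while its reply capability is live in the kernel.

```python
# Constructed model, not Hurd/L4 code.  Assumed: only the kernel holds the
# reference count of a reply capability, and replying through it revokes it.
# Every class and method name here is hypothetical.
PENDING, ANSWERED, FAILED, DROPPED = "pending", "answered", "failed", "dropped"

class Kernel:
    """Trusted: the only party that mints, copies, drops or revokes caps."""
    def __init__(self):
        self.refs = {}     # cap -> live reference count
        self.owner = {}    # cap -> client notified when the count hits zero
        self.next_cap = 1

    def mint_reply_cap(self, owner):
        cap, self.next_cap = self.next_cap, self.next_cap + 1
        self.refs[cap], self.owner[cap] = 1, owner
        return cap

    def copy(self, cap):
        self.refs[cap] += 1

    def is_live(self, cap):
        return cap in self.refs

    def drop(self, cap):
        # Release one reference; on the last one the kernel itself notifies
        # the owner, so no holder of the cap can suppress or forge that.
        if cap not in self.refs:          # already revoked by a reply
            return
        self.refs[cap] -= 1
        if self.refs[cap] == 0:
            del self.refs[cap]
            self.owner.pop(cap).on_dropped(cap)

    def reply(self, cap, msg):
        # Deliver msg and revoke the cap: a reply cap is single-use here.
        del self.refs[cap]
        self.owner.pop(cap).on_reply(cap, msg)

class Task:
    def __init__(self, kernel):
        self.k, self.caps = kernel, []    # caps: references held; copies count

    def destroy(self):
        # Crash or kill: the kernel reclaims every reference the task held.
        while self.caps:
            self.k.drop(self.caps.pop())

class Client(Task):
    def __init__(self, kernel):
        super().__init__(kernel)
        self.requests = {}                # cap -> state

    def call(self, server, request):
        cap = self.k.mint_reply_cap(self)
        self.requests[cap] = PENDING
        server.caps.append(cap)           # the callee now holds our reply cap
        server.handle(request, cap)
        return cap

    def on_reply(self, cap, msg):
        # The answer comes from untrusted code: validate its shape first.
        ok = (isinstance(msg, dict) and msg.get("status") == "ok"
              and isinstance(msg.get("data"), bytes))
        self.requests[cap] = ANSWERED if ok else FAILED

    def on_dropped(self, cap):
        # Kernel-originated: whatever was reserved for this request can go.
        if self.requests[cap] == PENDING:
            self.requests[cap] = DROPPED

    def invariant_holds(self):
        """A request is pending exactly while its reply cap is live."""
        return all((state == PENDING) == self.k.is_live(cap)
                   for cap, state in self.requests.items())

class HonestServer(Task):
    def handle(self, request, cap):
        self.caps.remove(cap)
        self.k.reply(cap, {"status": "ok", "data": request.upper()})

class MalformedServer(Task):            # compromised: answers with garbage
    def handle(self, request, cap):
        self.caps.remove(cap)
        self.k.reply(cap, b"\xff\xfe not a reply")

class CrashingServer(Task):             # dies mid-request
    def handle(self, request, cap):
        self.destroy()

class HoardingServer(Task):             # hostile: copies the cap, never answers
    def handle(self, request, cap):
        self.k.copy(cap)
        self.caps.append(cap)

def run(server_cls, kill_after=False):
    """One constructed request against server_cls; returns its final state."""
    k = Kernel()
    client, server = Client(k), server_cls(k)
    cap = client.call(server, b"ping")
    if kill_after:
        server.destroy()                  # e.g. an administrator kills the task
    assert client.invariant_holds()
    return client.requests[cap]
```

Calling run(HonestServer), run(MalformedServer) and run(CrashingServer) yields "answered", "failed" and "dropped": in all three the client ends in a definite state without believing anything the callee said. run(HoardingServer) stays "pending", since no notification can arrive while a hostile callee keeps a reference; only once the kernel reclaims that reference (run(HoardingServer, kill_after=True)) does the request become "dropped". That gap is why the guarantee supports recovery in some use cases rather than all of them.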
