At Sat, 22 Apr 2006 13:57:18 -0400, "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> If the server is malicious, the presence of a "notify on drop" bit (or
> even a "notify on container destroy" bit) is insufficient to achieve the
> robustness that you are looking for.

Why do you think so? As far as I know, I have not yet made my case for why I think that it may be sufficient. There seem to be, admittedly narrow, but still useful (for us), design patterns for which this mechanism is sufficient to successfully argue about invariants of the system.

> Since the feature you are requesting is "best effort", it definitely
> does NOT permit you to reason about the cases you mention. The only
> effective way to manage these issues is with watchdogs. Watchdogs are
> unfortunate for other reasons, but at least they do not perturb the rest
> of the architecture.

Can you elaborate on what watchdogs do? In particular, how they differ from timeout-based solutions.

Thanks,
Marcus

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
