On Tue, 2006-04-25 at 13:16 +0200, Marcus Brinkmann wrote:
> In the move-only-and-send-exactly-once model, there is no
> communication possible between A and B if S properly handles the reply
> capabilities. If S does _not_ properly handle the reply capabilities,
> all bets are off anyway. That would just be an exploit of a bug in S,
> not of the system architecture.
Yes. This is true in the "move-only" model also. Whether the capability is "send-at-most-once" is orthogonal.

A caution about "send-exactly-once": there is no such thing. One of the things that we should try to preserve is the possibility of extending capabilities across a network. It is well known that (1) "send-exactly-once" cannot be implemented across a network, and (2) if a watchdog terminates a connection, there is a fundamental race: the server will not know that the session is gone until it tries to reply, which may be after it completes the operation. All of this is true because of network partitions.

*Because* we want to preserve this possibility, I think that this is also the correct baseline architecture for local failures. If we introduce a cancellation mechanism, we must understand that cancellation is best-effort, and not guaranteed.

shap

_______________________________________________
L4-hurd mailing list
http://lists.gnu.org/mailman/listinfo/l4-hurd
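The two claims in the reply above (that "send-exactly-once" is not available over a lossy link, and that a watchdog which revokes a reply capability races with a server that has already committed its side effect) can be made concrete with a small deterministic simulation. The following is an added illustration, not code from the L4-hurd thread or from the Hurd/L4 code base; the `Server`, `ReplyCap`, `send`, `exactly_once_demo` and `watchdog_race` names and the scripted loss patterns are hypothetical.

```python
"""Simulation of why 'send-exactly-once' is not a transport property and of
the watchdog/cancellation race.  Added illustration; all names hypothetical."""

from dataclasses import dataclass, field


@dataclass
class Server:
    """Server S: performs an operation with a side effect, then replies."""
    performed: list = field(default_factory=list)   # side effects actually done
    seen: set = field(default_factory=set)          # request ids already handled

    def handle(self, req_id: str, dedupe: bool) -> str:
        # With dedupe, a repeated request id is answered without redoing the
        # effect.  That is application-level state kept by S, not something
        # the channel provides.
        if dedupe and req_id in self.seen:
            return "already-done"
        self.seen.add(req_id)
        self.performed.append(req_id)
        return "done"


def send(server: Server, req_id: str, losses: list, retries: int, dedupe: bool) -> bool:
    """Client sends req_id over a link with a scripted loss pattern.

    losses[i] is "request", "reply" or None for attempt i (None = delivered).
    Returns True if the client eventually received a reply."""
    for attempt in range(retries + 1):
        lost = losses[attempt] if attempt < len(losses) else None
        if lost == "request":
            continue                     # client observes only a timeout
        server.handle(req_id, dedupe)    # side effect happens here
        if lost == "reply":
            continue                     # client observes the same timeout
        return True
    return False


def exactly_once_demo() -> dict:
    """Three client strategies against one constructed loss pattern: the first
    attempt's reply is lost, the second attempt goes through."""
    pattern = ["reply", None]
    out = {}
    s = Server()                         # no retry: effect done, reply lost
    out["no_retry"] = (send(s, "op-1", pattern, 0, False), len(s.performed))
    s = Server()                         # blind retry: at-least-once
    out["retry"] = (send(s, "op-1", pattern, 1, False), len(s.performed))
    s = Server()                         # retry + server-side dedupe
    out["retry_dedupe"] = (send(s, "op-1", pattern, 1, True), len(s.performed))
    return out


@dataclass
class ReplyCap:
    """Reply capability handed to S; a watchdog may revoke it at any time."""
    revoked: bool = False

    def reply(self, value):
        if self.revoked:
            raise ConnectionError("reply capability revoked before S replied")
        return value


def watchdog_race(op_duration: int, watchdog_timeout: int) -> dict:
    """S runs an operation for op_duration ticks; the watchdog revokes the reply
    capability at tick watchdog_timeout.  S learns of the revocation only when
    it tries to reply, i.e. after its side effect is already committed."""
    cap, server = ReplyCap(), Server()
    for t in range(1, op_duration + 1):
        if t == watchdog_timeout:
            cap.revoked = True           # watchdog fires; S cannot observe it
    server.handle("op-w", dedupe=False)  # side effect committed
    try:
        cap.reply("ok")
        delivered = True
    except ConnectionError:
        delivered = False
    return {"effect_done": len(server.performed) == 1, "reply_delivered": delivered}


if __name__ == "__main__":
    print(exactly_once_demo())
    print(watchdog_race(op_duration=5, watchdog_timeout=3))
```

Running it shows the three outcomes the reply distinguishes: with no retry the effect happened but the client never learns it; with a blind retry the effect happens twice; only with state kept by S (request-id deduplication) does the effect happen once while the client still gets its reply, and that guarantee comes from S, not from the capability or the channel. The `watchdog_race` call shows the cancellation race: the watchdog revokes the reply capability at tick 3, the server finishes at tick 5 with its effect committed, and the revocation only surfaces at reply time, which is why cancellation can only be best-effort.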
