Gary, Yioryos,

Here are a couple of thoughts for you on isolation issues. (I have thoughts on the Journal issues too but I'll save them for another occasion.)

>> Step 3 is to introduce marks (hyperlinks?) in Read and Write where hovering over you get the tag opened to tell you what it is about, and clicking transposes you to the relevant book/app-mark
>
> As noted already this would seem to break Sugar's security model, activities need to be sand-boxed from each other, one activity is not allowed to resume another. Yea, back to Journal, again! ;)

Let's think about this a bit more deeply. As I see it:

The key idea that Bitfrost offers is that system software needs to make it easy for the authors of benign apps to protect human interests. (A number of useful features are then proposed toward this end.)

The key idea that Rainbow offers is that accounts are a good device for isolating processes.

Within this problem domain, the key idea of Sugar is that people engage in fairly discrete sessions of activity which may be started, stopped, resumed, and isolated from one another. Significant isolation is possible because data rarely needs to move from one session to another and, when it does, the motion may be orchestrated through a supervisor.

Note, however, that the idea is that it doesn't matter much what actual processes run within a given session or whether there are many windows or one, many documents or none, many hosts contacted or none, etc. Indeed, we shouldn't worry so much about whether Browse invokes Read in order to render a downloaded PDF or whether Chat invokes Browse when the human operator clicks on a hyperlink -- Browse already had complete control over the contents and distribution of the PDF and Chat already had complete control over the text of the URI that Browse will see.

Instead, what does matter is the ability to control what happens *when* Browse or Chat or Read becomes circumstantially malicious. What matters then is the ability of the human operator and the system supporting them to manage the mappings of I/O resources to sessions -- that is, crudely, of the "start new" vs. "resume" problem.
:)

Thoughts?

Regards,

Michael
