At Sat, 29 Apr 2006 21:28:47 -0400,
"Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
>
> On Sat, 2006-04-22 at 20:05 +0200, Marcus Brinkmann wrote:
> > At Sat, 22 Apr 2006 13:57:18 -0400,
> > "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> > > If the server is malicious, the presence of a "notify on drop" bit (or
> > > even a "notify on container destroy" bit) is insufficient to achieve the
> > > robustness that you are looking for.
> >
> > Why do you think so? As far as I know, I have not yet made my case
> > for why I think that it may be sufficient.
>
> The problem is that a malicious server may indefinitely hold a reply
> capability without invocation. It will not drop the capability, and it
> will not die.

This is not the problem I have considered. It is also a problem, but
a slightly different one.

> > There seem to be,
> > admittedly narrow, but still useful (for us), design patterns for
> > which this mechanism is sufficient to successfully argue about
> > invariants of the system.
>
> The pattern you argue for is sufficient to catch *some* forms of error.
> It is not a sufficient defense against malice.

I am perfectly aware of that.

> My observation: any solution that deals with the broader cases of malice
> will subsume the narrower cases of error-catching.

My starting point was not malice, but bugs.

Thanks,
Marcus

_______________________________________________
L4-hurd mailing list
L4-hurd@gnu.org
http://lists.gnu.org/mailman/listinfo/l4-hurd
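The distinction the two of them are drawing (a "notify on drop" bit catches a server that loses its reply capability by mistake, but says nothing about a server that simply keeps holding it) can be made concrete with a small model. The following is an added illustration, not code from the L4-hurd project or from either author; the `ReplyCap`, `Client` and server classes, and the outcome tuples they produce, are all constructed for this example and do not correspond to any real kernel interface.

```python
"""Model of a reply capability carrying a 'notify on drop' bit.

Constructed illustration: ReplyCap, Client, the three server classes and the
outcome tuples are invented here and are not Hurd, L4 or Coyotos interfaces.
"""
from typing import Optional, Tuple

# ("reply", value), ("drop-notice", None), or None while the client is still waiting.
Outcome = Optional[Tuple[str, Optional[int]]]


class ReplyCap:
    """One-shot reply capability handed to a server together with a request.

    The holder may invoke it (deliver the reply) or drop it (release the last
    reference). With notify_on_drop set, dropping an un-invoked cap tells the
    client that no reply will ever come. Holding the cap forever does neither.
    """

    def __init__(self, client: "Client", notify_on_drop: bool) -> None:
        self._client = client
        self._notify_on_drop = notify_on_drop
        self._live = True

    def invoke(self, value: int) -> None:
        if not self._live:
            raise RuntimeError("reply capability already used or dropped")
        self._live = False
        self._client.on_reply(value)

    def drop(self) -> None:
        # Stands in for the kernel observing the last reference go away.
        if not self._live:
            return
        self._live = False
        if self._notify_on_drop:
            self._client.on_drop()


class Client:
    def __init__(self) -> None:
        self.outcome: Outcome = None  # None means still blocked waiting

    def on_reply(self, value: int) -> None:
        self.outcome = ("reply", value)

    def on_drop(self) -> None:
        self.outcome = ("drop-notice", None)

    def call(self, server, request: int, notify_on_drop: bool = True) -> Outcome:
        cap = ReplyCap(self, notify_on_drop)
        server.handle(request, cap)
        # Still None if the server neither replied nor let go of the cap.
        return self.outcome


class CorrectServer:
    def handle(self, request: int, reply: ReplyCap) -> None:
        reply.invoke(request * 2)


class BuggyServer:
    """Takes an error path, forgets to reply, and releases the cap (the bug case)."""

    def handle(self, request: int, reply: ReplyCap) -> None:
        try:
            raise ValueError("unhandled request")  # constructed bug
        except ValueError:
            reply.drop()  # the cap going out of scope on the error path


class MaliciousServer:
    """Keeps the reply cap alive indefinitely and never invokes it (the malice case)."""

    def __init__(self) -> None:
        self.hoard = []

    def handle(self, request: int, reply: ReplyCap) -> None:
        self.hoard.append(reply)  # neither invoked nor dropped


def simulate(server_cls, request: int = 21, notify_on_drop: bool = True) -> Outcome:
    """Run one client call against a fresh server and report what the client saw."""
    return Client().call(server_cls(), request, notify_on_drop)


if __name__ == "__main__":
    for cls in (CorrectServer, BuggyServer, MaliciousServer):
        print(cls.__name__, "->", simulate(cls))
```

With the bit set, the buggy server's lost capability produces a drop notice the client can act on, while the malicious server leaves the client's outcome at `None` indefinitely, which is exactly the gap between error-catching and a defence against malice that the exchange above is about. Clearing the bit collapses the buggy case into the same silent wait.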