>On Tue, May 08, 2018 at 05:06:19PM +0200, Jeremie Courreges-Anglas wrote:
>> hitch and isync would be the first programs to use this pattern.
>> I'm not sure it makes it easier to *think* about promises made in
>> a program, and I don't see a reason to go down that road.
>drop_promises() was introduced to simplify scenarios such as
>
>       if (a)
>               if (b)
>                       pledge("w")
>               else
>                       pledge("x")
>       else
>               if (b)
>                       pledge("y")
>               else
>                       pledge("z")
>
>Pledge's semantics forbid dropping a single promise while keeping
>everything else. drop_promise() aids in keeping track of pledge mainly
>for programs that weren't designed with privilege separation in mind.
>
>After all it's just a string so why not work with it? It's far away
>from being a dirty hack. And even if it's unusual or new, it gets the
>job done.

You may think it is easier in one respect.

But later, if you look at your last invocation, how do you tell what
pledges remain?

Well, you don't.

By making it very clear what you are dropping, you make it vague *what remains*.

And *what remains* is the meat of the matter, because that's the kernel
featureset the program may play again.
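The point about stating *what remains* can be made concrete. The following is an added example, not code from this thread, from OpenBSD or from the proposed drop_promises(): a small tracker that keeps the currently held promise string as program state, computes the remainder when one promise is removed, and then passes that full remainder to pledge(2), so every call still reads as the complete set of what the program may do afterwards. The kernel only lets a later pledge shrink the set, and the tracker mirrors that with an EPERM refusal before calling into the kernel. The helper names (next_token, promises_subset, promises_without, promise_init, promise_narrow, run_demo) and the promise strings used are assumptions of this example; the real pledge(2) call is made only when compiled on OpenBSD.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>		/* pledge(2) */
#endif

#define PROMISE_MAX 256		/* assumed upper bound for a promise string */

/* Return the length of the next space-separated token in *pp, or 0 at end. */
static size_t
next_token(const char **pp, const char **start)
{
	const char *p = *pp;
	while (*p == ' ')
		p++;
	*start = p;
	while (*p != '\0' && *p != ' ')
		p++;
	*pp = p;
	return (size_t)(p - *start);
}

/* 1 if tok (length n) is a whole word in list, else 0. */
static int
has_token(const char *list, const char *tok, size_t n)
{
	const char *s;
	size_t len;
	while ((len = next_token(&list, &s)) > 0)
		if (len == n && strncmp(s, tok, n) == 0)
			return 1;
	return 0;
}

/* 1 if every promise in want is also in have: the only direction pledge allows. */
int
promises_subset(const char *want, const char *have)
{
	const char *s;
	size_t len;
	while ((len = next_token(&want, &s)) > 0)
		if (!has_token(have, s, len))
			return 0;
	return 1;
}

/* Write into out the promises of have minus drop; -1 if out is too small.
 * This is the arithmetic a drop_promises() helper would do implicitly. */
int
promises_without(const char *have, const char *drop, char *out, size_t outlen)
{
	const char *s;
	size_t len, used = 0, droplen = strlen(drop);
	out[0] = '\0';
	while ((len = next_token(&have, &s)) > 0) {
		if (len == droplen && strncmp(s, drop, len) == 0)
			continue;
		if (used + len + 2 > outlen)
			return -1;
		if (used > 0)
			out[used++] = ' ';
		memcpy(out + used, s, len);
		used += len;
		out[used] = '\0';
	}
	return 0;
}

/* The current promise string is the single source of truth. */
struct promise_state { char cur[PROMISE_MAX]; };

int
promise_init(struct promise_state *st, const char *initial)
{
	snprintf(st->cur, sizeof st->cur, "%s", initial);
#ifdef __OpenBSD__
	return pledge(initial, NULL);
#else
	return 0;			/* no pledge on this platform; track only */
#endif
}

/* Narrow to exactly want. Refuses to widen (EPERM, as the kernel would). */
int
promise_narrow(struct promise_state *st, const char *want)
{
	if (!promises_subset(want, st->cur)) {
		errno = EPERM;
		return -1;
	}
#ifdef __OpenBSD__
	if (pledge(want, NULL) == -1)
		return -1;
#endif
	snprintf(st->cur, sizeof st->cur, "%s", want);
	return 0;
}

/* Walk through a narrowing sequence; 0 on success, step number on failure. */
int
run_demo(void)
{
	struct promise_state st;
	char rest[PROMISE_MAX];

	if (promise_init(&st, "stdio rpath wpath inet") == -1)
		return 1;
	/* "drop rpath": compute the remainder, then state it in full. */
	if (promises_without(st.cur, "rpath", rest, sizeof rest) == -1)
		return 2;
	if (promise_narrow(&st, rest) == -1)
		return 3;
	printf("remaining: %s\n", st.cur);	/* stdio wpath inet */
	/* Getting rpath back must be refused. */
	if (promise_narrow(&st, "stdio rpath") != -1 || errno != EPERM)
		return 4;
	if (promise_narrow(&st, "stdio") == -1)
		return 5;
	printf("remaining: %s\n", st.cur);	/* stdio */
	return 0;
}

int
main(void)
{
	return run_demo();
}
```

Because promise_narrow always receives the whole remaining set, a reader looking at the last call sees exactly what the program can still do, which is the property the reply above argues for; the subtraction in promises_without only exists to build that full string.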
