Argh, when throwing out a quick note just before going to bed it is all too easy to contribute more confusion than clarity.
I wrote: On Sat, Mar 13, 2010 at 9:32 PM, Zooko O'Whielacronx <[email protected]> wrote: > > No! This is a widespread myth. The problem is fundamental to a *sharing* > system. A capability system that makes sharing very hard would not have this > problem, and a non-capability system that makes sharing very easy would have > this problem. You may now be wondering if it is possible to have a capability system that makes sharing very hard. (Or if it is possible to have a non-capability system that makes sharing very easy.) I think wondering too much about that leads to a semantic rathole—when is a capability system not a capability system? (c.f. allmydata.com's user interface) What I should have said is just this: No! This is a widespread myth. The problem is fundamental to a *sharing* system. The system Toby was using offers a very convenient gesture to share write access, which is identical (except for context) with the very convenient gesture to share read access. By the way I have made this exact same mistake three times now (with my blog). We can make it easier to avoid this mistake by making it less convenient to share write access, or by making write-access-sharing and read-access-sharing gestures different, or by making the write-access-sharing-contexts and read-access-sharing-contexts more recognizably different. The first two times that I made this mistake on my blog I then added one of these improvements to my blog software. You can see the current results here: http://testgrid.allmydata.org:3567/uri/URI%3ADIR2%3Alq5unk3sdmwqckzey573b35paa%3Azshb54dvy4jmpdxjlptn6ttm4m7awi7xf7hqtwmvjriy6ryeb7ya/wiki.html (Explore that UI and see how write-access-context and read-access-context differ.) My point is that we have this problem not because we used the capability access control model, but because we made sharing maximally easy in the first version of the user interface, and now we need to figure out how to make sharing less easy, or more context dependent, or something. I do hope that with the new crop of Tahoe-LAFS front-ends, such as Toby's, we will explore the UX design space and find good improvements! Regards, Zooko _______________________________________________ tahoe-dev mailing list [email protected] http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
