> You might consider having a separate "scratch" file system not backed up by > a WORM. Anything transient you put in scratch. Anything precious you put > in the WORMed file system. Yes, we had that on our system the years I was at Murray Hill, and it worked pretty well for large things that we wanted to keep arround indefinitely, but which we didn't want to waste WORM space on, e.g., because they could be recreated if needed (such as 50MB PDF files of someone's product manual, or detailed (voluminous) logs that were collected continuously of which only the newest couple weeks' worth were useful). [To Boyd's comment - this is the difference from the regular cache mechanism. I can keep things in this explicitly un-WORMed region indefinitely. We had some files there for years. The log files we'd reset every year or so.] Such an arrangement is a voluntary mechanism that requires explicit thought by the user. Works pretty well for those who both (a) know what they're doing and (b) are mindful of the WORM dynamics. What I'm after now is a way to deal with users who are less informed and/or less mindful. (Which is to say, normal users. :-) How would I (or anyone) manage a large Plan 9 installation with a large user base? Best scheme I've been able to come up with so far is a two-pronged approach: 1. impose economic accountability for (disk) resource consumption and 2. provide technical constraints (guard rails) to protect the system (and possibly the users themselves) against wayward users I'm hopeful that the new muid capability in 9P2000 & associated fileserver may provide a crucial hook for building both of these into the system. But I don't have a complete picture (yet) of how to do that. Or whether this is the right way to tackle the problem. In general, I don't like systems to second guess the users and try too intrusively to protect them from their own actions. [Hmm - same goes for governments and *their* users . . . but that's a matter for another forum.] So the key issue is probably more a matter of protecting the *system* from the users. Do we need disk quotas? What other options do we have? Freely interacting with large numbers of users while having *no* protection? [The CDC still recommends against that, last I heard.] A "morning-after" command to recover from particularly egregious mistakes - e.g., by removing stuff from the WORM *after* the dumps (since we know it's not *really* a WORM any more)? (Egads. How could we ever live with ourselves again after such a violation of the model?) ??? Paul plus@cosym.net