Re: [9fans] one reason ideas from Plan 9 didn't catch on

[presotto@closedmind.org]

[-- Attachment #1: Type: text/plain, Size: 974 bytes --]

I tried twice with XOS and Demos/MP.  XOS was a traditional capability system,
Demos a less traditional and more usable one.  XOS was mine, Demos/MP from
Los Alamos/Stanford.  Demos is described in an old SOSP (in the 70's),
XOS in a OSR in the 80's.  We had the usual problem with persistence;
garbage collecting the capabilities, revoking old capabilities, building
tools to walk the arbitrary graphs that resulted and make some sense of
them, ...  Even something like tar turned into a major pain in the backside
to build.  When you gave someone a capability, you had to do a transitive
closure of the access of that capability to figure out what you were giving
away or restrict the capability to be intransitive.  The result was
a lot more copying.

On the positive side, access control was nicer.  Unfortunately, that was the
only plus.

I keep believing that capabilities are a good idea but the concept requires
someone better than me to implement.

[-- Attachment #2: Type: message/rfc822, Size: 2626 bytes --]

From: Eyal Lotem <eyal@hyperroll.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] one reason ideas from Plan 9 didn't catch on
Date: Wed, 14 Nov 2001 09:52:54 GMT
Message-ID: <3bf1a2de@news.bezeqint.net>

anothy@cosym.net wrote:

> no, not at all. i was talking strictly from the point of view of trying to
> explain the systems to someone. the per-process namespaces are where
> most people get stuck in their understanding.

Per-process namespaces are very much like per-process capability pools, but
allow processes to express requests they are not authorized to, as well as
requiring a clumsy namespace-access interface.  What advantages do you find
to this, over pure capability systems?  With capabilities, your requests
are in terms of the capabilities you have (aka: Directly in terms of your
authority), without having to 'name' them in a namespace.

In other words, if you go through to process-grained security, with the
more correct approach to security of visibility, and the terms of the
requests themselves, why not go all the way, with pure capability systems?
Getting rid of traditional file systems has other big pluses.

I personally think that if Plan 9 implemented a pure capability system, and
orthogonal persistency as early as it implemented its design, it could have
caught on, and be a lot more secure/efficient.