l4-hurd

Re: Fwd: Re: The Perils of Pluggability


From: Jonathan S. Shapiro
Subject: Re: Fwd: Re: The Perils of Pluggability
Date: Mon, 10 Oct 2005 15:32:40 -0400

On Mon, 2005-10-10 at 21:24 +0200, ness wrote:
> > Hello,
> > 
> > On Sun, Oct 09, 2005 at 01:23:29PM -0400, Jonathan S. Shapiro wrote:
> > 
> >>On Sun, 2005-10-09 at 10:14 +0200, ness wrote:
> >>
> >>>I guess one of the design goals of the Hurd is to NOT depend on the
> >>>implementation of a server. As far as I know, we don't want to ask "is
> >>>the implementation of this server trustable?" but ask "is the source
> >>>where I got this cap trustable?". We want to allow the user to replace
> >>>system components. To e.g. run a new task that uses a different proc
> >>>server. So the user says that to its shell and the shell gives the
> >>>right cap to the newly created task. But marcus identified sth. like
> >>>your "identify" operation as necessary, AFAIK.
> 
> You mix up two things here (or me). Identify (or
> cmp/map_lookup/whatever) says whether the cap a client passed to a
> server was mapped by the server (in kernel-based caps). See
> http://os.inf.tu-dresden.de/pipermail/l4-hackers/2005/002140.html.

Ah. We are talking about two different identify operations. In EROS, the
identify operation tells you whether the service *named* by a capability
is the service you think it is.

In particular, if I hold a capability to the constructor for service X,
and you pass me a capability to service X, I can ask the constructor if
the capability names a process that it created.

I can see that we will need to be explicit about which identify
operation we mean in the future. Thanks for making this clear.


shap
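
A toy model of the EROS-style identify operation described in the message above, added here as an illustration; it is not part of the original post and not EROS code. The names `Process`, `Capability`, `Constructor`, `identify` and `accept` are assumptions chosen for the sketch.

```python
# Toy model, constructed for illustration; names are assumptions, not EROS APIs.

class Process:
    """A running service instance; behaviour is the code it executes."""
    def __init__(self, behaviour):
        self.behaviour = behaviour

class Capability:
    """Opaque reference: a holder can invoke it but learns nothing about its target."""
    def __init__(self, target):
        self._target = target   # private by convention; a real kernel enforces this
    def invoke(self, msg):
        return self._target.behaviour(msg)

class Constructor:
    """Builds instances of one service and records every process it created."""
    def __init__(self, behaviour):
        self._behaviour = behaviour
        self._created = set()
    def create(self):
        proc = Process(self._behaviour)
        self._created.add(proc)
        return Capability(proc)
    def identify(self, cap):
        """True only if cap names a process this constructor created."""
        return isinstance(cap, Capability) and cap._target in self._created

def accept(constructor, cap, msg):
    """Receiver-side check: use a passed-in capability only after identify succeeds."""
    if not constructor.identify(cap):
        raise PermissionError("capability does not name an instance of the expected service")
    return cap.invoke(msg)

def demo():
    echo = lambda msg: "X:" + msg
    x_constructor = Constructor(echo)        # the constructor I already hold and trust
    genuine = x_constructor.create()
    # An impostor with identical observable behaviour, obtained from another source.
    impostor = Constructor(echo).create()
    results = {"genuine": accept(x_constructor, genuine, "hi")}
    try:
        accept(x_constructor, impostor, "hi")
        results["impostor"] = "accepted"
    except PermissionError:
        results["impostor"] = "rejected"
    return results
```

The impostor answers messages exactly as the genuine instance does, so the receiver cannot tell them apart by behaviour; only the query to the constructor it already holds distinguishes them.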




