Allowing an activity to be launched multiple times in parallel
Gary C Martin
gary at garycmartin.com
Wed Oct 29 22:51:57 EDT 2008
On 30 Oct 2008, at 00:23, Benjamin M. Schwartz wrote:
> 1. Bitfrost requires that each instance be isolated from every other.
> Each instance only has access to the Journal items to which the user
> explicitly granted it access. Allowing multiple "apparent
> instances" to
> share data behind the scenes represents a privilege-combining attack.
> This is especially apparent if one instance has been launched with
> P_NETWORK but not P_CAMERA, and the other has been launched with the
> reverse privileges.
> 2. A key feature of the Sugar Activity system is that writing
> is _easy_. The goal is to minimize the amount of work required to
> an Activity. Asking Activity authors to juggle multiple virtual
> creates tremendous complexity that is likely to produce bugs even when
> performed by experts (e.g. Browse), for no user-visible gain.
> 3. Two separate Activity instances already share a great deal,
> the Linux kernel automatically uses CoW to keep only one copy of
> memory needed by multiple processes. Each Write instance uses no
> CPU when
> idle, so RAM is the only overhead.
And a No 4. I'd like to add to Benjamins list. Stability. If one blows
I'd hate to loose documents in other instances. I'm sure all us multi-
tab power web surfers have the whole stack fall out from under us from
time to time due to one flakey web site (I was so glad when Safari
offered a 'reopen all windows from last session' option).
More information about the Devel