Allowing an activity to be launched multiple times in parallel

Gary C Martin gary at
Wed Oct 29 22:51:57 EDT 2008

On 30 Oct 2008, at 00:23, Benjamin M. Schwartz wrote:

> 1. Bitfrost requires that each instance be isolated from every other.
> Each instance only has access to the Journal items to which the user  
> has
> explicitly granted it access.  Allowing multiple "apparent  
> instances" to
> share data behind the scenes represents a privilege-combining attack.
> This is especially apparent if one instance has been launched with
> P_NETWORK but not P_CAMERA, and the other has been launched with the
> reverse privileges.
> 2. A key feature of the Sugar Activity system is that writing  
> Activities
> is _easy_.  The goal is to minimize the amount of work required to  
> write
> an Activity.  Asking Activity authors to juggle multiple virtual  
> instances
> creates tremendous complexity that is likely to produce bugs even when
> performed by experts (e.g. Browse), for no user-visible gain.
> 3.  Two separate Activity instances already share a great deal,  
> because
> the Linux kernel automatically uses CoW to keep only one copy of  
> read-only
> memory needed by multiple processes.  Each Write instance uses no  
> CPU when
> idle, so RAM is the only overhead.

And a No 4. I'd like to add to Benjamins list. Stability. If one blows  
I'd hate to loose documents in other instances. I'm sure all us multi- 
tab power web surfers have the whole stack fall out from under us from  
time to time due to one flakey web site (I was so glad when Safari  
offered a 'reopen all windows from last session' option).


More information about the Devel mailing list