[support-gang] Fwd: Redesigning: Library, Read, Get-Books, and Content bundles

Michael Stone michael at laptop.org
Sat Jul 24 02:48:15 EDT 2010


Gary, Yioryos,

Here are a couple of thoughts for you on isolation issues. (I have thoughts on
the Journal issues too but I'll save them for another occasion.)

>> Step 3 is to introduce marks (hyperlinks?) in Read and Write where hovering
>> over one you get the tag opened to tell you what it is about, and clicking transposes
>> you to the relevant book/app-mark
>
> As noted already this would seem to break Sugar's security model; activities
> need to be sand-boxed from each other, one activity is not allowed to resume
> another. Yea, back to Journal, again! ;)

Let's think about this a bit more deeply. As I see it:

The key idea that Bitfrost offers is that system software needs to make it easy
for the authors of benign apps to protect human interests. (A number of useful
features are then proposed toward this end.)

The key idea that Rainbow offers is that accounts are a good device for
isolating processes.

Within this problem domain, the key idea of Sugar is that people engage in
fairly discrete sessions of activity which may be started, stopped, resumed,
and isolated from one another. 

Significant isolation is possible because data rarely needs to move from one
session to another and, when it does, the motion may be orchestrated through a
supervisor.

Note, however, that the idea is that it doesn't matter much what actual
processes run within a given session or whether there are many windows or one,
many documents or none, many hosts contacted or none, etc.

Indeed, we shouldn't worry so much about whether Browse invokes Read in order
to render a downloaded PDF or whether Chat invokes Browse when the human
operator clicks on a hyperlink -- Browse already had complete control over the
contents and distribution of the PDF and Chat already had complete control over
the text of the URI that Browse will see.

Instead, what does matter is the ability to control what happens *when* Browse
or Chat or Read becomes circumstantially malicious. What matters then is the
ability of the human operator and the system supporting them to manage the
mappings of I/O resources to sessions -- that is, crudely, of the "start new"
vs. "resume" problem. :)

Thoughts?

Regards,

Michael
