[sugar] Multiple documents

Bert Freudenberg bert at freudenbergs.de
Fri Jul 27 20:00:46 EDT 2007


Thank you Michael, this at least makes the security side more clear  
to me. A few comments interspersed below:

On Jul 27, 2007, at 22:13 , Michael Stone wrote:

> Now, to try to give the Security Team's perspective on the questions
> below:
>
>> The questions of how multiple activity instances are handled in Sugar
>> remains open. And even the way it is handled now is going to be
>> replaced "soon" with those security containers which from what I
>> heard yet appear to make it even harder to create efficient
>> solutions. In the earlier days of Sugar it appeared as if an activity
>> implementation would be allowed to manage its instances on its own.
>> Step by step this has been made harder. Now it appears to be required
>> that every instance is a separate process that starts and lives on
>> its own in its virtual container. Which is way inefficient, I
>> seriously hope I misunderstand intentions. But requests for detailed
>> plans have not been answered either.
>
> In philosophy, our design goal is to encourage activity designers  
> to use
> dynamic Activity instances running in separate containers to the
> extent that resource constraints allow because doing so enables us to
> statically provide better protection against viral documents, against
> data that crashes the activity instance, and against accidental
> breaches of privacy caused by inadequately fine collaboration
> granularity.
>
> In practice, however, we won't prevent activities from employing a
> factory scheme to better share resources at the expense of degrading
> our ability to provide the protections described above and at the
> additional conceivable expense of degrading the quality of the
> accounting statistics we are able to provide to the various resource
> consumption managers (e.g. disk quotas, OOM killer, etc)

So if an activity would like to handle multiple instances in one  
container or even one process, that would be fine. Great, this gives  
us some more options :)

> In the long run, we hope to do an end run around the issue by
> inventing a mechanism to share many resources across containers, by,
> for example, regarding containers as prototype-objects that can be
> descheduled (halting all processes inside the container), cloned
> (installing a lazy copy-on-write resource sharing strategy), and then
> rescheduled. Unfortunately, however, this is a research topic, not an
> implementation strategy.

Short of that ... I understand that system files (executables,  
libraries, data files etc.) that an activity needs to access will be  
shared between containers, that is, they are on disk only once and  
are "projected" into the the container's virtual file system.

Say each instance of an activity loads a file into memory, and a  
portion of this memory would not be written to. So copy-on-write  
could be used on these memory pages between instances, meaning as  
long as a page is not written to they would be shared an in memory  
only once. What would an activity have to do to enable this sharing  
of in memory file copies? I mean, without containers it could just  
fork off new instances after loading the file. But maybe by just  
mmapping the file would achieve the same across containers?

>> If I understand the Sugar philosophy correctly, we won't have
>> multiple documents per activity. If we want to have multiple
>> documents opened at the same time, these would be multiple instances
>> of the same activity.
>
> Philosophically speaking, yes. In practice, however, its up to the
> activity author and the datastore folks to negotiate what constitutes
> a "document" (what I would call an 'Activity instance in the static
> sense').
>
> Practically speaking, do keep in mind the requirements that Bitfrost
> imposes on how the datastore and the filesystem may be accessed by
> Activity instances in the dynamic sense.

... like that it requires each file (datastore entry) only be opened  
by a Sugar dialog.

For example - how could I make a slideshow of all images in the  
datastore? Could an activity request this kind of "mass access"?

>> And if so, what would one activity instance have to to do to create
>> a new instance?
>
> Instruct sugar to create a new instance, by using the API provided in
>
>   sugar/activity/activityfactory.py

Well, as long as an activity can provide its own factory that surely  
is simple.

On a slightly related topic - supposed an activity went the "single- 
process" way, handling all instances in one process (which given the  
fullscreen nature of Sugar is not at all unreasonable IMHO), do you  
see any reason to require a separate X window per instance?

Thank you for taking the time and writing this up.

- Bert -



More information about the Sugar mailing list