l4-hurd

Re: Reliability of RPC services


From: Marcus Brinkmann
Subject: Re: Reliability of RPC services
Date: Sat, 22 Apr 2006 20:05:34 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Sat, 22 Apr 2006 13:57:18 -0400,
"Jonathan S. Shapiro" <address@hidden> wrote:
> If the server is malicious, the presence of a "notify on drop" bit (or
> even a "notify on container destroy" bit) is insufficient to achieve the
> robustness that you are looking for.

Why do you think so?  As far as I know, I have not yet made my case
for why I think that it may be sufficient.  There seem to be,
admittedly narrow, but still useful (for us), design patterns for
which this mechanism is sufficient to successfully argue about
invariants of the system.

> Since the feature you are requesting is "best effort", it definitely
> does NOT permit you to reason about the cases you mention. The only
> effective way to manage these issues is with watchdogs. Watchdogs are
> unfortunate for other reasons, but at least they do not perturb the rest
> of the architecture.

Can you elaborate on what watchdogs do?  In particular, how they
differ from timeout-based solutions.

Thanks,
Marcus





