. the best system design is to simply identify the dimension of design,
and let people experiment .
. a priority dimension, however, is security vs freedom:
. users need a prefabricated configuration that is secure,
and another one that is fast .
. the secure way is to automate security;
ie, for users to get some freedom,
they have to specifically request kernel programming mode;
in that case,
there could still be some degree of safety with a report mode,
that would indicate your system is experimental,
and to use its data with caution
(similar to a warning given when new version of software is beta) .
. processes communicate via a sequence of expr'tree.pointers
(ie, symbolic expressions as in lisp,
rather than strings as in TCL) .
. one way to implement this communication
is like the Singularity shared mem'model:
instead of copying data between process spaces,
the processes implicitely share memory;
but, modularity is enforced symbolically,
by having the system ensure that every chunk in shared memory
is owned by no more than one process at any given time .
. that mem'model assumes that 2 or more processes want to
share in the modifying of some chunk .
. there are also some caveats to multiple readers
having access to a chunk: the writes must be atomic
so that readers don't have access to blurred transition states .
. another way to implement ipc (interprocess comm')
is the way that ajax or git is used on the web:
each process has it's own copy of a database that is virtually shared
by a journaling system:
you are making changes locally via a list of commands,
and then broadcasting that list to all sharers,
so that they can run those commands on their own local copies .
. the secure way to handle ipc pointers
is to have the system be the go-between:
when a process creates a pointer,
it is relative to chunk it is in .
. if a pointer is meant for other processes,
as when one sends another some mail containing an address,
that address is an url -- the only way it can be used is by
calling up the ipc system and asking it to
run a command on a given url .
. the system can then check for permitted capabilities,
as well as address validity .