summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTomBachmann <e_mc_h2@web.de>2006-04-29 20:49:04 +0000
committerTomBachmann <e_mc_h2@web.de>2006-04-29 20:49:04 +0000
commite45b0b80893c504639486391b3b0e35c8fbf7f8d (patch)
tree7e7a6e81d403490e51ba81d4700f29162109f982
parentb3a732cd0002658b08593e73d74f36666cce383e (diff)
none
-rw-r--r--Hurd/DesignPrinciples.mdwn28
1 files changed, 28 insertions, 0 deletions
diff --git a/Hurd/DesignPrinciples.mdwn b/Hurd/DesignPrinciples.mdwn
index 2e449971..d5596d9c 100644
--- a/Hurd/DesignPrinciples.mdwn
+++ b/Hurd/DesignPrinciples.mdwn
@@ -1,9 +1,37 @@
A design principle is a test that lets us **reject** things. Hopefully, when combined with other design principles, it forms a basis for making coherent and consistent decisions about design goals and system features. [1]
+## <a name="Stated_design_principles"> Stated design principles </a>
+
None defined yet, but there seems to be consensus that ngHurd should be a principle-driven design.
+## <a name="Potential_design_principles"> Potential design principles </a>
+
+Here is an incomplete list of potential design principles for the ngHurd. It is taken from [2]. I left out some principles I think do not apply or are not in question. Feel free to add more.
+
+### <a name="Principles_from_the_Multics_Proj"> Principles from the Multics Project </a>
+
+* _Economy of mechanism_: Keep the design as simple as possible.
+* _Fail-safe defaults_: Base access decisions on permission rather than exclusion.
+* _Least priviledge_: Components should have no more authority than they require.
+* _Least common mechanism_: Minimize the amount of shared instances in the system.
+
+### <a name="Commonly_accepted_principles"> Commonly accepted principles </a>
+
+* _Separation of policy and mechanism_
+* _Least astonishment (also known as principle of least surprise):_ The system�s behavior should match what is naively expected.
+* _Complete accountability_: All real resources held by an application must come from some accounted pool.
+* _Safe restart_: On restart, the system must either already have, or be able to rapidly establish, a consistent and secure execution state.
+* _Reproducibility_: Correct operations should produce identical results regardless of workload.
+
+### <a name="Principles_specific_to_EROS"> </a> Principles specific to EROS
+
+* _Credible policy_: If a security policy cannot be implemented by correct application of the system�s protection mechanisms, do not claim to enforce it.
+* _Explicit authority designation_: Every operation that uses authority should explicitely designate the source of the authority it is using.
+* _Relinquishable authority_: If an application holds some authority, it should be able to voluntarily reduce this authority.
+
----
See also:
* [1] <http://lists.gnu.org/archive/html/l4-hurd/2005-11/msg00120.html>
+* [2] EROS: A Principle-Driven Operating System from the Ground Up