Re: CVS commit: src/crypto/external/bsd/netpgp/dist

To: Alistair Crooks <agc%pkgsrc.org@localhost>
Subject: Re: CVS commit: src/crypto/external/bsd/netpgp/dist
From: David Holland <dholland-sourcechanges%netbsd.org@localhost>
Date: Wed, 6 May 2009 00:16:45 +0000

On Tue, May 05, 2009 at 11:38:36PM +0000, David Holland wrote:
 > Having things fail silently or go into a fugue state is not an
 > improvement, particularly in security code. So I'd qualify all this by
 > saying that end-to-end behavior should always be fail-stop.

Since this is apparently not that clear:

If an object (piece of hardware, daemon process, whatever) fails, it
can either stop (exit, shut off, etc.) or sit there catatonically. Or
maybe continue to operate incorrectly.

Such objects are, one way or another, part of larger systems. If the
system has recovery or restart logic, stopping on failure allows that
logic to go into action. If the system does not have such logic, there
won't be further service without manual intervention regardless of
whether the object stops.

For this reason objects should nearly always stop on critical
failures. And, in cases where availability matters, objects whose
stoppage would result in problems should be provided with restart
logic.

I thought this was a general principle of reliable/HA system design,
but apparently it's not as widely understood/believed/recognized
as I thought. Or something. :-|

-- 
David A. Holland
dholland%netbsd.org@localhost

References:
- Re: CVS commit: src/crypto/external/bsd/netpgp/dist
  - From: Perry E. Metzger
- Re: CVS commit: src/crypto/external/bsd/netpgp/dist
  - From: Alistair Crooks
- Re: CVS commit: src/crypto/external/bsd/netpgp/dist
  - From: David Holland

Prev by Date: Re: CVS commit: src
Next by Date: re: CVS commit: src/sys/conf
Previous by Thread: Re: CVS commit: src/crypto/external/bsd/netpgp/dist
Next by Thread: Re: CVS commit: src/crypto/external/bsd/netpgp/dist
Indexes:

Home | Main Index | Thread Index | Old Index