possible 1.0 blocker; bus timeout
david at fubar.dk
Fri Nov 3 10:47:01 PST 2006
On Fri, 2006-11-03 at 13:13 -0500, John (J5) Palmieri wrote:
> The only problem with your approach is the potential to leak the pending
> call forever if it never receives the return reply. To say that D-Bus is
> way too low level to enforce this is to say we allow our users to shoot
> themselves in the foot.
It's already well-controlled that a single user cannot have more than N
outstanding replies in the bus. There will never be any "leak" that you
talk of, because it's cleaned up when the application disconnects.
Obviously applications need to have brains themselves to cancel a
request, my complaint is that D-Bus tries to be overprotective and has
the timeout of six hours either hard-coded in the bus source code or in
some system configuration file. It's nice that D-Bus makes it difficult
to write bad code, great!, but some weird timeout of six hours that
isn't even documented in the spec is not that well thought out I think.
Do you disagree?
And, sure, bad applications from one uid might deny service to the
message bus other applications with the same uid. And the six-hour limit
does _nothing_ to prevent that, I mean, how useful is it that badly
behaving apps get kicked off after six hours?
(Also, it's not like you would need D-Bus to create such DOS attacks, I
do hope you are aware of that.)
> I personally don't think it is too low level if
> it could cause greater problems (such as leaking inside the bus itself)
> but since this is an application's prerogative then I have no
> objections. I would ask you put a comment in the code saying you are a
> trained professional and kids shouldn't try this at home ;)
Realize that D-Bus _may_ be useless in some situations, e.g. if you have
method calls that take more than six hours to complete. This applies to
e.g. the Suspend() method call in HAL (suspend your laptop over night)
but it could as well apply to situations where a message bus is being
used in e.g. a render farm and the rendering operation takes 7 hours to
The question at hand is whether we want that. And to me that's not a
difficult question, it's not like the figure "six hours" has any meaning
whatsoever. And if it does it's not crystal clear to me what it is and
I'd appreciate some feedback on what it means. Thanks.