Improving the Application

At one point in the lifetime of IBM’s mainframe operating systems, IBM advised customers not to apply most bug fixes until they had experienced the symptoms of the bug themselves. A principal explanation for this is that many of the bug fixes were modifications to the behavior of system software whose definition had been ambiguous. Different application programmers had come to rely on different interpretations of the documentation. Sometimes the IBM programmers had not been aware of the dual interpretations and changed the official software to match their own interpretation, which agreed with some of their customers but not others. When you are running a bank it is very important to be able to come up the next morning, and changes to system software were a common source of obstacles to finishing the evening computing. The goal was to understand the meaning of a bug fix well before applying it. That was difficult then and is impossible now. With redundant hardware it is now possible to test upgrades of mission-critical applications before losing the ability to run the old software. KeyKOS kept these lessons in mind in its orthogonal persistence scheme. In short: “no system-wide replacement of infrastructure”. (See this exception.)

Instead, a new source of new objects is introduced. The authority to open the old objects has been retained, and the new source may be endowed with it. Users holding objects that obey the old version of the code may choose to upgrade an object by sending a cap for the old object to the new source. The new behavior may include a means to upgrade the state of the old object to the new form. What could go wrong? Much can go wrong, but I see no new problems that conventional systems lack.
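The upgrade path just described, as an added model written for this page (it is not KeyKOS code): the old source keeps the brand that opens its objects' sealed state, the new source is endowed with only that brand's unsealer, a holder of an old cap decides when to send it for upgrade, and a source that was never endowed cannot open the old object at all. The counter objects, `Brand` and `demo` are all constructed for illustration.

```python
class Brand:
    """Sealer/unsealer pair. A sealed box reveals nothing; only the matching
    unsealer recovers the contents (the retained 'authority to open')."""
    def __init__(self) -> None:
        self._contents: dict = {}
    def seal(self, payload) -> object:
        box = object()                       # opaque, unforgeable handle
        self._contents[id(box)] = (box, payload)   # keep box alive
        return box
    def unseal(self, box):
        try:
            return self._contents[id(box)][1]
        except KeyError:
            raise PermissionError("box was not sealed by this brand") from None

class CounterV1:
    """Old behaviour: a plain counter whose state is sealed by its source's brand."""
    def __init__(self, brand: Brand) -> None:
        self._state = {"count": 0}
        self.box = brand.seal(self._state)   # all an upgrader gets to see
    def incr(self) -> int:
        self._state["count"] += 1
        return self._state["count"]

class CounterV2:
    """New behaviour: same counter, but it also records every value returned."""
    def __init__(self, count: int = 0) -> None:
        self.count, self.history = count, []
    def incr(self) -> int:
        self.count += 1
        self.history.append(self.count)
        return self.count

class OldSource:
    def __init__(self) -> None:
        self.brand = Brand()                 # retained; never handed out wholesale
    def new(self) -> CounterV1:
        return CounterV1(self.brand)

class NewSource:
    """Endowed with the old brand's unsealer and nothing else."""
    def __init__(self, unseal) -> None:
        self._unseal = unseal
    def new(self) -> CounterV2:
        return CounterV2()
    def upgrade(self, old: CounterV1) -> CounterV2:
        state = self._unseal(old.box)        # refused unless endowed
        return CounterV2(count=state["count"])

def demo():
    old_src = OldSource(); c1 = old_src.new(); c1.incr(); c1.incr()
    c2 = NewSource(old_src.brand.unseal).upgrade(c1); c2.incr(); c2.incr()
    try:
        NewSource(Brand().unseal).upgrade(c1); denied = False
    except PermissionError:
        denied = True
    return c1.incr(), c2.count, c2.history, denied   # old cap still works
```

Nothing system-wide was replaced: `c1` keeps running under the old code after `c2` was derived from it, and only the source endowed with the old brand could perform the derivation.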

Some of the insistence that software be upgraded as soon as possible assumes that the software processes raw data from outside the system and that such data may be maliciously crafted. In a system that practices POLA this is rather less of a worry: an attacker must typically break through several layers to reach the gold. Still, objects near the edge of the system need closer attention.