The art of progress is to preserve order amid change and to preserve change amid order.
Alfred North Whitehead
Upgrades are a challenge with persistent state. An upgrade generally involves replacing old behavior with new behavior, perhaps preserving state. Sometimes the new object is based on different foundations. Capability systems do not provide a uniform way to do this. It is not always possible to upgrade a system component at an arbitrary time.
Here are some reasons for upgrades:
A program designed to learn your idiosyncrasies (subtly adapt to you) is unlikely to yield its secrets, even if its designer intended it to do so. A speech recognition program that learns to understand you is likely to keep its learning in a proprietary form that other programs could not understand even if the data were not secret and proprietary to the owner of the old program. A new program by the same author has some hope of starting where the old program leaves off. A money object will be unlikely to abandon its fiduciary responsibility to the central bank.
While there are no general solutions there are a few schemes that serve particular situations.
It should be rather easy for new behavior to begin with the state of old objects that:
A slightly more complex protocol may be used when the state or its format is proprietary. A new object that is trusted by the old object may acquire a capability to the old object that is stronger than that held by the user. Via this new capability, the object keeps no secrets. This new capability can be had thru rights amplification from the creator of the old object if prior arrangements have been made with some agency with authority over those proprietary issues. This scheme may impact the design of the apartment.
Another problem arises when the object to be replaced is unknown to the user but is used by other programs. Here the user relies on the object to be upgraded, but only indirectly. If the user relies on B which relies on C which needs an upgrade, and the user still relies on B’s author to support B, then the transaction appears to the user as an upgrade to B. There are several scenarios here depending on who knows what when and who has a reputation on the line. More on that later perhaps.