Consider the following sequence of events. Server 1, 2, and 3 are up; server 3crashes; server 1 and 2 form a new group; server 2 crashes. Now as we want to tolerate networkpartitions correctly, we forced server 1 to fail. However, this is too strict. If server 1 stays aliveand server 3 is restarted, server 1 and 3 can form a new group, because server 1 must have per-formed all the updates that server 2 could have performed. The rule in general is that twoservers can recover, if the server that did not fail has a higher sequence number, as in this case itis certain that the new member has not formed a group with the (now) unavailable member in themeantime. We will incorporate this improvement in our directory service in the near future.

Inthe PB method, each message appears on the network twice: once to the sequencer and oncefrom the sequencer. Thus a message of length n bytes consumes 2n bytes of network bandwidth.However, only the second message is broadcast, so each user machine is interrupted only once(for the second message).In the BB method, the full message appears only once on the network, plus a very short acceptmessage from the sequencer. Thus, only about n bytes of bandwidth are consumed. On theother hand, every machine is interrupted twice, once for the message and once for the accept