From: Stefan Monnier
Newsgroups: gmane.emacs.devel
Subject: Re: Prototype of object capability in Emacs
Date: Sat, 19 Feb 2022 16:55:50 -0500
To: Qiantan Hong
Cc: emacs-devel@gnu.org, Mattias Engdegård
In-Reply-To: <9069C6C8-B901-4F7C-B950-168AFDD119C6@mit.edu> (Qiantan Hong's message of "Thu, 16 Sep 2021 23:09:22 +0000")
> The way it works: ocaps-make-world makes a “powerless” isolated object graph
> (except initially passed in capability).
> ocaps-import takes an object from ambient environment, and removes any capability
> not present in the world bound to special variable ocaps-world.

I don't quite understand where the capabilities are in your system.
Maybe it's just a question of vocabulary.

For me a capability is a bit like a pointer, and I need to provide it
whenever I want to do a particular operation which requires special
authorization, as evidence that I have the right to perform it.

AFAICT, what your package does is something more like what I'd call
a container.

A big problem with the approach you're following is that it's very
difficult to make sure the container doesn't leak. E.g. providing access
to the `current-global-map` function would already end up giving access
directly or indirectly to a vast array of functions from the main obarray.

Something along these lines might be appropriate for insecure containers,
designed to avoid accidentally stepping on each other's toes (maybe for
concurrency purposes, for example), but if the purpose is to run potentially
dangerous code, I wouldn't ... trust it.

Stefan
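The two points in the reply above, a capability as an unforgeable reference that confined code must be handed before it can act, and an allowlisted accessor such as `current-global-map` leaking ambient authority through the symbols it returns, as an added Emacs Lisp example. This is not code from the thread or from the ocaps package; every `ocap-demo-` name is hypothetical, and the leak check is an assumed way of measuring the surface, not anything the message describes.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: illustrates capability-as-reference versus a leaky container.
;; Not part of the ocaps package; all `ocap-demo-' names are hypothetical.

(require 'cl-lib)

;;; 1. A capability is an object you must hold: the closure captures TEXT,
;;;    and there is no global name through which confined code could reach
;;;    TEXT without being given this object.
(defun ocap-demo-make-reader (text)
  "Return a capability that can read TEXT and nothing else."
  (lambda (start end)
    (substring text start (min end (length text)))))

(defun ocap-demo-confined (reader)
  "Confined code: it receives READER only, never TEXT or `buffer-string'.
It can use the authority it was handed but cannot widen it."
  (funcall reader 0 5))

;;; 2. The container leak: a keymap is data, but its bindings are symbols in
;;;    the main obarray, and a symbol is all that is needed to `funcall' the
;;;    command behind it.  This walk counts how many fbound symbols one
;;;    allowlisted accessor hands out.
(defun ocap-demo-reachable-commands (keymap &optional seen depth)
  "Collect fbound symbols reachable from KEYMAP, descending into prefix maps.
SEEN accumulates results across recursive calls; DEPTH bounds the descent
so an unexpected cyclic keymap cannot loop forever.  Returns the list."
  (let ((depth (or depth 0)))
    (when (< depth 8)
      (map-keymap
       (lambda (_event binding)
         (cond
          ;; Prefix keys: a nested keymap, or a symbol whose function cell
          ;; is a keymap (e.g. `Control-X-prefix'); recurse into it.
          ((keymapp binding)
           (setq seen (ocap-demo-reachable-commands binding seen (1+ depth))))
          ;; A plain command binding: the symbol itself is the leaked authority.
          ((and (symbolp binding) (fboundp binding))
           (cl-pushnew binding seen))
          ;; Menu items, strings and other binding shapes are skipped here.
          (t nil)))
       keymap))
    seen))

(defun ocap-demo-leak-report ()
  "Count the commands reachable through `current-global-map' alone.
A container that allowlists only that one accessor has exposed all of them."
  (length (ocap-demo-reachable-commands (current-global-map))))

;;; 3. The capability-style alternative: answer the specific question the
;;;    confined code has (is this key bound?) with a boolean, so no symbol
;;;    from the obarray ever crosses into the container.
(defun ocap-demo-make-key-query ()
  "Return a capability that reports whether KEY is bound globally, as t or nil."
  (lambda (key)
    (let ((binding (lookup-key (current-global-map) key)))
      ;; `lookup-key' returns nil when unbound and a number when KEY is
      ;; longer than any bound prefix; treat both as not bound.
      (and binding (not (numberp binding)) t))))

;; Usage (evaluate in a running Emacs):
;; (ocap-demo-confined (ocap-demo-make-reader "hello world"))
;; (ocap-demo-leak-report)
;; (funcall (ocap-demo-make-key-query) (kbd "C-x C-f"))
```

The contrast is the design point: `ocap-demo-make-reader` and `ocap-demo-make-key-query` hand out closures whose authority is fixed at creation, whereas exposing `current-global-map` hands out symbols, and `ocap-demo-leak-report` makes the size of that indirect exposure visible before deciding what a container may allowlist.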