From: Andy Wingo
Newsgroups: gmane.lisp.guile.devel
To: guile-devel
Subject: extensibility, compatible changes, and ocap security
Date: Sat, 10 Dec 2011 19:26:53 +0100
Message-ID: <87iploi8pe.fsf@pobox.com>
List-Id: "Developers list for Guile, the GNU extensibility library"

Hi,

I was compiling guile-gnome recently, saw a warning about a srfi-39 binding replacement, and went to go look at srfi-39 in Guile. That's the `parameterize' library, you see. It is unnecessary, given that `parameterize' is now in boot-9, but there is a wrinkle: srfi-39 requires that `current-input-port' et al be implemented as parameters.
Currently, `current-input-port' in boot-9 is a procedure of 0 arguments. We can change it so that it has an optional argument, which would be the equivalent of calling `set-current-input-port!' on the arg. However, this effectively gives another /capability/ to anyone that has access to the previously idempotent `current-input-port' procedure: namely, the ability to change the current input port.

The question is, can we make this change in the default Guile? (If you don't implement sandboxes for your users, the rest of this mail doesn't apply to you.)

After some thinking about this, I think that the answer is "yes". If you are providing an ocap-style environment to untrusted code, then you need to prevent Guile from making extensions to your interface that can compromise your security invariants. We have added optional and keyword args to other interfaces in the past. The kinds of extensions that Guile could make within a stable series are all of the form, "evaluating FOO produced a wrong-number-of-arguments error in guile 2.0.3, but in 2.0.4 we have made it do useful action BAR." We promise that existing uses will still work, so it's not like you have to implement your own environment entirely, but you do need to make a number of proxies (whether as procedure wrappers or identifier-syntax or whatever).

So that's what I'm thinking right now. Other thoughts are welcome as well.

Happy hacking,

Andy
-- 
http://wingolog.org/
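The proxy approach described in the mail, as an added example in Guile Scheme that is not part of the original message: `current-input-port*' is an assumed stand-in for the proposed parameter-based `current-input-port' (the real binding is left alone), and `proxied-current-input-port', `sandbox-current-input-port' and `rejects-arity?' are hypothetical names chosen here.

```scheme
;; Added example, not from the original mail.  Models the compatible
;; extension Andy describes (0 args reads, 1 arg sets) and the two kinds of
;; proxy a sandbox would put in front of it so the extension does not hand
;; untrusted code a new capability.
(use-modules (ice-9 format))

;; Stand-in for the proposed parameter version of `current-input-port'.
(define current-input-port* (make-parameter (current-input-port)))

;; Proxy 1: a procedure wrapper fixed at zero arguments.  A call with an
;; argument stays a wrong-number-of-args error, as in Guile 2.0.3, even if a
;; later Guile teaches the underlying binding to accept one.
(define (proxied-current-input-port)
  (current-input-port*))

;; Proxy 2: identifier syntax.  The bare name expands to a read-only call, so
;; sandboxed code never gets hold of the parameter object itself, and
;; `(set! sandbox-current-input-port ...)' is rejected at expansion time.
(define-syntax sandbox-current-input-port
  (identifier-syntax (current-input-port*)))

;; Helper: does calling THUNK raise a wrong-number-of-args error?
(define (rejects-arity? thunk)
  (catch 'wrong-number-of-args
    (lambda () (thunk) #f)
    (lambda args #t)))

;; Constructed sample: code holding the *unproxied* binding can redirect the
;; current input port, which is the capability leak the mail is about.
(define other-port (open-input-string "redirected"))
(current-input-port* other-port)
(format #t "unproxied binding: read ~s from the new port\n"
        (read (current-input-port*)))
(current-input-port* (current-input-port))   ; restore the original port

;; Through the proxies, reading still works ...
(format #t "proxies read: ~a / ~a\n"
        (port? (proxied-current-input-port))
        (port? sandbox-current-input-port))
;; ... but the setter form is an error rather than a new capability.
(format #t "procedure proxy rejects setter call: ~a\n"
        (rejects-arity? (lambda () (proxied-current-input-port other-port))))
```

The same wrapping applies to `current-output-port' and `current-error-port', which srfi-39 treats identically.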