Hmm... I didn't think about this security issue. And even if we do some verification in IR (say, CPS or a lower level), it's insufficient to avoid security issues, since a front-end implementation may use cross-module functions to mimic primitives of other languages.
Now I think maybe front-end writers have to write their own sandbox with (ice-9 sandbox) if necessary. :-)

Best regards.


On 17 Apr 2017 16:07, "Andy Wingo" <wingo@pobox.com> wrote:
On Sat 15 Apr 2017 19:23, Nala Ginrut <nalaginrut@gmail.com> writes:

> Could you please add a #:from keyword to eval-in-sandbox to indicate
> the language front-end? Don't forget there's a multi-lang plan. :-)

In theory yes, but I don't know how to make safe sandboxes in other
languages.  ice-9 sandbox relies on the Scheme characteristic that the
only capabilities granted to a program are those that are in scope.
Other languages often have ambient capabilities -- like Bash for example
where there's no way to not provide the pipe ("|") operator.  I think
adding other languages should be an exercise for the reader :)

Andy
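The scope-based capability model Andy describes above, shown as an added example (this is not code from the thread or from Guile itself). It assumes Guile 2.2 or later with the `(ice-9 sandbox)` module, whose `eval-in-sandbox` accepts `#:bindings`, `#:time-limit` and `#:allocation-limit`, and whose `all-pure-bindings` set excludes I/O and module-access bindings; the `try-sandboxed` wrapper is a hypothetical helper written for this illustration.

```scheme
;; Added example (not from the thread or from Guile): a sandboxed program
;; can only use what is lexically in scope, so I/O and cross-module access
;; are unavailable simply because their names are not bound.
(use-modules (ice-9 sandbox))

;; Hypothetical helper: evaluate EXP with only BINDINGS in scope and a
;; CPU/allocation budget, reporting either a value or the error the
;; sandbox raised instead of letting it propagate.
(define* (try-sandboxed exp #:key (bindings all-pure-bindings))
  (catch #t
    (lambda ()
      (let ((v (eval-in-sandbox exp
                                #:bindings bindings
                                #:time-limit 0.5             ; seconds of CPU
                                #:allocation-limit (* 10 1024 1024)))) ; bytes
        (format #t "ok: ~s => ~s~%" exp v)
        (cons 'ok v)))
    (lambda (key . args)
      (format #t "refused: ~s (~a ~s)~%" exp key args)
      (cons 'error key))))

;; 1. Pure arithmetic is in scope and simply runs.
(try-sandboxed '(+ 1 2))

;; 2. open-input-file is not among the sandbox's bindings, so the program
;;    cannot even name it: the evaluator signals an unbound variable.
(try-sandboxed '(open-input-file "/etc/hostname"))

;; 3. The cross-module reference syntax is not bound in the fresh sandbox
;;    module either, so reaching into (guile) for the primitive fails the
;;    same way. This is the "ambient capability" Andy contrasts with Bash:
;;    Scheme has none unless the host hands it in through #:bindings.
(try-sandboxed '((@@ (guile) open-input-file) "/etc/hostname"))

;; 4. Even with nothing but pure bindings, a runaway loop is stopped by the
;;    time limit rather than hanging the host.
(try-sandboxed '(let loop () (loop)))
```

Run it with `guile example.scm`. Only the first case produces a value; the second and third are refused at name-resolution time, and the fourth is cut off by the resource limit. This is also why the multi-language request is hard: the model works because the host decides, via `#:bindings`, exactly which capabilities exist, and a front-end that lowers its primitives to ordinary cross-module calls would have to preserve that property itself.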