[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Prototype of object capability in Emacs
|
From: |
Stefan Monnier |
|
Subject: |
Re: Prototype of object capability in Emacs |
|
Date: |
Sat, 19 Feb 2022 16:55:50 -0500 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux) |
> The way it works: ocaps-make-world makes a “powerless” isolated object graph
> (except initially passed in capability).
> ocaps-import takes an object from ambient environment, and remove any
> capability
> not presented in the world bound to special variable ocaps-world.
I don't quite understand where are the capabilities in your system.
Maybe it's just a question of vocabulary.
For me a capability is bit like a pointer, and I need to provide it
whenever I want to do a particular operation which requires special
authorization, as evidence that I have the right to perform it.
AFAICT, what your package does is something more like what I'd call
a container.
A big problem with the approach you're following is that it's very
difficult to make sure the container doesn't leak.
E.g. providing access to the `current-global-map` function would already
end up giving access directly or indirectly to a vast array of functions
from the main obarray.
Something along these lines might be appropriate for insecure
containers, designed to avoid accidentally stepping on each other's toes
(maybe for concurrency purposes, for example), but if the purpose is to
run potentially dangerous code, I wouldn't ... trust it.
Stefan
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Prototype of object capability in Emacs,
Stefan Monnier <=