On Mon, Dec 29, 2003, Ka-Ping Yee wrote:
> On Sat, 20 Dec 2003, Aahz wrote:
>>
>> Exactly. From my observations of these discussions, there are essentially only two reasons for restricted execution:
>>
>> * To simplify things by reducing the potential solution space
>> * To protect a system against a hostile attacker
>
> There is a huge blind spot in your claim. You forgot:
>
> * To limit the damage caused by a bug in your program
> * To make your programs have more predictable behaviour
>
> Capabilities are about making clear what parts of your program can and can't do.

My understanding is that capabilities are not the same thing as restricted execution; it's certainly the case that we could provide some kind of capability model that doesn't meet the demands of restricted execution. While your points are valid, they are not points that I've seen brought up before in the context of restricted execution. There are many other programming models that address those issues; why do you think that restricted execution makes a particularly good choice? (Say, as compared to design-by-contract.)
>> Supposedly there's a middle ground of untrusted but non-hostile code, but what's the point of providing support for that?
>
> Have you ever used a library written by someone else? Have you ever found a bug in something you wrote yourself?
>
> "Untrusted but non-hostile code" is what all of us write every day.

Well, sure, but if that's the only issue in play, I don't think that the stringent demands of restricted execution are needed. The question is whether the benefits of restricted execution are worth the effort required (and possibly the performance penalty).

>> From my POV, that's the context in which we either need to provide truly robust restricted execution or just decide that we can't do it. And as I've pointed out before, restricted execution in the context of something like a web server is almost certainly going to require something external to Python in order to prevent excessive CPU and memory usage -- which is an issue that has grown in difficulty given the new prevalence of event-driven programming (instead of forking and threading).

Not-quite tangent: I was talking to someone a few days ago, an experienced programmer who hasn't yet tried Python (and who I'm trying to persuade -- but he's an old Lisp and Smalltalk hacker who hates B&D syntax). He's also running a web server at home; I commented that if I did that, I'd use a server written in Python because it's more secure. He said that he'd seen more security alerts for Zope than for Apache, which forced me to explain that Zope isn't a web server, it's an application framework that allows people to run arbitrary Python code.

--
Aahz (aahz@pythoncraft.com)           <*>         http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.
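The point Aahz makes about needing "something external to Python" to cap CPU and memory, as an added illustration that is not part of the original thread: the script below forks a child, applies OS-enforced limits with resource.setrlimit, and runs a stand-in handler there, so the parent survives whatever the handler does. The cap values and the three handler functions are constructed for the example.

```python
import os
import resource
import signal

# Constructed caps for the isolated child; example values, not from the thread.
ADDRESS_SPACE_CAP = 1024 * 1024 * 1024   # 1 GiB of virtual address space
CPU_SECONDS_CAP = 1                      # seconds of CPU time before SIGXCPU

def run_isolated(func, address_space=ADDRESS_SPACE_CAP, cpu_seconds=CPU_SECONDS_CAP):
    """Fork, cap the child with setrlimit, run func there, report how it ended.

    'ok'            func returned normally inside the caps
    'memory_error'  the kernel refused an allocation (MemoryError in the child)
    'cpu_killed'    the kernel stopped the child when its CPU time ran out
    'failed'        anything else (other exception or signal)
    """
    pid = os.fork()
    if pid == 0:  # child: limits are set here, after the fork, so only it is capped
        try:
            resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
            # soft limit raises SIGXCPU; the hard limit a second later means SIGKILL
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
            func()
            os._exit(0)
        except MemoryError:
            os._exit(3)
        except BaseException:
            os._exit(4)
    _, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status):
        return {0: "ok", 3: "memory_error"}.get(os.WEXITSTATUS(status), "failed")
    if os.WIFSIGNALED(status) and os.WTERMSIG(status) in (signal.SIGXCPU, signal.SIGKILL):
        return "cpu_killed"
    return "failed"

# Constructed stand-ins for request handlers that untrusted code might supply.
def polite_handler():
    bytearray(1024 * 1024)              # 1 MiB: well inside the cap

def greedy_handler():
    bytearray(8 * 1024 * 1024 * 1024)   # 8 GiB: refused by the kernel, not by Python

def spinning_handler():
    while True:                         # never returns; only the CPU cap stops it
        pass

if __name__ == "__main__":
    for handler in (polite_handler, greedy_handler, spinning_handler):
        print(handler.__name__, "->", run_isolated(handler))
```

This relies on Linux semantics for RLIMIT_AS; macOS does not enforce that limit, so the greedy case will not trip there.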