Guido van Rossum wrote:
> [Moving a discussion about capabilities to where it arguably belongs]
Thanks Guido. I'll respond to Ben here.
> The point about capabilities is that mere possession of a capability is all that is required to exercise it. If you start adding security checkers to them, then you don't have capabilities anymore.
Right. Jeremy keeps reminding me of this point. Zope 3 uses proxies in a way that doesn't conform to this definition. Zope proxies proxy an object to be protected *and* a policy object called a "checker". The checkers used in Zope perform checks at access time. One could, instead, perform the checks when the proxies are created or earlier and use checkers that simply allowed some names or operations and not others. IOW, you could certainly implement a strict capability model with Zope proxies.
> BTW, if you would like to explain why you don't think bound methods are the way to go on python-dev, I'd love to hear it.
I'll give an answer similar to Guido's but with a different emphasis.
I'm an object zealot. :) I like working with object oriented systems. I don't want to lose that and, thus, I don't want computation to be reduced to passing around basic values and functions. I want to be able to pass around objects with interfaces. Zope proxies make it easy to define a capability in terms of an interface. I think this is really important for object-oriented systems.
Another feature of Zope proxies that I think is important is that they automate creation of proxies. When you get an attribute from a proxy, the value is proxied. (Actually, the checker decides whether the value is proxied. Zope checkers proxy all objects except basic objects such as numbers, strings, and None.) When you perform an operation on a proxied object, the result is proxied. This means that the code being proxied doesn't have to be aware of proxies, capabilities, or a security model.
Note that when you access a method on a proxied object, the method itself is proxied. All you can do with a proxied method is call it, get its name, and convert it to a string. This is true even if the proxied method is passed to unrestricted code.
I agree that we all need restricted execution to work better than it does now. I was hoping that we could collaborate at a higher level as well.
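The proxy/checker model described in the message above, as an added illustration that is not part of the original thread and not Zope's own zope.proxy or zope.security code: a proxy pairs a protected object with a checker, the checker decides at access time which names are allowed, every non-basic result (attribute values, method return values) comes back wrapped in a new proxy, and a proxied method exposes nothing but call, name and string conversion. The `Account` class, the `Checker`/`Proxy`/`MethodProxy` names and the `demo()` function are constructed for this example.

```python
"""Simplified access-time proxy/checker model (added example, not Zope's code)."""


class Forbidden(Exception):
    """Raised when the checker does not permit an access."""


# Returned unwrapped, mirroring the post's "numbers, strings, and None".
BASIC_TYPES = (int, float, bool, str, bytes, type(None))


class Checker:
    """Policy object paired with a proxy: the attribute names it allows."""

    def __init__(self, allowed):
        self.allowed = frozenset(allowed)

    def check(self, name):
        # Access-time enforcement, as described for Zope 3. A strict
        # capability model would decide this once, at proxy creation.
        if name not in self.allowed:
            raise Forbidden(name)

    def proxy(self, value):
        """Wrap any non-basic value so the raw object never leaks out."""
        if isinstance(value, BASIC_TYPES):
            return value
        if callable(value) and not isinstance(value, type):
            return MethodProxy(value, self)
        return Proxy(value, self)


class Proxy:
    """Holds the protected object and its checker; checks every attribute get."""

    __slots__ = ("_obj", "_checker")

    def __init__(self, obj, checker):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)

    def __getattr__(self, name):
        checker = object.__getattribute__(self, "_checker")
        checker.check(name)
        value = getattr(object.__getattribute__(self, "_obj"), name)
        return checker.proxy(value)  # results are proxied automatically

    def __setattr__(self, name, value):
        raise Forbidden("set " + name)


class MethodProxy:
    """A proxied method: callable, has a name, converts to a string. Nothing else."""

    __slots__ = ("_func", "_checker")

    def __init__(self, func, checker):
        object.__setattr__(self, "_func", func)
        object.__setattr__(self, "_checker", checker)

    def __call__(self, *args, **kwargs):
        result = object.__getattribute__(self, "_func")(*args, **kwargs)
        # The call's result is proxied too; the called code is unaware of it.
        return object.__getattribute__(self, "_checker").proxy(result)

    def __str__(self):
        return "<proxied method %s>" % self.__name__

    def __getattr__(self, name):
        if name == "__name__":
            return object.__getattribute__(self, "_func").__name__
        raise Forbidden(name)  # __self__, __func__, __dict__ ... unreachable

    def __setattr__(self, name, value):
        raise Forbidden("set " + name)


class Account:
    """Constructed sample object to protect."""

    def __init__(self, owner, balance):
        self.owner = owner
        self.balance = balance

    def deposit(self, amount):
        self.balance += amount
        return self  # an object, so the proxy re-wraps it on return

    def withdraw(self, amount):
        self.balance -= amount
        return self.balance


def demo():
    """Hand code a deposit-only view of an account and record what it can do."""
    account = Account("alice", 10)
    view = Checker({"owner", "balance", "deposit"}).proxy(account)
    results = {"owner": view.owner, "deposit_name": view.deposit.__name__}
    results["after_deposit"] = view.deposit(5).balance  # returned proxy
    results["denied"] = []
    for denied in (lambda: view.withdraw, lambda: view.deposit.__self__):
        try:
            denied()
        except Forbidden as exc:
            results["denied"].append(str(exc))
    try:
        view.balance = 0
    except Forbidden:
        results["set_denied"] = True
    results["raw_balance"] = account.balance
    return results
```

Calling `demo()` shows the holder of the view can read `owner`, call `deposit` and read the balance of the proxied result, but cannot reach `withdraw`, the underlying bound method's `__self__`, or assign attributes; the unproxied `Account` is only ever touched through the checker.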