(I, Zooko, wrote the lines prepended with "> > ".)
Ben Laurie wrote:
> > In the capability way of life, it is still the case that access to the ZipFile class gives you the ability to open files anywhere in the system! (That is: I'm assuming for now that we implement capabilities without re-writing every dangerous class in the Library.)
> It would probably be helpful to explain what you (or, at least, I) would do if you (I) were writing from scratch, rather than "taming" the existing libraries. In this case, Zipfile would require a file capability to be passed to it at construction time, and so would become non-dangerous, which is, I think, where Guido is coming from.
Thank you. You are right about how I would do it, and I think you are right that this fits with Guido's approach, too.
I would make the constructor of the ZipFile class take a file object, and hide (at least from unprivileged code) the option of passing a filename to the constructor. This would make it so that no authority is gained by importing the zipfile module.
http://zooko.com/ ^-- under re-construction: some new stuff, some broken links
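As an added illustration of the design Zooko describes above (a ZipFile whose constructor accepts only an already-open file object, so that importing the module grants no authority), here is example code written for this page; it is not from the thread or from any tamed Python library, and the names `TamedZipFile`, `make_sample_archive`, `unprivileged_code` and `attempt_path_open` are hypothetical.

```python
import io
import zipfile


class TamedZipFile:
    """Capability-style wrapper (constructed example): accepts only an open
    file object, never a path, so holding this class confers no file authority."""

    def __init__(self, fileobj, mode="r"):
        # Reject anything that names a file on disk: str, bytes, or os.PathLike.
        if isinstance(fileobj, (str, bytes)) or hasattr(fileobj, "__fspath__"):
            raise TypeError("TamedZipFile requires an open file object, not a path")
        self._zf = zipfile.ZipFile(fileobj, mode)

    def namelist(self):
        return self._zf.namelist()

    def read(self, name):
        return self._zf.read(name)


def make_sample_archive():
    """Privileged side: builds an in-memory archive (constructed sample data)
    and hands it out as the only file capability the untrusted code receives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", b"hello from inside the archive")
    buf.seek(0)
    return buf


def unprivileged_code(archive_cap):
    """Untrusted side: can read the archive it was given, but has no way to
    name any other file on the system through this module."""
    tz = TamedZipFile(archive_cap)
    return tz.read("hello.txt")


def attempt_path_open(path):
    """Returns True if the tamed class refused a path argument without
    touching the filesystem (the check fires before any open happens)."""
    try:
        TamedZipFile(path)
    except TypeError:
        return True
    return False
```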