[Python-Dev] Capabilities (we already got one)

Ken Manheimer klm@zope.com
Tue, 1 Apr 2003 17:35:10 -0500 (EST)

On Tue, 1 Apr 2003, Ka-Ping Yee wrote:

> On Tue, 1 Apr 2003, Zooko wrote:
> > I think that in restricted-execution-mode (hereafter: "REM", as
> > per Greg Ewing's suggestion [1]), Python objects have
> > encapsulation -- one can't access their private data without their
> > permission.
> >
> > Once this is done, Python references are capabilities.
> Aaack!  I wish you would *stop* saying that!
> There is no criterion by which a reference is or is not a capability.
> To talk in such terms only confuses the issue.

I take the above, with a bit of license, to mean that REM enables
encapsulation for python objects, so they are closer to being safe to
use as capabilities.  Subsequent posts suggest that encapsulation
isn't actually achieved, but that's not the issue here - the issue, as
i understand it, is how to talk about enabling capability-based safety
in python code.

> It is possible to program in a capability style in any Turing-complete
> programming language, just as it is possible to program in an object
> style or a functional style or a procedural style.  The question is:
> what does programming in a capability style look like, and how might
> Python facilitate (or even encourage) that style?

I think the last part is, more specifically, "what measures need to be
taken to enable safe use of python objects for capability style

> To say that activating restricted execution mode causes things to
> "become" capabilities is as meaningless as saying that adding a feature
> to the C language would suddenly turn an arbitrary C program into an
> object-oriented program.

I'm not near as clear about all this as you seem to be, but i have the
feeling the statements are not as meaningless as you're suggesting.
I *do* think that getting more clear about what the questions are that
we're trying to answer would be helpful, here.

One big one seems to be: "What needs to be done to enable effective
("safe"?) use of python object (references) as capabilities?"  I've
seen answers to this roll by several times - i think we need to settle
them, and collect the conclusions in a PEP.  And we need to identify
what other questions there are.

One more probably is, "how do we use python objects as capabilities,
once we can ensure their safety?"  And maybe it'd be helpful to
elaborate what "safety" means.


  Alan Turing thought about criteria to settle the question of whether
  machines can think, a question of which we now know that it is about
  as relevant as the question of whether submarines can swim.
                                          -- Edgser Dijkstra