[Python-Dev] Capabilities

Ben Laurie ben@algroup.co.uk
Thu, 03 Apr 2003 11:43:10 +0100


Zooko wrote:
> In the capability way of life, it is still the case that access to the ZipFile 
> class gives you the ability to open files anywhere in the system!  (That is: I'm 
> assuming for now that we implement capabilities without re-writing every 
> dangerous class in the Library.)  In this scheme, there are no flags, and when 
> you run code that you think might misuse this feature, you simply don't give 
> that code a reference to the ZipFile class.  (Also, we have to arrange that it 
> can't acquire a reference by "import zipfile".)

It would probably be helpful to explain what you (or, at least, I) would 
do if you (I) were writing from scratch, rather then "taming" the 
existing libraries. In this case, Zipfile would require a file 
capability to be passed to it at construction time, and so would become 
non-dangerous, which is, I think, where Guido is coming from.

The risk only occurs because we want to not rewrite the whole library, 
just to wrap it, and its important to understand that this isn't really 
the "proper" way to do it (though, of course, the ZipFile class is not 
unlike any of the other non-capability things we'd have to wrap anyway, 
given a non-capability OS underneath, it just happens to be one that 
_can_ be rewritten if we want to rewrite it).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff