[Python-Dev] Re: Capabilities

Jim Fulton jim@zope.com
Sun, 09 Mar 2003 06:01:18 -0500

Guido van Rossum wrote:
> [Moving a discussion about capabilities to where it arguably belongs]

Thanks Guido. I'll respond to Ben here.

> [Ben Laurie]
>>The point about capabilities is that mere possession of a capability is 
>>all that is required to exercise it. If you start adding security 
>>checkers to them, then you don't have capabilities anymore.

Right. Jeremy keeps remining me of this point. Zope 3 uses proxies
in a way that doesn't conform to this definition. Zope proxies
proxy an object to be protected *and* a policy object called a "checker".
The checkers used in Zope perform checks at access time.  One could,
instead, perform the checks when the proxies are created or earlier
and use checkers that simply allowed some names or operations and not
others. IOW, you could certainly implement a strict capability model
with Zope proxies.


>>BTW, if you would like to explain why you don't think bound methods are 
>>the way to go on python-dev, I'd love to hear it.

I'll give an answer similar to Guido's but with a different emphasis.

I'm an object zealot. :) I like working with object oriented systems.  I don't
want to lose that and, thus, I don't want computation to be reduced to passing
around basic values and functions.  I want to be able to pass around objects
with interfaces.  Zope proxies make it easy to define a capability
in terms of an interface. I think this is really important for
object-oriented systems.

Another feature of Zope proxies that I think is important is that they
automate creation of proxies. When you get an attribute from a proxy,
the value is proxied. (Actually, the checker decides whether the value
is proxied. Zope checkers proxy all objects except basic objects such
as numbers, strings, and None.) When you perform an operation on a proxied
object, the result is proxied.  This means that the code being proxied doesn't
have to be aware of proxies, capabilities, or a security model.

Note that when you access a method on a proxied object, the method itself is
proxied. All you can to with a proxied method is call it, get it's name, and
convert it to a string. This is true even of the proxied method is passed to
unrestricted code.

I agree that we all need restricted execution to work better than it does
now.  I was hoping that we could colaborate at a higher level as well.


Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (888) 344-4332            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org