top | item 18986867

(no title)

bluetech | 7 years ago

I think object-capabilities are one way to have much safer code reuse. Suppose a dependency exports a class UsefulService. In current languages, such a class can do anything - access the filesystem, access the network, etc. Suppose however that the language enforces that such actions can only be done given a reference to e.g. NetworkService, RandomService, TimeService, FilesystemService (with more or less granularity). Therefore if UsefulService is declared with `constructor(RandomService, TimeService)`, I can be sure it doesn't access any files, or hijacks any data to the network - nor do any of its transitive dependencies.

The method of sandboxing using OS processes + namespaces and what not is too heavy and unusable at such granularity.

The method of per-dependency static permission manifests in some meta-language is also poor.

The method of a single IO monad is too coarse. Also using any sort of `unsafe` should not be allowed (or be its own super-capability).

Obviously there are many tricky considerations. [For example, it is anti-modular - if suddenly UsefulService does need filesystem access, it's a breaking change, since it now must take a FilesystemService. But that sounds good to me - it's the point after all.] But does any language try to do this?

discuss

No comments yet.