Squeak Sandboxes?

Jecel Assumpcao Jr jecel at merlintec.com
Wed Aug 15 19:18:39 UTC 2001


On Wednesday 15 August 2001 13:04, Noel J. Bergman wrote:
> Right now people tend to treat an image as a sandbox.  "If you break
> it, create a new image."
>
> In the spirit of further evolving the concept of protecting parts of
> the environment, what would it take to limit access to trusted receivers
> from untrusted senders?  This would effectively allow building
> "sandboxes" inside of Squeak, although that is just a subset of the
> consequences.

Since we already need some kind of viewpoint or package system (as 
suggested by Dan Ingalls. BTW, is anyone going to do the comparison he 
asked for?), we could build a capability-like system on top of that.

If we have an object A, some other objects won't have a reference to it 
and won't be able to access it at all. Others will have a reference to 
a limited perspective and so won't be able to send any messages that 
change it. Still others will have a reference to a more complete 
perspective and will be able to make a mess (I am supposing we trust 
them not to do so).

This is much more flexible than the typical capability read/write bits 
and will also allow A to be seen from a MathPackage perspective as well 
as from a FrogGame perspective.

Of course, just having the infrastructure isn't enough. You then have 
to set up all the references just right and that is a lot of work!

-- Jecel
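
The perspectives described in this message can be sketched as frozen forwarding objects, each answering only a chosen subset of A's messages. This is an added example, not part of the original post and not Squeak code: it is written in JavaScript, and makeFrog, perspective, mathView and gameView are hypothetical names.

```javascript
// Added illustration; all names here are hypothetical.

// Object "A" (constructed sample): its state lives in closure variables,
// so the only way to touch it is through the messages below.
function makeFrog() {
  let x = 0, y = 0;
  const frog = {
    x: () => x,
    y: () => y,
    distanceFromOrigin: () => Math.sqrt(x * x + y * y),
    hop: (dx, dy) => { x += dx; y += dy; return frog; },
    reset: () => { x = 0; y = 0; return frog; },
  };
  return frog;
}

// A perspective forwards only the listed messages to the target. It has no
// prototype and is frozen, so a holder can neither reach other messages
// nor add or replace any.
function perspective(target, selectors) {
  const view = Object.create(null);
  for (const name of selectors) {
    if (typeof target[name] !== 'function') {
      throw new TypeError(`target does not understand ${name}`);
    }
    view[name] = (...args) => {
      const result = target[name](...args);
      // A method that answers the target itself would leak the full
      // reference; answer the perspective instead.
      return result === target ? view : result;
    };
  }
  return Object.freeze(view);
}

// Trusted setup code: the only place that ever holds the full reference.
function demo() {
  const frog = makeFrog();
  const mathView = perspective(frog, ['x', 'y', 'distanceFromOrigin']); // read-only
  const gameView = perspective(frog, ['x', 'y', 'hop']);                // may move A
  const hopResult = gameView.hop(3, 4);
  // Both perspectives see the same underlying object.
  return { mathView, gameView, hopResult, distance: mathView.distanceFromOrigin() };
}
```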



