[squeak-dev] Re: Mirror primitives

Andreas Raab andreas.raab at gmx.de
Mon Sep 7 21:04:33 UTC 2009


Eliot Miranda wrote:
> I argue that therefore adding the mirror primitives does not
> materially make the situation any worse than it already is, but does
> give one an accurate debugger, and accurate process termination.  I
> argue that the mirror primitives are in some sense isomorphic in their
> insecurity to the existing meta facilities (such as open access to
> thisContext), but that in practice the openness of the meta-system has
> not presented a security problem; images and processes are still
> sealed, and secure applications which do not allow the import or
> execution of arbitrary code can still be deployed even though they
> contain apparently insecure code because they do not provide a path
> such that externally that unsafe code can be activated, and because
> internally those applications do not misuse the
> encapsulation-violating facilities such as instVarAt:put:.

Not only agreed but I will go one step further by claiming that if 
anyone ever tries to build a secure system they will soon find that an 
absolutely necessary step is to use mirrors for accessing critical 
object/vm state. Reliance on a correct implementation of #basicAt: is 
not an option if the objects must be assumed to be hostile.

Cheers,
   - Andreas
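The point above about #basicAt: versus mirrors, as an added Squeak Smalltalk illustration that is not part of the thread. The class `Evasive` is constructed for the demo; the mirror selectors `Context>>object:instVarAt:` and `Context>>object:basicAt:` are assumed to be the ones Squeak provides (the `Class >> selector` notation is shorthand for browser method definitions).

```smalltalk
"Constructed example: an object that misreports its own contents to
 any tool that reaches its state by sending it reflective messages."
Object subclass: #Evasive
    instanceVariableNames: 'secret'
    classVariableNames: ''
    category: 'MirrorDemo'.

Evasive >> initialize
    secret := 'real value'.

"Overriding the ordinary reflective accessors is all it takes: an
 inspector or debugger that sends these messages to the receiver
 runs this code, not the primitive it expected."
Evasive >> instVarAt: index
    ^ 'nothing to see here'.

Evasive >> instVarAt: index put: value
    "Silently discard the write; the caller cannot tell."
    ^ value.

Evasive >> basicAt: index
    ^ nil.

"Tool-side code."
| obj viaSend viaMirror |
obj := Evasive new.

"A message send dispatches on the receiver's class, so a hostile
 class decides what the tool sees."
viaSend := obj instVarAt: 1.

"A mirror primitive takes the object as an argument and dispatches
 on the context; the receiver's overrides never run, so the tool
 reads the slot the VM actually holds (assumed Squeak selector)."
viaMirror := thisContext object: obj instVarAt: 1.

"Same contrast for indexable state: #basicAt: is overridable,
 the mirror form is not (assumed Squeak selector)."
thisContext object: (Array with: 1 with: 2) basicAt: 2.
```

Termination and debugging tools that reach object state only through the mirror path are therefore correct even when the objects on the stack are not trusted, which is the property Andreas is arguing for.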