[squeak-dev] new VM directory structure for 5.3

tim Rowledge tim at rowledge.org
Sun Jan 12 19:29:08 UTC 2020

> On 2020-01-12, at 2:04 AM, K K Subbu <kksubbu.ml at gmail.com> wrote:
> 
> There is too much coupling between Squeak and its host in the FileDirectory classes. Squeak (vm+image) is a full-fledged virtual machine and should be sandboxed from its underlying host.
> 
> Each plugin punches a hole through this barrier. As long as the plugin is a consumer of host services (e.g. fonts) it is fine, but if it involves writes/updates (like in FileDirectory) sandboxing needs to be enforced. For a multi-platform machine like Squeak, leaking host-specific details like pathnames or keyboard codes into the image should be a big no-no.

I think I disagree with that. There are certainly cases where you want to have some variety of sandbox around your system - I guess a deployed application may be an example. And for all its probable faults, that is what the SecurityPlugin is an attempt to provide.

But for my development tool I want total access.

For handling the host specific matters I'd prefer as much as possible for the vm to *not* deal with them but to have system specific *image code*. It isn't always practical, certainly, but having code to convert OS specific keyboard info to what we want is much, much more flexible than sticking a lot in the vm where we can't fix issues so quickly.

For file access I'd much prefer the image code to call out to host APIs via ffi/alien/systemcall than have a complex of not terribly flexible plugins wrapping it up opaquely. Eliot & I did that decades ago and it was very useful. Of course, there are places where it's simply too painful due to complex OS dances that involve calling back callback interrupt handler handlers that handle callbacks by interrupting... something.

In fact, trying to improve that opacity was why plugins got invented in the first place; Andreas & I wanted a way to wrap vm code in a way that meant we could update *parts* of the vm rather than all of it at once. That's why external plugins (are supposed to) override internal ones. And of course that is a weakness of the SecurityPlugin concept, since I can simply put a version that skips over any checks into the appropriate directory and end-run the checks.

Oh and {insert generic long term whine about awful state of filename/directory stuff} whine, whimper.

tim
--
tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
Strange Opcodes: FART: Fill Accumulator from Result if True
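The loader behaviour Tim describes (an external plugin in the plugin directory shadowing the VM's built-in copy, so a replaced SecurityPlugin defeats the checks) is easy to reason about with a small model. The following is an added illustration, not code from the Squeak VM or from anyone on this thread; the `.so` file naming, the `pinned_internal` set and the `trusted_hashes` allowlist are assumptions of the example, chosen to show two ways a loader could keep a security-critical plugin from being overridden from disk.

```python
"""Toy model of VM plugin lookup order.

Constructed example: it is not the Squeak VM's loader, only a model of the
"external overrides internal" resolution order and two defensive policies.
"""
import hashlib
import tempfile
from pathlib import Path

# Built-in plugins compiled into the VM, modelled as name -> implementation tag.
INTERNAL_PLUGINS = {
    "SecurityPlugin": "internal:SecurityPlugin",
    "FilePlugin": "internal:FilePlugin",
}


def sha256_file(path: Path) -> str:
    """SHA-256 of a file on disk, used for the optional allowlist check."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def resolve_plugin(name, external_dir, *, pinned_internal=frozenset(),
                   trusted_hashes=None):
    """Return which implementation of `name` the loader would pick.

    Default order is external-first: a file named `<name>.so` dropped into
    `external_dir` shadows the internal copy (the weakness discussed above).

    `pinned_internal` (assumption): plugin names that are never taken from
    disk, so a security-critical plugin cannot be shadowed.
    `trusted_hashes` (assumption): when given, an external plugin is only
    accepted if its SHA-256 digest is in this allowlist; otherwise the loader
    falls back to the built-in implementation.
    """
    if name in pinned_internal:
        return INTERNAL_PLUGINS.get(name)

    external = Path(external_dir) / f"{name}.so"
    if external.is_file():
        if trusted_hashes is None or sha256_file(external) in trusted_hashes:
            return f"external:{external.name}"
        # External copy present but not on the allowlist: ignore it.
        return INTERNAL_PLUGINS.get(name)

    return INTERNAL_PLUGINS.get(name)


def demo():
    """Run the four resolution scenarios against a throwaway plugin directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp)
        # Constructed stand-in for a replacement SecurityPlugin dropped on disk.
        (ext / "SecurityPlugin.so").write_bytes(b"constructed stand-in plugin")
        return {
            # external-first: the on-disk copy wins
            "default": resolve_plugin("SecurityPlugin", ext),
            # pinned: the loader never looks on disk for this plugin
            "pinned": resolve_plugin("SecurityPlugin", ext,
                                     pinned_internal={"SecurityPlugin"}),
            # allowlist is empty, so the on-disk copy is rejected
            "allowlisted": resolve_plugin("SecurityPlugin", ext,
                                          trusted_hashes=set()),
            # no external file at all: built-in copy is used
            "missing": resolve_plugin("FilePlugin", ext),
        }


if __name__ == "__main__":
    for scenario, choice in demo().items():
        print(f"{scenario:12} -> {choice}")
```

The point of the model is the contrast between the first and the other two scenarios: with external-first resolution and no further check, whoever can write to the plugin directory decides which SecurityPlugin runs, whereas pinning the plugin to the built-in copy, or requiring an allowlisted digest, keeps that decision with the VM.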