Retrofitting objcaps

Andreas Raab andreas.raab at gmx.de
Thu Oct 19 16:56:14 UTC 2006


Matej Kosik wrote:
> However, if I passed a reference to the `point' object to you (to your
> code), would I be able to stop you (your code) from doing
> 
> 	point class compile: 'x ^ whatever'
> 
> ? If not, then this is not the solution to the original problem. It
> would be necessary to ban the "compile:" class method. And since
> Smalltalk has many crooked lanes, we could again miss some other
> vulnerabilities.

Of course you could prevent that but the art is in restructuring the 
class libraries to serve this goal. The trivial solution is to override 
access to the method dictionary by, e.g.,

ConstantPoint class>>addSelector: selector withMethod: method
	"refuse to install any method on this class"
	self error: 'Poop'.

or somesuch. That's not enough by far but it shows the general direction 
(Lex has a lot of that in his whitepaper).

> Does `point' have a class? Yes. Its name is
> 
> 	point class
> 
> In my case `Object1'. What would prevent anyone from doing this
> 
> 	(Smalltalk at: #Object1) compile: 'x ^ 10'
> 
> this should again be banned.

This is why I used #newUniclass. In Tweak, this creates an anonymous 
subclass which is marked by an asterisk in front so

	Point newUniclass name -> #'*Point'

and it's not in the global system dictionary either. Of course there are 
currently many other ways of getting your hands at it, like enumerating 
the subclasses of point, or just all objects in memory. All of these 
need to be tamed.

> It must be enforced that something like
> that is impossible. I am afraid that the number of possible
> vulnerabilities is overwhelming. Although this is related to the
> "libraries" rather than to the language, the question is whether the
> "libraries" can be "tamed" or whether the whole thing should be thrown
> away and everything restarted with security in mind from the beginning.
> In E they've done it. I believe. The tendency to keep current languages
> and "add security" is caused by the fact that we love Smalltalk
> (Python, Ruby, Java, Erlang, ...) and do not want to turn away from it. I
> am not proposing that everyone switch to E, I am not part of the E project,
> I am only amazed; the question is, if we are really concerned with
> security, whether such a switch (directly or indirectly) would not be
> necessary. Adding convenience/nice gui/great gui tools to E could be
> possible whereas adding security to Smalltalk/Java/Python/Ruby/Erlang
> may turn out to be
> - either impossible
> - or we will end up with essentially some almost E-quivalent (and thus
> contributing to world fragmentation)

The easier thing to do is to introduce an arbitrary layer on top of our 
current system and use that as a baseline for programming. As you 
progress, you move more and more from the layers below (which 
effectively form your TCB) to the layers on top.

Cheers,
   - Andreas
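The sketch above (overriding the method-dictionary hook, then discovering that the class is still reachable by enumeration) as an added, fuller example. This is not code from the thread, from Tweak, or from Squeak itself. It assumes stock Squeak 3.x: the `Point subclass:...category:` definition message, `Behavior>>compile:`, `Behavior>>addSelector:withMethod:`, `Behavior>>addSelector:withMethod:notifying:`, `Behavior>>methodDictionary` answering the live dictionary, and `Behavior>>>>`; the class name `SealedPoint` and the category name are made up for the example. The first part is fileIn chunk format, the second a Workspace session.

```smalltalk
"Added example, not code from the thread or from Tweak/Squeak.
 Part 1 seals a Point subclass against late method installation.
 Part 2 probes two holes the override does not close, which is the
 'not enough by far' point above. Assumed: Squeak 3.x hooks named
 in the lead-in; SealedPoint and the category are invented names."

Point subclass: #SealedPoint
	instanceVariableNames: ''
	classVariableNames: ''
	poolDictionaries: ''
	category: 'Example-Sealed'!

!SealedPoint class methodsFor: 'sealing'!
addSelector: selector withMethod: method
	"Refuse any method installation on the class object SealedPoint."
	^self error: 'SealedPoint is sealed: ', selector printString, ' not installed'!

addSelector: selector withMethod: method notifying: requestor
	"Assumption: depending on the Squeak version, compile: installs through
	 this variant rather than addSelector:withMethod:, so block both."
	^self error: 'SealedPoint is sealed: ', selector printString, ' not installed'!

compile: code
	"Also cut the source-level entry point so the attempt fails before
	 the compiler even runs."
	^self error: 'SealedPoint is sealed: compile: refused'! !

"Part 2: Workspace session (select all, Do It, watch the Transcript)."
| p |
p := SealedPoint x: 3 y: 4.

"1. The attack from the thread is refused and x still answers 3."
[p class compile: 'x ^ 10']
	on: Error
	do: [:ex | Transcript show: 'blocked: ', ex messageText; cr].
Transcript show: 'p x = ', p x printString; cr.

"2. Not enough: the MethodDictionary itself is still reachable, so a
 method can be dropped in without ever sending compile: (assumption:
 methodDictionary answers the live dictionary, not a copy)."
p class methodDictionary at: #x put: (Point >> #x).
Transcript show: 'direct methodDictionary at:put: raised no error'; cr.

"3. Even if the class were removed from Smalltalk, it is still found by
 enumerating Point's subclasses, the other leak mentioned above."
Transcript show: 'reachable via Point subclasses: ',
	(Point subclasses includes: p class) printString; cr.
```

Part 2 is deliberately the check a practitioner wants after writing Part 1: each line that does not raise is a remaining path into the class that the library restructuring would also have to close (direct `methodDictionary` access, `subclasses` / `allSubclasses`, `allInstances`, and whatever else reaches the class object).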
