[squeak-dev] Mirror prims

Stephen Pair stephen at pairhome.net
Wed Dec 16 20:25:29 UTC 2009


On Wed, Dec 16, 2009 at 2:24 PM, Bert Freudenberg <bert at freudenbergs.de> wrote:

> On 16.12.2009, at 18:43, Eliot Miranda wrote:
>
> > In the bright rosy future concoct a convincing story around capabilities or
> > mirrors which carefully modulate use of these facilities so they can't be
> > misused.
>
> That's exactly my point - I don't see how you could do a safe
> capability-based system with those primitives that can work around any
> encapsulation and hence can circumvent any capabilities.
>
> - Bert -
>

Implementing a proper capability-based system in Squeak is likely to be an
exercise in futility.  However, in a system built from the ground up with a
capability-based security model, this is a non-issue.  Any code that should
not have access to these primitives would not have access to them.  In such
a system, you would not be able to freely turn any method into a primitive
as you can in Squeak... you would need access to a compiler that had those
capabilities... and invocation of such primitives would require having a
reference to some kernel object that implements those primitive
methods... which you would only offer to code that you trusted, or under
circumstances where that level of security wasn't required (i.e., development
or debugging).

- Stephen
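
An illustration of the design described in the message above, added here and not part of the original post or of Squeak: the encapsulation-breaking operations exist only as methods on a kernel "mirror" object, so code can use them only if it was handed a reference to that object. JavaScript closures stand in for the ground-up capability system, and every name (`makeKernel`, `makeAccount`, `mirror`, `instVarAt`, `instVarAtPut`, `readOnly`) is a hypothetical chosen for the sketch.

```javascript
'use strict';
// Added illustration; makeKernel, makeAccount, mirror, instVarAt,
// instVarAtPut and readOnly are hypothetical names, not Squeak or VM APIs.

function makeKernel() {
  // Hidden slot table: reachable only from closures created in this scope.
  const slots = new WeakMap();

  // Ordinary objects keep their state in the kernel's table, not on themselves.
  function makeAccount(balance) {
    const self = Object.freeze({
      deposit(n) { slots.get(self).balance += n; },
      balance() { return slots.get(self).balance; },
    });
    slots.set(self, { balance });
    return self;
  }

  // The "mirror prims": they bypass encapsulation, but only for code that
  // holds a reference to this object.
  const mirror = Object.freeze({
    instVarAt(obj, name) { return slots.get(obj)[name]; },
    instVarAtPut(obj, name, value) { slots.get(obj)[name] = value; },
  });
  return { makeAccount, mirror };
}

// Attenuation: derive a weaker capability that can inspect but not mutate.
function readOnly(mirror) {
  return Object.freeze({
    instVarAt: (obj, name) => mirror.instVarAt(obj, name),
  });
}

function demo() {
  const { makeAccount, mirror } = makeKernel();
  const account = makeAccount(100);
  const inspector = readOnly(mirror);          // what a debugger UI is given
  mirror.instVarAtPut(account, 'balance', 0);  // trusted holder of the full mirror
  return {
    visibleKeys: Object.keys(account),         // all that untrusted code can see
    inspected: inspector.instVarAt(account, 'balance'),
    inspectorCanWrite: 'instVarAtPut' in inspector,
  };
}

console.log(demo());
```

Code that receives only `account` has no path to the slot table, and a mirror from a different kernel instance cannot read this kernel's objects.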