[cap-talk] Selling capabilities programming
James A. Donald
jamesd at echeque.com
Tue Jul 17 22:26:58 EDT 2007
Jonathan S. Shapiro wrote:
> David's response suggests to me that he is thinking
> about language-based issues (therefore a local cap
> system) in which GC is used to decide when an object
> may be reclaimed. In a language-based system,
> capabilities are the only object references, so being
> able to GC them is important.
> What I think this misses is that it would be flatly
> silly for a language-based system to use cryptographic
> or sparse capabilities.
I agree entirely that a language that does not permit
code to be written which violates capability constraints
should not be written using sparse capabilities.
But nothing much is ever going to be written in such a
language: The justification for capabilities arises
when one has a great deal of software written by an
alarmingly large number of people, and is therefore
concerned that some of that software may deliberately or
inadvertently do bad things, or inadvertently do bad
things which bad people can utilize to intentionally do
bad things. Thus it can never be the case that it is
useful to write any small set of software in a
capabilities language, and since a set of utilities must
be small before it is large ...
Critical mass problem.
The best use case I can see for such a language is as
the scripting language for a shell in a capabilities-based
operating system, where it is largely used to
script utilities written in C++, C and assembler.
One way around the critical mass problem would be for
the military to sponsor a gigantic rewrite. My
interpretation of the history of technology is that the
military is a great *customer* for leading edge
technology, but anything created *by* the military, or
any large government department, is no good, and thus
the result of such a rewrite would be no good. Others,
however, interpret history differently.
On my interpretation of the history of technology, one
would first need to produce a Bitfrost-like desktop,
aimed at the high end rather than the low end, and once
it was reasonably useful and usable, might *then* sell
it to the military. You are not going to get a
contract to produce such a desktop, and if you did, you
would get a contract to produce an unusable desktop and
not be permitted to produce a desktop that anyone would
want to use. Before you get anywhere selling a desktop
written in a capabilities language to the military, it
would have to be a great deal more impressive than
anything that has been produced so far, and sufficiently
good that the military would not screw it up too much.