kenton at google.com
Fri Mar 5 12:55:19 PST 2010
On Fri, Mar 5, 2010 at 9:21 AM, David Wagner <daw at cs.berkeley.edu> wrote:
> Object capabilities are often understood to include the following:
> * A design practice of building abstractions with encapsulation.
> * Programming on a platform (e.g., language, OS) that is free of
> ambient authority.
> * Ensuring that access to all security-relevant resources can be
> done only via unforgeable references (capabilities).
My point here is that your latter two points (which seem like the same point
to me) really boil down, in OO terms, to "don't use singletons". As it
turns out, there is now widespread agreement among OO programmers that
singletons should not be used. The problem is that most platform libraries
(designed before people understood the dangers of singletons) still expose
the filesystem and other resources as singletons.
For people who already agree that singletons are bad, it should not be that
hard to convince them that they should use a platform API that avoids
singletons, and perhaps even a programming language that bans them. Once
they do that, they're now writing capability-based code.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cap-talk