[e-cvs] cvs commit: e/doc/download/0-8-10delta index.html
markm@eros.cs.jhu.edu
Fri, 14 Dec 2001 14:05:22 -0500
markm 01/12/14 14:05:22
Modified: doc/download/0-8-10delta index.html
Log:
highlights
Revision Changes Path
1.6 +62 -1 e/doc/download/0-8-10delta/index.html
Index: index.html
===================================================================
RCS file: /cvs/e/doc/download/0-8-10delta/index.html,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- index.html 2001/12/14 07:46:51 1.5
+++ index.html 2001/12/14 19:05:22 1.6
@@ -140,7 +140,7 @@
<blockquote>
<p>eDesk is a desktop and designed-to-be-secure(*) computing environment
- built on the E platform, for the installation an running of <i>caplets</i>
+ built on the E platform, for the installation and running of <i>caplets</i>
-- capability-based applets/applications that run with only the authority
that has been explicitly given to them.</p>
<p>A secure computing architecture means little for its human users unless
@@ -211,7 +211,68 @@
Term</a> expressions and patterns.</p>
<hr>
<p>(*) For XML, let's say instead "perceived as simple".</p>
+ </blockquote>
+ <h3>Taming the Java API with *.safej Files</h3>
+ <blockquote>
+ <p>One of the more controversial aspects of E's history is our decision
+ to build on the Java platform, among other things, in order to inherit
+ its great wealth of libraries. The biggest problem with this plan is
+ that the Java libraries were not designed according to capability discipline
+ or style. The good news is that good modular object code is often very
+ close to being good capability code, and much of the Java API that we
+ wished to inherit was indeed close in this sense. So, in most cases,
+ closing the remaining gap was more a matter of <i>taming</i> (or domesticating,
+ or housebreaking) rather than wrapping or replacing with a redesign.</p>
+ <p>Historically and still, this taming is done by hard coding within the
+ E implementation. (Actually, it is partly data driven, by only by hard
+ coded tables scattered through the E implementation.) This has worked
+ for the scale of taming we have so far made implicitly available to
+ *.emaker and *.caplet files, but is woefully inadequate for the actual
+ needs of caplets. Caplets are generally interactive, and so need access
+ to a substantial portion of the AWT and Swing APIs. These are too large
+ for taming by hard coding.</p>
+ <p>Instead, MarcS wrote a tool, the <i>capAnalyzer</i> (not yet released,
+ but expect it soon), with which he interactively examined the relevant
+ portions of the AWT and Swing APIs. The results of the analysis of each
+ class are present, though unused, in this delta release as a Term tree
+ in a *.safej file available in the e.jar as a resource:</p>
+ <blockquote>
+ <pre>? println(<resource:java/awt/AWTEvent.safej> getText())<br>class(name("java.awt.AWTEvent"),<br> method(static("true"),<br> signature("new(Event)"),<br> suppress("true"),<br> comment),<br> method(static("true"),<br> signature("new(Object, int)"),<br> suppress("true"),<br> comment),<br> method(static("false"),<br> signature("setSource(Object)"),<br> suppress("true"),<br> comment),<br> method(static("false"),<br> signature("getID()"),<br> suppress("true"),<br> comment),<br> method(static("false"),<br> signature("toString()"),<br> suppress("true"),<br> comment),<br> method(static("false&qu!
ot;),<br> signature("paramString()"),<br> suppress("true"),<br> comment),<br> byproxy,<br> selfless,<br> byconstruction,<br> persistent,<br> safe("false"),<br> comment)</pre>
+ </blockquote>
+ <p>Some parts of this are currently placeholders for expected taming info
+ yet to come -- the <code>byproxy</code>, <code>selfless</code>, <code>byconstruction</code>,
+ and <code>persistent</code> attributes, that will say whether instances
+ of the class should be considered by E to have these properties. (Note
+ that <code>byconstruction</code> and <code>persistent</code> both will
+ require the class to be <code>Serializable</code>. <code>byproxy</code>
+ excludes <code>selfless</code> or <code>byconstruction</code>.) "true"
+ and "false" should not have quotes around them (my mistake).
+ If a comment is present, it isn't for the purpose of a Javadoc comment
+ on the method or class itself -- which we also perhaps need to capture
+ in a resource, for use in interactive help -- but rather a comment explaining
+ this taming decision, also perhaps useful in interactive help as an
+ addendum to the Javadoc comment. Such a comment, if present, would be
+ shown as a "comment" terms with a string argument.</p>
+ <p>The most important field is the "<code>safe</code>" attribute.
+ This says whether the class itself should be made implicitly importable
+ by using the universally accessible <code><import:...></code>
+ expression. If not, then the class is still importable by <code><unsafe:...></code>,
+ which is available only in the privileged scope. The API of a class
+ and its instances are to be tamed by the above description regardless
+ of how it was imported.</p>
+ <p>This delta release does not yet process these <code>*.safej</code>
+ files at all. It still does its taming only by the far more conservative
+ manual hard coding. As a result, the caplet environment contains unsafe
+ <i>scaffolding</i> code -- code with grants to a caplet instance the
+ ability to import untamed AWT and Swing classes. Until this scaffolding
+ code is removed, we can only say that the caplet environment was architected
+ to be secure, not that it is actually secure. We include the <code>*.safej</code>
+ files in this release anyway so that y'all can have a look and double
+ check our taming decisions before we make them operational. If you find
+ any taming decision to even be puzzling, please let <a href="webmaster@erights.org">us</a>
+ know.</p>
</blockquote>
+
<h1><a name="variants"></a>Variants and Subsets of E</h1>
<p>A complete <font color="#009000"><em><b>E</b></em></font> system is persistent,
distributed, and capability-secure both within and between processes.
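Review bot: the capability expressions written literally in the added text, `<resource:java/awt/AWTEvent.safej>` inside the `<pre>` block and `<import:...>` / `<unsafe:...>` in the paragraph on the `safe` attribute, are not HTML-escaped, so a browser parses `<resource:...>` as a start tag and drops everything up to the next `>`; they need `&lt;...&gt;` (the `&quot;` entities on the same line show the rest of that block was escaped). Two smaller points in the same region: `<a href="webmaster@erights.org">` lacks the `mailto:` scheme, so it resolves as a relative URL under the download directory instead of opening a mail client; and the `<br>` tags inside `<pre>` are redundant there (newlines already render) and keep the whole Term tree on one source line, which is what the mailer wrapped at `&qu!` / `ot;` in this message. Wording: "by only by hard coded tables" reads "but only by hard coded tables"; "code with grants to a caplet instance the ability" reads "code which grants a caplet instance the ability"; "a "comment" terms" reads "a "comment" term". Since the paragraph itself says the quotes around "true" and "false" are a mistake, consider regenerating the sample from the capAnalyzer before publishing a form readers are asked to double-check.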