purse deposit and the Cambio

Ka-Ping Yee ping@lfw.org
Sat, 19 Jun 1999 08:35:14 -0700 (PDT)


On Sat, 19 Jun 1999, Mark S. Miller wrote:
> 
> [-] "depositInto" gets the trust issues wrong.

[+] Your explanation is clear to me now.

Perhaps this suggests a maxim: "be wary of return values from objects
you don't trust".  In general, it seems that you'll usually be passing
untrusted objects in messages (you want to be careful about giving
away trusted objects to Darth), and getting return values from trusted
objects (you want to be careful about untrusted objects that may lie to
you).  Does that sound like a good principle?

Maybe a smart source editor for E should even notice which variables
are local and which variables are passed into a particular object
definition, and colour the identifiers differently.  That way, one
can be trained to feel suspicious when one sees a particular colour
next to :=.

> Not only does Darth get all the JoeBucks previous customers had paid to this 
> Cambio, Darth also gets all the BettyBucks that this Cambio pays in exchange 
> for 300 JoeBucks.  The contrast between these two blocks of code is probably 
> a good example for explaining capability programming principles.

[+] Yes, this is an excellent example.  It has improved my understanding
a lot.  My question yields no new information for you, but i'm still
glad this got written down.



-- ?!ng

"If I have not seen as far as others, it is because giants were standing
on my shoulders."
    -- Hal Abelson