Side-effect free containers for E

Marc Stiegler
Wed, 9 Aug 2000 10:09:37 -0700

> Due to the inefficiency of the Const containers, most E programmers
> will only use the Flex versions. This introduces a number of potential
> security pitfalls.

Just to keep perspective on things, this problem is not quite as bad as it
seems. There is one particular reason why programmers will use Const
containers even in the current E, and that one use is in a place where
security issues arise.

Specifically, when shipping containers between vats in a distributed
system, Const containers quickly pay for themselves by allowing you to use
synchronous calls for the contents rather than having to rely on eventual
sends and their heavier syntactic/programming burden.

This is not to say a const-only system would not have benefits; it is merely
to help properly scope the severity of the problem.

Also, remember that one of the goals of E is to lure people in from outside
our current community. One point in favor of flex containers is that people
coming from outside the security world will expect to see such things, and
would be surprised by their absence. Once people are inside our community,
of course, they will realize quickly, with their increasing enlightenment,
what they should do (and what features of E they should avoid) when they are
building real secure systems :-)

I have not yet built a program in E in which the existence of flex
containers threatened my security architecture: I have used flex containers
when they made sense and did not violate my security requirements, and not
used them when they did violate my security. As long as E supports styles of
programming that enable security for applications that need it, I believe it
is okay for E to support styles of programming that don't prohibit insecure
styles for applications that don't.

Bottom line, unless the transition for an ordinary programmer from
flex/const containers to Hydro containers is as easy as falling off a log
(and I don't know the Hydro containers so I don't know, would the transition
be that easy?), I would have to oppose this change.