[E-Lang] expression-style syntax is insecure? (was: multiple-domain language, plus Super Newbie is lost without "The Dot" (was: down with `define' (was: newbie syntax: picayune points from a prejudiced programmer)))
zooko@zooko.com
Fri, 02 Mar 2001 11:40:00 -0800
> > I read some (all?) of the e-lang list threads about the ":any" "reveal
> > operator", but if I were a naive newcomer I would not have read those
> > threads, and I might well prefer to have an explicit, required `return'
> > keyword, which is perfectly familiar to all C, C++, Java and Python
> > programmers, and thus make type annotations optional, instead of having
> > expression-style, which is not familiar and which I don't like anyway.
>
> I am confused. Earlier it sounded like you needed to have
> no-assertion-means-return-a-value, but here it sounds like you need
> something longer than what E currently requires:
Sorry for being unclear. What I was proposing is something that
I explained more clearly just now in another message: that E give up on
being an "expression-style" language in which the value of the last
thing evaluated is automatically returned and become a "return keyword
required" language.
In addition to the advantages in terms of brevity and familiarity
(described in the message that I just sent), this would make E more
secure.
With the default being ":any", authority can be accidentally leaked
from code in an unintentional return value. With the default being
":void", then authority does not unintentionally leak from a ":void"
function, but it *does* still unintentionally leak from an ":any"
function, for example:
    // If there are no rabbits, or if you don't want any rabbits right now,
    // then we'll start the process of making new rabbits and return no
    // rabbits at this time.
    // pass `true' if you want rabbits
    to getOrSpawnRabbits(wantrabbits) :any {
        if myRabbitPen hasRabbits && wantrabbits {
            myRabbitPen pluckSomeRabbits()
        } else {
            myFavoriteRabbit jumpIntoPen()
        }
    }
The problem is that unbeknownst to the author of this function,
`myFavoriteRabbit jumpIntoPen()' returns a reference to
`myFavoriteRabbit'. (Why, I don't know. Perhaps it shouldn't, but
that code was written by someone else and they presumably want it to do
that for some reason. In any case it isn't a security leak, because I
can't call `jumpIntoPen()' on myFavoriteRabbit unless I already have a
reference to it.)
But `getOrSpawnRabbits()' now has both a bug (when used by "good" code)
and a security leak (when used by "bad" code), because
"myFavoriteRabbit" is not supposed to be handed out along with the
normal rabbits! Presumably the honest code simply pets him and hands
him back, which is a performance loss and a potential bug but not a big
deal, but BAD code. Oh my oh my, the consequences of letting someone
else get their hands on myFavoriteRabbit are just too terrible to name.
So it seems to me that the security flaws spawned by the ":any" default
were not really a problem with the default setting, they are a deeper
problem with the expression-style language, which means that "You
automatically hand out access to whatever you were just doing, unless
you remember not to.".
Regards,
Zooko
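The leak described in this message, as an added example that is not part of the original post: Ruby is used because, like E with the ":any" default, it returns the value of the last expression evaluated; the class and method names (FavoriteRabbit, Warren, get_or_spawn_rabbits_*) are constructed for illustration.

```ruby
# Added example, not from the original message: Ruby, like E with the
# ":any" default, returns the value of the last expression evaluated.
# All names below are constructed for illustration.

# Written by "someone else": jump_into_pen returns the rabbit itself.
# Harmless on its own, since the caller already held that reference.
class FavoriteRabbit
  def initialize(pen)
    @pen = pen
  end

  def jump_into_pen
    @pen << self
    self
  end
end

class Warren
  def initialize(pen, favorite)
    @pen = pen            # an Array of ordinary rabbits
    @favorite = favorite  # must never be handed out
  end

  # Leaky: nothing says "return", yet the else branch evaluates to the
  # value of jump_into_pen, so @favorite escapes to any caller.
  def get_or_spawn_rabbits_leaky(want_rabbits)
    if !@pen.empty? && want_rabbits
      @pen.shift(2)
    else
      @favorite.jump_into_pen
    end
  end

  # Explicit: each path states what leaves the method; the spawn path
  # returns nil, so @favorite stays private.
  def get_or_spawn_rabbits_explicit(want_rabbits)
    return @pen.shift(2) if !@pen.empty? && want_rabbits
    @favorite.jump_into_pen
    nil
  end
end

# Does a caller holding only a Warren end up with the favourite rabbit?
def favorite_escapes?(method_name, want_rabbits = true)
  pen = []
  favorite = FavoriteRabbit.new(pen)
  warren = Warren.new(pen, favorite)
  warren.public_send(method_name, want_rabbits).equal?(favorite)
end
```

Running favorite_escapes?(:get_or_spawn_rabbits_leaky) on an empty pen yields true, while the explicit variant yields false, which is the whole difference between the two styles.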