[e-lang] POLA and deserialization
David Wagner
daw at cs.berkeley.edu
Wed Aug 8 10:45:04 EDT 2007

Kevin Reid writes:
>> I'm tempted to say that a constructor for a DeepFrozen object (if
>> passed only DeepFrozen arguments) has no authority worth mentioning[1]
>
>Such a constructor could certainly have authority.
>
>def makeFoo() {
>    def value := entropy.nextSwiss()
>    return def foo implements DeepFrozen {
>        to get() { return value }
>    }
>}

I'm not familiar with the result of nextSwiss(), but I'm going
to assume it is just bits. If so, under the approximation of authority
I'm used to using, I don't see any authority there. foo contains some
bits. That doesn't provide any more authority than the integer 17
or the bitvector 011101, does it?

>Perhaps you want that the maker itself should be DeepFrozen? This is
>closer but still not sufficient, as you suspect.

I don't immediately see why it would be necessary, as any variable from
the lexically enclosing scope(s) must be DeepFrozen for foo to be
DeepFrozen.

>An object can be DeepFrozen and yet hold authority: for example, an
>unsealer, or a stamping auditor. DeepFrozen merely indicates that the
>object is not a communication channel.

Okay, thank you. In Joe-E, I think we'd say that Powerless things
have no authority; I find it tricky to remember what the translation
to E's concepts is. (Or is that mistaken, too?)

>E currently takes the approach of safety by construction*: the things
>available by <import> don't have any authority worth mentioning
>because they are produced by evaluating source in an environment with
>no authority worth mentioning.
>
>* Is there a proper term for this?

I don't know. I think what you are saying is that the universal scope
provides no authority. This is a crucial aspect of avoiding ambient
authority, isn't it?
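
The unsealer case quoted above (an object that is frozen and is not a communication channel, yet holds authority), as an added example that is not part of the original message and is written in JavaScript rather than E. `makeBrand`, `freezeAll` and `demo` are hypothetical names, the sealed string is constructed sample data, and `Object.freeze` only approximates E's DeepFrozen.

```javascript
// Added illustration, not code from the thread or from E's libraries.
// A sealer/unsealer pair: the unsealer has no mutable surface, so two
// holders cannot signal each other through it, but only its holder can
// recover what the matching sealer put into a box.
function freezeAll(obj) {
  // Freeze the object and each of its methods (functions are objects too).
  for (const key of Object.getOwnPropertyNames(obj)) {
    if (typeof obj[key] === 'function') Object.freeze(obj[key]);
  }
  return Object.freeze(obj);
}

function makeBrand(name) {
  // box -> payload. Reachable only through the two closures below.
  const contents = new WeakMap();
  const sealer = freezeAll({
    seal(payload) {
      const box = Object.freeze(Object.create(null)); // opaque token
      contents.set(box, payload);
      return box;
    },
  });
  const unsealer = freezeAll({
    unseal(box) {
      if (!contents.has(box)) throw new TypeError(`not sealed by ${name}`);
      return contents.get(box);
    },
  });
  return Object.freeze({ sealer, unsealer });
}

function demo() {
  const purse = makeBrand('purse'); // constructed sample brands
  const other = makeBrand('other');
  const box = purse.sealer.seal('contents');
  let foreign = 'opened';
  try { other.unsealer.unseal(box); } catch (e) { foreign = 'refused'; }
  return {
    unsealerFrozen: Object.isFrozen(purse.unsealer) &&
                    Object.isFrozen(purse.unsealer.unseal),
    boxSurface: Object.getOwnPropertyNames(box).length, // nothing to read
    withUnsealer: purse.unsealer.unseal(box),
    withOtherUnsealer: foreign,
  };
}

console.log(demo());
```

Holding the box alone yields nothing, and a different brand's unsealer is refused, so the difference between the two callers is exactly the frozen unsealer they hold.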