[e-lang] POLA and deserialization

Kevin Reid kpreid at mac.com
Wed Aug 8 11:24:05 EDT 2007


On Aug 8, 2007, at 10:45, David Wagner wrote:
> Kevin Reid writes:
>>> I'm tempted to say that a constructor for a DeepFrozen object (if
>>> passed only DeepFrozen arguments) has no authority worth mentioning[1]
>>
>> Such a constructor could certainly have authority.
>>
>> def makeFoo() {
>>   def value := entropy.nextSwiss()
>>   return def foo implements DeepFrozen {
>>     to get() { return value }
>>   }
>> }
>
> I'm not familiar with the result of nextSwiss(), but I'm going
> to assume it is just bits.  If so, under the approximation of authority
> I'm used to using, I don't see any authority there.  foo contains some
> bits.  That doesn't provide any more authority than the integer 17
> or the bitvector 011101, does it?

It isn't that foo contains bits, it's that makeFoo has and uses an
authority (entropy). Perhaps I should have used an example of, say,
writing the arguments provided to a file.

>> Perhaps you want that the maker itself should be DeepFrozen? This is
>> closer but still not sufficient, as you suspect.
>
> I don't immediately see why it would be necessary, as any variable from
> the lexically enclosing scope(s) must be DeepFrozen for foo to be
> DeepFrozen.

Whether the product is DeepFrozen is irrelevant: the maker itself can
have authority which it uses when invoked, which would be the
original "something happens when I unserialize this object" situation.

>> An object can be DeepFrozen and yet hold authority: for example, an
>> unsealer, or a stamping auditor. DeepFrozen merely indicates that the
>> object is not a communication channel.
>
> Okay, thank you.  In Joe-E, I think we'd say that Powerless things
> have no authority; I find it tricky to remember what the translation
> to E's concepts is.  (Or is that mistaken, too?)

There is no standard E equivalent to Powerless.

It would be, I think, DeepFrozen (no communication channel) combined
with a proof that the object is universally accessible (not
identity-based authority such as a stamp) and contains no components not
universally accessible (e.g. a sealer or unsealer holding a stamp).

>> E currently takes the approach of safety by construction*: the things
>> available by <import> don't have any authority worth mentioning
>> because they are produced by evaluating source in an environment with
>> no authority worth mentioning.
>>
>> * Is there a proper term for this?
>
> I don't know.  I think what you are saying is that the universal scope
> provides no authority.

Yes.

-- 
Kevin Reid                            <http://homepage.mac.com/kpreid/>
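The distinction the thread turns on (the product of a maker can be DeepFrozen while the maker itself holds and exercises authority when invoked, which is exactly what makes "something happens when I unserialize this object" possible) can be made concrete with a small model. The following is an added illustration, not E code and not from the e-lang archive: the "authority" is a constructed in-memory write log standing in for the file or entropy source Kevin mentions, the `(maker name, args)` wire format is made up for the example, and the two `make_foo` variants are hypothetical. It shows that both makers return identical, fully immutable products, that only the one closing over an authority has a side effect at unserialize time, and that an unserializer restricted to an authority-free environment (the "safety by construction" approach) both avoids the effect and refuses makers it does not provide.

```python
"""Model of a maker with authority versus an authority-free maker, as seen
through a minimal unserializer. Constructed example, not E code."""
from typing import Any, Callable, Dict, List, Tuple

# Constructed stand-in for an authority such as a writable file: anything
# appended here represents an effect on the outside world.
_file_writes: List[str] = []


def make_foo_with_authority(value: int) -> Tuple[int, ...]:
    """Hypothetical maker that closes over the write channel and uses it.
    Its product is a plain tuple of ints: as 'DeepFrozen' as it gets."""
    _file_writes.append(f"makeFoo invoked with {value}")
    return (value,)


def make_foo_pure(value: int) -> Tuple[int, ...]:
    """Hypothetical maker with no authority: same product, no side effect."""
    return (value,)


# Constructed wire format: a serialized object names a maker and its args.
Serialized = Tuple[str, Tuple[Any, ...]]


def unserialize(blob: Serialized, makers: Dict[str, Callable[..., Any]]) -> Any:
    """Reconstruct an object by invoking the named maker.

    'makers' is the whole environment the unserializer reaches; a name that
    is not in it is refused rather than resolved from some ambient scope.
    Whatever authority the unserialized blob can exercise is therefore
    bounded by the authority of the makers in this dictionary.
    """
    name, args = blob
    if name not in makers:
        raise ValueError(f"unserialize: maker {name!r} not available here")
    return makers[name](*args)


def demo() -> Dict[str, Any]:
    """Run the same blob through two environments and report what happened."""
    blob: Serialized = ("makeFoo", (17,))

    # Environment A: the reachable maker holds authority, so unserializing
    # a frozen product still causes a write.
    _file_writes.clear()
    product_a = unserialize(blob, {"makeFoo": make_foo_with_authority})
    writes_a = list(_file_writes)

    # Environment B: safety by construction. Only authority-free makers are
    # reachable, so the identical blob yields the identical product with no
    # effect.
    _file_writes.clear()
    product_b = unserialize(blob, {"makeFoo": make_foo_pure})
    writes_b = list(_file_writes)

    # A blob naming a maker the environment does not provide is refused.
    try:
        unserialize(("makeSomethingElse", ()), {"makeFoo": make_foo_pure})
        refused = False
    except ValueError:
        refused = True

    return {
        "product_a": product_a,
        "product_b": product_b,
        "writes_a": writes_a,
        "writes_b": writes_b,
        "refused": refused,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

The point to notice is that `product_a == product_b` and neither product can do anything; inspecting the result of unserialization tells you nothing about what happened while producing it. The only lever the unserializer has is which makers it is willing to invoke, which is why the thread lands on the universal scope providing no authority.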