headers
Tyler Close | 1 Sep 2005 22:45
Picon

Re: Draft of Joe-E, a Capability-security subset of Java

On 8/31/05, David Wagner <daw@...> wrote:
> John Carlson <john.carlson3@...> writes:
> >How will you give authority to a Joe-E
> >program?   What can a Joe-E program do without
> >access to native libraries?
> 
> Those are parts we'll work on soon; they are intimately tied in with
> taming, and taming is next on our plate for later this fall.  (The answer
> to the second question is "compute side-effect-free functions" -- but
> our next step will be to work on taming the Java standard libraries,
> so that Joe-E programs can do more, including I/O.)  But we wanted to
> try to start nailing down the language first.

A slightly different question has a much more satisfying answer: "What
can a program do with Joe-E code?". Answer: "Vastly reduce the
per-application code review work."

For example, most of the Java applications I write are written to the
Waterken Server. The architecture of this server has the feature that
the server links to the application code, not the other way around.
(Some fancy introspection code in the server makes this work) This
design results in application code that is just plain Java code, with
no links to _any_ standard libraries. Each new application means
writing more of this plain Java code and reusing the existing server
application. I am hopeful that the Joe-E project will produce a
verifier that I can run on this application-level plain Java code to
automate parts of the code review process and, more importantly, put
some teeth into the assumptions that are made about the flow of
authority within a capability-based design.
(Continue reading)

Permalink | Reply | 501 comments |
headers
Kevin Reid | 2 Sep 2005 00:31

Rename Guard, ValueGuard (was Re: Conflict of principles)

Mark Miller <markm@...> wrote:

> Kevin Reid wrote:
> > If desirable, GuardPattern could expand to it:
> > 
> >   left :int
> > =>
> >   left ? Guard.coerce(int)
> 
> Also, shouldn't the expansion be to the following pattern?
> 
>     left ? ValueGuard.coerce(int, null)

Yes.

> ...
> Kernel-E should only care that guards obey the ValueGuard protocol
> (coerce/2 and expectation that they override __printOn/2) rather than
> being full Guards. The remaining operations defined in Guard are only for
> programmer convenience, not for use by Kernel-E.

Yes.

Also, the names Guard and ValueGuard are leftovers from the SlotGuard
days. I propose renaming ValueGuard to Guard and Guard to -- something
else.

I haven't thought of a decent name for Guard, though; just
ExtendedGuard, SugaredGuard, FancyGuard, etc., which might be true but
don't really say anything.
(Continue reading)

Permalink | Reply | 4 comments |
headers
Mark Miller | 2 Sep 2005 14:10

Re: Rename Guard, ValueGuard (was Re: Conflict of principles)

Kevin Reid wrote:
> Also, the names Guard and ValueGuard are leftovers from the SlotGuard
> days. I propose renaming ValueGuard to Guard and Guard to -- something
> else.
> 
> I haven't thought of a decent name for Guard, though; just
> ExtendedGuard, SugaredGuard, FancyGuard, etc., which might be true but
> don't really say anything.

Agreed. This change should also have minimal impact on existing code. If there
are no objections, I'll do this for the next release.

Unless someone thinks of something better, I'll go with "ExtendedGuard".

--

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
Permalink | Reply | 3 comments |
headers
Kevin Reid | 2 Sep 2005 15:22

Re: Rename Guard, ValueGuard (was Re: Conflict of principles)

On Sep 2, 2005, at 8:10, Mark Miller wrote:
> Kevin Reid wrote:
>> I haven't thought of a decent name for Guard, though; just
>> ExtendedGuard, SugaredGuard, FancyGuard, etc., which might be true but
>> don't really say anything.
> Unless someone thinks of something better, I'll go with 
> "ExtendedGuard".

(rambling)

Additional thought: The name, ideally, should convey that the 
additional verbs can be implemented entirely in terms of the base guard 
- that they are shorthands, rather than separate operations.

However, I think it will eventually be important to preserve the 
guard's ability to override those operations to be more than that; for 
example, the guard resulting from this expression can be much more 
efficient if IsAny (previously discussed for replacing the ==-pattern) 
can implement | to define a new IsAny guard instead of an or-guard:

   accum none for item :notNull in dataSource { _ | IsAny[item] }

Hypothesis: eventually, we will want the ability to write "if (g =~ eg 
:ExtendedGuard) { eg } else { __extendGuard(g) }". Thus a guard can 
offer optimized/customized versions of the guard compositions (in which 
I include not/0), or its client can add the default extensions when 
necessary.

This requires a well-defined way to ask an object if it is an 
ExtendedGuard. I have some further thoughts on how to implement this
(Continue reading)

Permalink | Reply | 2 comments |
headers
Dean Tribble | 3 Sep 2005 06:59

Re: Rename Guard, ValueGuard (was Re: Conflict of principles)

I'm confused about what "ExtendedGuards" are.  If they are the guards that
add the infrequently-used operator overloadings, then I would advocate we
just drop them.  I think they were not used enough to justify the surprise
a new programmer will have upon seeing them.  Having them in a toy area 
for cool strange things to tickle the langauge weenies would be great, but 
not more centrally :-)

On Fri, 2 Sep 2005, Kevin 
Reid wrote:

> On Sep 2, 2005, at 8:10, Mark Miller wrote:
> > Kevin Reid wrote:
> >> I haven't thought of a decent name for Guard, though; just
> >> ExtendedGuard, SugaredGuard, FancyGuard, etc., which might be true but
> 
> However, I think it will eventually be important to preserve the 
> guard's ability to override those operations to be more than that; for 
> example, the guard resulting from this expression can be much more 
> efficient if IsAny (previously discussed for replacing the ==-pattern) 
> can implement | to define a new IsAny guard instead of an or-guard:
> 
>    accum none for item :notNull in dataSource { _ | IsAny[item] }

This looks completely unfamiliar to me.  Can you explain?

> Hypothesis: eventually, we will want the ability to write "if (g =~ eg 
> :ExtendedGuard) { eg } else { __extendGuard(g) }". Thus a guard can 
> offer optimized/customized versions of the guard compositions (in which 
> I include not/0), or its client can add the default extensions when 
> necessary.
(Continue reading)

Permalink | Reply | 1 comment |
headers
Kevin Reid | 3 Sep 2005 15:01

Protocol tests are necessary (was Re: Rename Guard, ValueGuard)

On Sep 3, 2005, at 0:59, Dean Tribble wrote:

> I'm confused about what "ExtendedGuards" are.  If they are the guards 
> that
> add the infrequently-used operator overloadings,

Yes.

> On Fri, 2 Sep 2005, Kevin Reid wrote:
>> On Sep 2, 2005, at 8:10, Mark Miller wrote:
>>> Kevin Reid wrote:
>>>> I haven't thought of a decent name for Guard, though; just
>>>> ExtendedGuard, SugaredGuard, FancyGuard, etc., which might be true 
>>>> but
>>
>> However, I think it will eventually be important to preserve the
>> guard's ability to override those operations to be more than that; for
>> example, the guard resulting from this expression can be much more
>> efficient if IsAny (previously discussed for replacing the ==-pattern)
>> can implement | to define a new IsAny guard instead of an or-guard:
>>
>>    accum none for item :notNull in dataSource { _ | IsAny[item] }
>
> This looks completely unfamiliar to me.  Can you explain?

Context:

'none' is a (hypothetical) guard which accepts no values.

'accum' is a pragma-enabled syntax for accumulating/reducing/folding.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Dean Tribble | 4 Sep 2005 00:28

Protocol tests are necessary (was Re: Rename Guard, ValueGuard)

> > I'm confused about what "ExtendedGuards" are.  If they are the guards
> > that add the infrequently-used operator overloadings,
>
> Yes.

In that case, I would advocate that we provide no support over what
the language otherwise requires.  It's does not appear to be a common
scenario, and for any truly interesting guard, the programmer can
define an appropriate guard class.  The net result is no additional
mechanism, no loss of generality, and relative familiarity to any E
programmer of the special cases.

> >> However, I think it will eventually be important to preserve the
> >> guard's ability to override those operations to be more than that; for
> >> example, the guard resulting from this expression can be much more
> >> efficient if IsAny (previously discussed for replacing the ==-pattern)
> >> can implement | to define a new IsAny guard instead of an or-guard:
> >>
> >>    accum none for item :notNull in dataSource { _ | IsAny[item] }
> >
> > This looks completely unfamiliar to me.  Can you explain?
>
> Context:
>
> 'none' is a (hypothetical) guard which accepts no values.
>
> 'accum' is a pragma-enabled syntax for accumulating/reducing/folding.
>
>      accum INITIAL-VALUE LOOP-EXPR { _ RIGHT-SIDE-OF-CALL-EXPR }
(Continue reading)

Permalink | Reply | 0 comments |
headers
Steve Jenson | 5 Sep 2005 08:39
Picon
Favicon

Problems building E 0.8.35f

Hi guys,

Have any of you build E 0.8.35f with Java 5 on Win32? Using cygwin, I
get the following error:

javac: target release 1.2 conflicts with default source release 1.5

I clearly see see javac getting called with -target 1.2 in the make
output but don't find this anywhere in the Makefile.

Any advice is appreciated,
Steve
Permalink | Reply | 2 comments |
headers
Mark S. Miller | 8 Sep 2005 20:15

Re: Problems building E 0.8.35f

Steve Jenson wrote:
> Hi guys,
> 
> Have any of you build E 0.8.35f with Java 5 on Win32? Using cygwin, I
> get the following error:
> 
> javac: target release 1.2 conflicts with default source release 1.5
> 
> I clearly see see javac getting called with -target 1.2 in the make
> output but don't find this anywhere in the Makefile.

Hi Steve, sorry it took me so long to get to this.

The -target directive is in src/build/makerules.mk. You should be able to
build while suppressing the target directive by setting the environment
variable JTARGET to "none". In bash, this would be

    $ JTARGET=none make ...

The problem seems to be that I'm setting the -target version without setting
the -source version. I've changed the relevant block of code in makerules.mk to

----------------------------------
ifeq "$(JAVAC)" "gcj"
 JCOMPILE="$(JAVAC)" -C -fno-assert -g \
	-classpath "$(COMP_PATH)" -d $(TOP)/classes
 TOOLCOMPILE="$(JAVAC)" -C -fno-assert -g \
	-classpath "$(TOOL_PATH)" -d $(TOP)/classes
else
 ifeq "$(JTARGET)" "none"
(Continue reading)

Permalink | Reply | 1 comment |
headers
James Graves | 21 Sep 2005 11:59
Favicon
Gravatar

More on "Fixing" CL (object level confinement)

[BTW, sending this to e-lang because it seems more general.]

OK, so many thoughts, so little time.  

Towards the goal of writing down those thoughts, so that they might
actually be useful to and debated among other people, I need/want to
push out several e-mails on the following topics:

* More comments on the Common Lisp package system.
* Object level, package level, and image level confinement in CL.
* Image level confinement with CL, and how this could be really cool and
  scaleable.
* More on why I like CL.
* Why or why not Scheme?  (still an open question for me, again)
* Fixing Scheme:
*   Scheme package / module systems.
*   Scheme R5RS vs. object-level confinement.
*   Scheme 48 and other implementations.

Here are some comments in response to Jonathan Rees' e-mail about
object-level confinement.  (Thanks David)

Jonathan Rees wrote:

> I think this is a herculean task. Good luck. There are scores of
> features in Common Lisp that show abysmal capability discipline. This
> is one thing that led me to give up on it (I worked on the first
> Common Lisp implementation, NIL) and do T and Scheme 48 instead. 

Indeed.  I am despairing of trying to get any kind of object level
(Continue reading)

Permalink | Reply | 0 comments |

Gmane