dynamic scope == ambient authority, but one weird thing is that where dynamic scope / parameters might be useful is all low-level stuff that's like "language-level abstractions" stuff

I have this sense that emaker model might be able to overcome most remaining dynamic scope needs

I promise my words make sense given sufficient context


> I promise my words make sense given sufficient context

Eternal mood whenever I post something overly technical

"Here be rabbit holes occupied by dragons"

@mattcen yak hair is what the rabbit holes are lined with, to keep the dragons warm

@cwebber at least you don't have to acquire the yak hair yourself!

@cwebber (also my mental image of your rabbit holes completely changed with that last toot; they now sound rather more... hole-some 😛)

@cwebber I kind of enjoy the sensation of having just enough context to know the thought would be really interesting if I went and gathered more context

like "dynamic scope" I firmly understand, "ambient authority" I have a pretty casual understanding of, but enough that I can complete the thought and go "Oh, yeah! That's true!", and then "emaker model" I had to look up

@SpindleyQ yeah: lexical scope is ocaps, dynamic scope is ambient authority. Lambda, the Ultimate Security Model!

@SpindleyQ @cwebber I tried to look up the emaker model and all I got was icemakers. Where do I find the thing you are talking about?

@zwol @SpindleyQ Good question! It's here: skyhunter.com/marcs/ewalnut.ht

See also "frozen realms" in Javascript.

The idea is simple: you can load any library in an environment that has no authority to do anything dangerous (except, perhaps, to max out CPU or memory, but you can set up a sandbox that can prevent that too). Can't even permit mutable globals!

But this means anyone can add or load these fairly safely. Module returns a function, which is where you pass in authority as an entry point.

@cwebber @zwol @SpindleyQ keep in mind that sandboxing is hard: any side-effect — even cache-invalidation — could be used to influence the parent environment.

@ArneBab @zwol @SpindleyQ Preventing authority model leakage is def hard enough and preventing privacy leaks is much harder. "Prisoners knocking on pipes" is the metaphor I've heard (and yes, incarceration of people is disturbing... incarcerating non-sapient code less so)

@cwebber @SpindleyQ @zwol Makes me think of the RLBox wasm sandbox that Firefox 95 wraps some of its dependencies in.

@cwebber @SpindleyQ Aha, E as in the language. Thanks.

I am thinking about this in the context of this discussion about adding a “contexts and capabilities” feature to Rust: internals.rust-lang.org/t/blog They aren’t using “capability” in the security sense; the feature proposal seems mostly about not wanting to pass many arguments to “intermediate” functions (and so it winds up reinventing dynamically scoped globals, AFAICT).

In an actual ocap environment this is the last thing you are supposed to do, but the desire to not pass half a dozen caps to functions that only need them in order to pass them along to their own callees does still seem legit, and maybe even desirable for authority minimization.

@zwol @SpindleyQ Yes I've pinged the author that they're overloading the term in a way that is *exactly* ambient authority. It's unfortunate.

@zwol @SpindleyQ Ambient stuff / dynamic scope can certainly make things a lot easier for programmers, I agree. I've considered whether or not to accept vat-level ambience for meta-level language abstractions on top of Goblins, even in the propagator design, for instance for truth maintenance systems.

The emaker bit is exactly meant to point to the alternative direction: since you're enclosing a module within a scope of explicitly passed authority, it may give "dynamic benefits" w/o ambience.

@cwebber @SpindleyQ Right, I see how it could work. You have a bunch of boxes, you give each of them the caps it needs to do its job, and then you wire them together. There might be a problem with encapsulation -- is the high level programmer _supposed_ to know that the green box needs to be wired to a red box and a pinstripe box? -- but it might actually be a Good Thing to design libraries to surface that kind of glue.
