[Python-Dev] Capabilities

Ben Laurie ben@algroup.co.uk
Thu, 03 Apr 2003 11:43:10 +0100


Zooko wrote:

> In the capability way of life, it is still the case that access to the ZipFile class gives you the ability to open files anywhere in the system! (That is: I'm assuming for now that we implement capabilities without re-writing every dangerous class in the Library.) In this scheme, there are no flags, and when you run code that you think might misuse this feature, you simply don't give that code a reference to the ZipFile class. (Also, we have to arrange that it can't acquire a reference by "import zipfile".)

It would probably be helpful to explain what you (or, at least, I) would do if you (I) were writing from scratch, rather than "taming" the existing libraries. In this case, Zipfile would require a file capability to be passed to it at construction time, and so would become non-dangerous, which is, I think, where Guido is coming from.

The risk only occurs because we want to not rewrite the whole library, just to wrap it, and it's important to understand that this isn't really the "proper" way to do it (though, of course, the ZipFile class is not unlike any of the other non-capability things we'd have to wrap anyway, given a non-capability OS underneath, it just happens to be one that can be rewritten if we want to rewrite it).

Cheers,

Ben.

-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
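As an added illustration of the from-scratch design sketched in this message (a ZipFile that receives its file authority at construction and can open nothing else), here is a small capability-style wrapper; it is example code, not code from the thread or from CPython, and the class and function names are assumptions of the example. It also shows the "taming" caveat: even with a file object passed in, the underlying ZipFile still has path-taking methods (write, extract, extractall), so the wrapper must not expose them.

```python
import io
import os
import zipfile

class CapZipFile:
    """ZipFile that acts only on the file object handed to it (hypothetical name)."""
    def __init__(self, fileobj, mode="r"):
        # A path would let the class open files anywhere; that ambient
        # authority is exactly what the capability design removes.
        if isinstance(fileobj, (str, bytes, os.PathLike)) or not hasattr(fileobj, "read"):
            raise TypeError("CapZipFile needs an open binary file object, not a path")
        self._zf = zipfile.ZipFile(fileobj, mode)

    def namelist(self):
        return self._zf.namelist()

    def read(self, name):
        return self._zf.read(name)

    def writestr(self, name, data):
        # Only in-memory data may be added: ZipFile.write(path), extract() and
        # extractall() are deliberately not exposed because they open paths.
        self._zf.writestr(name, data)

    def close(self):
        self._zf.close()

def exposes_path_authority():
    # True if the wrapper leaks a ZipFile method that reaches the filesystem by path.
    return any(hasattr(CapZipFile, m) for m in ("write", "extract", "extractall"))

def roundtrip(entries):
    # Write entries through the capability into an in-memory zip and read them back.
    buf = io.BytesIO()  # constructed target: the only file authority granted
    zf = CapZipFile(buf, "w")
    for name, data in entries.items():
        zf.writestr(name, data)
    zf.close()
    buf.seek(0)
    reader = CapZipFile(buf)
    return {n: reader.read(n) for n in reader.namelist()}

def accepts_path(path):
    # The design says a bare path must be refused as authority.
    try:
        CapZipFile(path)
    except TypeError:
        return False
    return True
```

Code that is handed only a CapZipFile and an open file object can read or build an archive but cannot name a filesystem path; that is the difference between wrapping ZipFile and rewriting it.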