upvote

points

by amelius1 days ago |
comments
upvoteby jerf1 days ago|
next
[-]
Now is probably a pretty good time to start a capabilities-based language if someone is able to do that. I wish I had the time.
reply
upvoteby mike_hearn1 days ago|
prev|
next
[-]
Java had that from v1.2 in the 1990s. It got pulled out because nobody used it. The problem of how to make this usable by developers is very hard, although maybe LLMs change the equation.
reply
upvoteby jFriedensreich1 days ago|
prev|
next
[-]
We have one where thats possible: workerd (apache 2.0) no new language needed just a new runtime
reply
upvoteby amelius1 days ago|
parent|
[-]
I mean, the sandboxing aspect of a language is just one thing.

We should have sandboxing in Rust, Python, and every language in between.

reply
upvoteby saidnooneever1 days ago|
prev|
next
[-]
just sandbox the interpreter (in this case), package manager and binaries.

u can run in chroot jail and it wouldnt have accessed ssh keys outside of the jail...

theres many more similar technologies aleady existing, for decades.

doing it on a per language basis is not ideal. any new language would have to reinvent the wheel.

better to do it at system level. with the already existing tooling.

openbsd has plege/unveil, linux chroot, namespaces, cgroups, freebsd capsicum or w/e. theres many of these things.

(i am not sure how well they play within these scenarios, but just triggering on the sandboxing comment. theres plenty of ways to do it as far as i can tell...)

reply
upvoteby amelius1 days ago|
parent|
[-]
What if I wanted to write a program that uses untrusted libraries, but also does some very security sensitive stuff? You are probably going to suggest splitting the program into microservices. But that has a lot of problems and makes things slow.

The problem is that programs can be entire systems, so "doing it at the system level" still means that you'd have to build boundaries inside a program.

reply
upvoteby saidnooneever1 days ago|
parent|
[-]
you can do multi process things. or drop privs when using untrusted things.

you can use OS apis to isolate the thing u want to use just fine..

and yes, if you mix privilege levels in a program by design then u will have to design your program for that.

this is simple logic.

a programming language can not decide for you who and what you trust.

reply
upvoteby amelius1 days ago|
parent|
[-]
> you can use OS apis to isolate the thing u want to use just fine..

For the sake of the argument, what if I wanted to isolate numpy from scipy?

Would you run numpy in a separate process from scipy? How would you share data between them?

Yes, you __can__ do all of that without programming language support. However, language support can make it much easier.

reply
upvoteby sph1 days ago|
prev|
next
[-]
https://en.wikipedia.org/wiki/Capability-based_security

https://en.wikipedia.org/wiki/Object-capability_model

reply
upvoteby codethief15 hours ago|
prev|
next
[-]
Or just make side effects explicit in the type system through monads or algebraic effects.
reply
upvoteby staticassertion1 days ago|
prev|
[-]
In frontend-land you can sort of do this by loading dependencies in iframe sandboxes. In backend, ur fucked.
reply