http://wiki.erights.org/mediawiki/index.php?title=Special:Contributions&feed=atom&target=Toby.murrayErights - User contributions [en]2024-03-19T04:20:23ZFrom ErightsMediaWiki 1.15.5-7http://wiki.erights.org/wiki/AuthodoxAuthodox2011-04-26T23:40:55Z<p>Toby.murray: </p>
<hr />
<div>[http://web.comlab.ox.ac.uk/oucl/work/toby.murray/tools/authodox/ Authodox] is used to automatically detect excess authority in systems of interacting objects, by modelling them in CSP and applying the FDR automatic refinement-checker. It was originally based on [http://web.comlab.ox.ac.uk/oucl/work/toby.murray/papers/AALPE.pdf Authority Analysis for Least Privilege Environments] and [http://www.comlab.ox.ac.uk/files/2690/AOCS.pdf Analysing Object-Capability Security].<br />
<br />
Authodox is no longer supported. Some of the ideas embodied in its most recent release (Version 0.2, May 19, 2008) have been superseded by work that followed that release. The best reference on using CSP to model and reason about authority and object-capability systems, in particular, is Toby Murray's D.Phil. thesis, [http://ertos.nicta.com.au/publications/papers/Murray:phd.abstract?bib=login Analysing the Security Properties of Object-Capability Patterns].<br />
<br />
[[Category:Applications]]<br />
[[Category:Formal Reasoning]]</div>Toby.murrayhttp://wiki.erights.org/wiki/UnumUnum2011-04-21T05:32:55Z<p>Toby.murray: Reverted edits by 62.206.137.42 (Talk); changed back to last version by Kevin Reid</p>
<hr />
<div>An unum can be described as a single conceptual object with a distributed implementation.<br />
An object, called the "master presence", is replicated at different locations using smart proxies, called "presences".<br />
The presences cache some state of the master presence and can be used to communicate with the master presence.<br />
----<br />
<div style="float: right;width:360px;font-size:80%;border:1px solid #aaaaaa;padding:5px;margin-left:5px;margin-top:20px;"><br />
[[Image:Unum.png|Unum Example]]<br />
<br />
A simple unum representing a circle. Using lamport slots, the non-authoritative presences on the right synchronize their state with the authoritative presence on the left. Mutating message calls are forwarded from the presences to their respective authoritative presence.<br />
</div><br />
<br />
Note: At this point this page is directly copied from [http://www.eros-os.org/pipermail/e-lang/2001-September/005728.html MarkM's post to the E-Lang mailing list]<br />
<br />
The Unum Pattern goes back to Chip Morningstar's work at Electric Communities.<br />
<br />
Each replica of an Unum is a "presence" of the Unum, and all the presences jointly are taken <br />
to form the Unum. One of the presences is the "authoritative presence" -- <br />
its state is considered to be the "true" state of the Unum. <br />
A1, being the <br />
initial presence, therefore starts out as the authoritative presence.<br />
<br />
<br />
The other presences are effectively smart remote references to the <br />
authoritative presence. These "shadow presences" maintain a somewhat stale <br />
cache of a copy of some state from the authoritative presence -- but only <br />
state that can be useful even when it's stale. These shadow presences do <br />
support immediate calls for those operations that can be sensible performed <br />
using this stale data -- giving us another huge victory over network <br />
latency. But operations needing accurate state must still be eventual, and <br />
must be delegated to the authoritative presence.<br />
<br />
The shadow presences also register themselves as observers (in E, <br />
"reactors") on the authoritative presence. Every time the authoritative <br />
presence changes replicated state, it notifies all its reactors, so that <br />
they may update their cached copies. In the absence of partition, we can <br />
say that these caches are always "eventually consistent" -- they are always <br />
consistent with some past state, they only move forward in time, and under <br />
quiescence they will always eventually become accurate. <br />
(Does this capture <br />
Lamport-like eventual consistency?)<br />
<br />
During a partition, the presence can still give correct, even if <br />
increasingly stale, service for the staleness tolerant operations. Of <br />
course, it must refuse the accurate operations. Should the authoritative <br />
presence again become reachable, the shadow should "heal". (Note: at EC we <br />
didn't do this. Instead, we always invalidated shadow presences on <br />
partition. So although both choices seem valuable, we don't yet have any <br />
experience with shadows that survive partition.)<br />
<br />
What happens when a shadow presence A2 is passed? Two simple possibilities are<br />
<br />
# a new shadow presence A3 is created that takes the authoritative presence A1 as authoritative. A2 and A3 would both be registered as reactors on A1.<br />
# a new shadow presence A3 is created that takes shadow presence A2 as authoritative. A2 is a reactor on A1, and A3 is a reactor on A2.<br />
<br />
1. is Granovetter introduction, and supports grant matching. 2. is <br />
proxying, and does not.<br />
<br />
Answer #1 gives us a flat multicast fanout for state updates. Answer #2 <br />
turns the presences into a spontaneously malformed multicast tree. (I say <br />
"malformed" because the topology of the tree is based only on acts of <br />
introduction, and not on any sensible performance issues.) NetNews, DNS, <br />
and Notes are all massively scalable systems that use Lamport-like eventual <br />
consistency to distribute state updates.<br />
<br />
<br />
== See Also ==<br />
<br />
[[Pass By Construction]]<br />
<br />
[http://www.erights.org/elib/distrib/unum/index.html The Unum: a form of distributed object]<br />
<br />
[http://www.eros-os.org/pipermail/e-lang/2001-September/005728.html MarkM's post to the E-Lang mailing list]<br />
<br />
[http://www.erights.org/talks/uni-tea/index.html Uni-Tea - Towards a unified, parameterizable model of distributed "object"]</div>Toby.murrayhttp://wiki.erights.org/wiki/AuditorAuditor2011-04-21T05:19:12Z<p>Toby.murray: Reverted edits by 209.212.77.225 (Talk); changed back to last version by Kevin Reid</p>
<hr />
<div>{{XXX|write general explanation}}<br />
<br />
==Protocol==<br />
<br />
{{instance msgdoc|audit|1|<var>audition</var> :[[Audition]]|[[boolean]]}}<br />
<br />
{{unspecified message}}<br />
<br />
CAUTION: If the auditor uses the [[Audition#ask/1]] method to apply [[stamp]]s, then the auditor '''must''' check that the audition is a genuine system-created Audition or it will be vulnerable to fake auditions which supply the wrong object-examination answers but forward ask/1, or simply steal the stamps and misapply them itself.<br />
<br />
Note that under [[guard-based auditing]], the ''as''-auditor of an object is stored in the binding as if the object passed the auditor as a guard; therefore, objects which implement this Auditor protocol as well as the [[Guard]] protocol should make them consistent with each other.<br />
<br />
[[Category:ELib specification]]</div>Toby.murrayhttp://wiki.erights.org/wiki/EE2011-04-21T05:17:46Z<p>Toby.murray: Reverted edits by 67.208.188.226 (Talk); changed back to last version by Kevin Reid</p>
<hr />
<div>:''Which E did you mean?''<br />
<br />
[[Main Page|This wiki]] is about [[E language|the E programming language]].<br />
<br />
Within E, there is an [[Object E|object named “E”]].<br />
<br />
{{stub}}</div>Toby.murrayhttp://wiki.erights.org/wiki/Object-capability_languagesObject-capability languages2010-03-18T12:14:35Z<p>Toby.murray: reverting last two spammy edits</p>
<hr />
<div>== Independent or Prior Objcap Languages ==<br />
<br />
* [http://www.erights.org/history/morris73.pdf Gedanken]<br />
* [http://www.erights.org/history/actors.html Actors]<br />
* [http://portal.acm.org/ft_gateway.cfm?id=323739&type=pdf Vulcan],<br />
* [http://www.agorics.com/Library/joule.html Joule]<br />
* [http://mumble.net/~jar/pubs/secureos/ W7]<br />
* [http://portal.acm.org/citation.cfm?doid=323627.323646 Eden, Emerald]<br />
* [http://citeseer.ist.psu.edu/279442.html J-Kernel]<br />
* [http://plash.beasts.org Plash]<br />
* [http://prog.vub.ac.be/amop/ AmbientTalk]<br />
* [http://newspeaklanguage.org/ Newspeak]<br />
* [http://www.bitc-lang.org/ BitC]<br />
<br />
== Related to '''''E''''' ==<br />
{| <br />
|+Relationships of '''''E''''' and other languages<br />
! Base language !! '''''E''''' Implementation !! Adapted to objcaps<br />
|-<br />
| [http://java.sun.com Java] || [http://erights.org/download/ E-on-Java] || [[Joe-E]] [http://waterken.sourceforge.net/ Waterken] [http://asyncobjects.sourceforge.net/ AsyncObjects]<br />
|-<br />
| [http://www.mozart-oz.org/ Mozart/Oz] || || [http://www.info.ucl.ac.be/people/PVR/oze.pdf Oz-E]<br />
|-<br />
| C/C++ || [http://erights.org/e-impls/e-on-c/index.html MC] [http://washort.twistedmatrix.com/2008/07/ecru-c-runtime-for-e.html Ecru] || <br />
|-<br />
| [http://www.erights.org/javadoc/org/erights/e/elang/smallcaps/SmallcapsOps.html Smallcaps] || [http://erights.org/e-impls/e-on-smallcaps/index.html E-on-Smallcaps] || <br />
|-<br />
| [http://www.squeak.org/ Squeak] || [http://erights.org/e-impls/e-on-squeak/index.html E-on-Squeak] || [http://www.squeaksource.com/SecureSqueak.html SecureSqueak] [http://wiki.squeak.org/squeak/6011 SqueakElibVM]<br />
|-<br />
| Common Lisp || [http://erights.org/e-impls/e-on-cl/index.html E-on-CL] || [http://www.eros-os.org/pipermail/e-lang/2005-April/010572.html CL-E]<br />
|-<br />
| [http://caml.inria.fr/ocaml/index.en.html OCaml] || || [[Emily]]<br />
|-<br />
| [http://www.haskell.org/ Haskell] || [http://homepage.mac.com/kpreid/elang/ E-on-Haskell] || [http://code.google.com/p/caskell/ Caskell]<br />
|-<br />
| Python || || [http://twistedmatrix.com/ Twisted Python] [http://foolscap.lothar.com/trac FoolsCap] [http://www.cs.ubc.ca/~drifty/papers/python_security.pdf Secure Python] [http://plash.beasts.org/wiki/CapPython CapPython] [http://code.google.com/p/googleappengine/issues/detail?id=671 safelite]<br />
|-<br />
| Perl || || [http://caperl.links.org/ CaPerl]<br />
|-<br />
| [http://www.cis.upenn.edu/~bcpierce/papers/pict/Html/Pict.html Pict] || || [http://altair.fiit.stuba.sk/mediawiki/index.php/Tamed_Pict Tamed Pict]<br />
|-<br />
| E || E-on-E ||<br />
|-<br />
| || || [http://sebyla.sourceforge.net/ Sebyla]<br />
|-<br />
| Javascript || [[E-on-JS]] || [http://code.google.com/p/google-caja/ Caja] [http://www.adsafe.org/ ADsafe] [http://wiki.developers.facebook.com/index.php/FBJS FBJS][http://video.google.com/videoplay?docid=452089494323007214 Vats on Gears] [http://www.jacaranda.org/jacaranda-spec-0.3.txt Jacaranda] [http://websandbox.livelabs.com/ Microsoft WebSandbox] [http://research.microsoft.com/en-us/projects/gatekeeper/ Gatekeeper] [http://www.sitepen.com/blog/2008/08/01/secure-mashups-with-dojoxsecure/ Dojo Secure]<br />
|}<br />
<br />
<br />
Also applicable to ML and Haskell style systems: [http://okmij.org/ftp/papers/lightweight-static-capabilities.pdf Lightweight Static Capabilities]</div>Toby.murrayhttp://wiki.erights.org/wiki/Talk:Object_capabilityTalk:Object capability2009-07-13T12:48:16Z<p>Toby.murray: </p>
<hr />
<div>Are you sure, Dmbarbour?<br />
<br />
May I suggest you<br />
* first to read [http://www.erights.org/talks/thesis/ Mark Miller's thesis]<br />
* then install E<br />
* read E in a [[Walnut]] and experiment with E<br />
If you like it, join e-lang or cap-talk mailing list and discuss your ideas.<br />
<br />
[[User:Kosik|Kosik]] 15:17, 10 July 2009 (CDT)<br />
<br />
----<br />
<br />
I have read Mark Miller's thesis, many years ago. And I played with '''E language''' then, too. I've gained more than a few inspirations from these, but I'm not all that fond of the language (in particular, how it handles distribution, disruption, resilience, persistence, concurrency, consistency, facets, and I'm not impressed with available optimizations achievable).<br />
<br />
Anyhow, I can only express my professional opinion on what [[object capability]] means based on the literature I have read, same as Mark Miller or anyone else, and take comfort in the fact that formal definitions are graded by '''utility in making distinctions''' rather than by their conformance with the opinions of others. You ask if I'm "sure"? I'm very certain of the utility in understanding [[object capability]] as distinct from other capabilities, and I'm very certain of the utility in understanding [[capability]] as distinct from '''secure''' capability, such that one can meaningfully discusss the security '''of''' capabilities rather than just security '''with''' capabilities. So, in that sense, I'm sure. <br />
-- [[User:Dmbarbour|Dmbarbour]] 16:15, 10 July 2009 (CDT)<br />
<br />
-------<br />
<br />
Upon seeing you 'rewrite' my professional opinion on the matter with your own, it is clear to me that you would prefer to maintain and grow this wiki on your own rather than risk dissenting opinions. I'll leave you alone now. But, before I go, May I suggest that you read some capability literature that ''wasn't'' written by Mark Miller? There's a lot of it out there.<br />
-- [[User:Dmbarbour|Dmbarbour]] 16:23, 10 July 2009 (CDT)<br />
<br />
----<br />
<br />
I think [http://www.eros-os.org/mailman/listinfo/cap-talk cap-talk] would be a better place for expressing your professional opinion. Join under your real name.<br />
<br />
[[User:Kosik|Kosik]] 16:30, 10 July 2009 (CDT)<br />
<br />
----<br />
<br />
Kosik: I think your "complete rewrite" was unnecessarily antagonistic. Please prefer gradual improvements ''and discussion'' to discarding others' work, unless it is complete nonsense, which this wasn't. --[[User:Kevin Reid|Kevin Reid]] 19:37, 10 July 2009 (CDT)<br />
<br />
----<br />
<br />
I propose first discussion of the [[ambient capability]] article and if it is settled, let us discuss other things (like [[object capability]]). Sequentially. Is that fair? [[User:Kosik|Kosik]] 01:34, 11 July 2009 (CDT)<br />
<br />
----<br />
<br />
I've just deleted this page. This term is not formally defined anywhere in the object-capability security literature as far as I'm aware. It does not need a separate definition. It's better to define the object-capability model IMO and redirect to that page if it is really felt necessary to have a page on this wiki called "object capability".<br />
--[[User:Toby.murray|Toby.murray]] 07:48, 13 July 2009 (CDT)</div>Toby.murrayhttp://wiki.erights.org/wiki/CapabilityCapability2009-07-13T12:44:42Z<p>Toby.murray: </p>
<hr />
<div>== Definition ==<br />
<br />
A ''capability'' is a token that identifies an [[subject, object, operation and permission|object]] and provides its holder with the [[subject, object, operation and permission|permission]] to operate on the object it identifies. Capabilities must either be totally unforgeable or infeasible to forge. <br />
<br />
== Examples ==<br />
Some examples of unforgeable capabilities:<br />
* Designations of objects in [[E]]. Those who hold these capabilities have the permission to invoke any method supported by the designated object.<br />
* Designations of functions and procedures in [[Emily]]. Those who hold these capabilities have the permission to call designated functions or procedures.<br />
* Designations of channels in [http://altair.fiit.stuba.sk/mediawiki/index.php/Tamed_Pict Tamed Pict]. Those who hold these capabilities may have a permission to make send and/or receive operations with the designated channel.<br />
Some examples of capabilities that are infeasible to forge: <br />
* Designations of remote objects in E, such as <tt>captp://*orwqphzlugjwqj2wozz7tmg47ime466j@74.125.87.147:55189/oa6vn5whhapylswhzesdlqh5ppmjkcrq.</tt> Those who hold these capabilities have the permission to invoke any method supported by the designated object.<br />
* Password capabilities.<br />
<br />
== See also ==<br />
<br />
{{XXX|improve this section}}<br />
<br />
See [http://www.eros-os.org/essays/capintro.html What is a Capability, Anyway?] for a partisan explanation of what capabilities actually are.<br />
<br />
See also [http://www.erights.org/elib/capability/overview.html Overview: Capability Computation]<br />
<br />
{{stub}}</div>Toby.murrayhttp://wiki.erights.org/wiki/Talk:CapabilityTalk:Capability2009-07-13T12:37:43Z<p>Toby.murray: </p>
<hr />
<div>The article can be further improved by given more examples of capabilities from CapROS, EROS and Coyotos systems. What objects can those capabilities designate? Which operations do those capabilities permit their holder to perform with designated objects? [[User:Kosik|Kosik]] 05:17, 10 July 2009 (CDT)<br />
<br />
-------------<br />
<br />
It seems the article describes an object-capability as though it is the only sort. I understand it is the type of capability used in E and such, but other sorts are used for security.<br />
* Password Capabilities (SPKI, Certificates) do not need to designate objects<br />
* Object Capabilities <br />
<br />
Further, capability doesn't imply '''unforgeable''' unless you're talking about '''secure''' capabilities, and '''capability-based security'''.<br />
<br />
----<br />
<br />
You are right. Some capabilities are indeed unforgeable and some are merly ''hardly guessable''. Cannot these two different terms:<br />
* unforgeable<br />
* hardly unguessable<br />
be contracted to some single adjective? Using the term "unforgeable or hardly unguessable" is awkward. [[User:Kosik|Kosik]] 10:59, 10 July 2009 (CDT)<br />
<br />
''I'm afraid you didn't grok. I mean to say that capabilities may be very forgeable and guessable. They [the forgeable and guessable capabilities] simply aren't secure capabilities, or suitable for capability-based security. And the page still has a heavily '''object-'''capability bias.''<br />
<br />
----<br />
<br />
Concerning object-capability bias, see my suggestion at the top of the page. More example are needed and can be added. I am just not qualified to give them.<br />
<br />
It is possible to demonstrate that if you say "capabilities are very forgeable and guessable" you are wrong.<br />
<br />
[[User:Kosik|Kosik]] 11:51, 10 July 2009 (CDT)<br />
<br />
----<br />
<br />
''Please demonstrate, then. Demonstrate that "Capability" implies "Secure capability" in global vernacular and I'll be happy to recant. But I suspect you're not qualified to do that, either.''<br />
<br />
----<br />
<br />
Here is a [http://altair.fiit.stuba.sk/mediawiki/index.php/SandboxedPing non-trivial example]. You can try to explain me how it would be possible for an untrusted sandboxed subsystem to forge or guess arbitrary capabilities?<br />
<br />
Similar examples can be also shown in any object-capability programming language one chooses to use. I may try to show some code in E with a similar point. I am not qualified to show any examples showing a similar point in capability-based operating systems but I think on cap-talk there are such people.<br />
<br />
[[User:Kosik|Kosik]] 13:16, 10 July 2009 (CDT)<br />
<br />
----<br />
<br />
''You've got your logic backwards, Kosik. I'm asserting that not all capabilities are secure, not that all (and 'arbitrary') capabilities are insecure.''<br />
<br />
----<br />
<br />
What do you mean by "secure capability"?<br />
<br />
[[User:Kosik|Kosik]] 14:55, 10 July 2009 (CDT)<br />
<br />
----<br />
<br />
''A secure capability is any power to perform an operation that is available to a system but unavailable (not merely forbidden) to a subject acting within that system.''<br />
<br />
----<br />
<br />
I do not understand the definition:<br />
<br />
: "''A secure capability is any power to perform an operation that is available to a system but unavailable (not merely forbidden) to a subject acting within that system."<br />
<br />
Can you please give some examples of secure capabilities? Something from real systems.<br />
<br />
[[User:Kosik|Kosik]] 07:41, 11 July 2009 (CDT)<br />
<br />
----<br />
<br />
There is only one acceptable interpretation of the word "capability" on this wiki and its definition coincides with Dmbarbour's notion of a '''secure''' capability. Insecure capabilities do not exist in the world of capability-based security and, hence, have no place on this wiki except under a discussion of "other uses of the word capability", which would also be the place to discuss e.g. UNIX capabilities which are not capabilities in the sense used on this wiki either.<br />
--[[User:Toby.murray|Toby.murray]] 07:37, 13 July 2009 (CDT)</div>Toby.murrayhttp://wiki.erights.org/wiki/Talk:Ambient_capabilityTalk:Ambient capability2009-07-13T12:35:00Z<p>Toby.murray: </p>
<hr />
<div>I have never heard of this term. Why do we need it? Isn't the term [[ambient authority]] sufficient? Can you give some example of things you (the author) consider as an example of [[ambient capability]]? Are there some examples of ambient capabilities that are somehow different from ambient authority? [[User:Kosik|Kosik]] 01:19, 10 July 2009 (CDT)<br />
<br />
----<br />
<br />
[[Ambient authority]] doesn't apply '''unless''' permissions are enforced in denying an operation. The two are barely even related. Ambient authority is not sufficient or appropriate as terminology to properly discuss the circumstances surrounding distribution and mobility. <br />
<br />
Consider an object that accesses the following:<br />
* a keyboard<br />
* a monitor<br />
* current local time via a clock <br />
* random number generator<br />
* a HTTP cache<br />
* a Domain Name Service<br />
* a timer (10 Hz event)<br />
* hooking into Data Distribution Service (a distributed publish/subscribe)<br />
* local memory allocations (i.e. to allocate values)<br />
<br />
These capabilities are ALL ambient, at least initially. Access to each of them is highly contingent on context. It takes much work to create a common namespace that would let one machine have access to the monitor or keyboard on another machine.<br />
<br />
But consider:<br />
* An object-capability system (OS or language) is likely to wrap access to the keyboard and monitor into objects with secure (unforgeable) designations. If the above object is mobilized, the keyboard and monitor objects designate the keyboard and monitor on the original host, thus causing messages to cross the network. That's the desired behavior... keyboard and monitor are reasonably 'unique' ambients (though one might transparently replace the keyboard or monitor), so fit reasonably well into the [[object capability]] system.<br />
* Access to a clock, random number generator is more questionable. [[object-capability languages]] can go either way: allow access as new language primitives, in which case the 'current local time' is ambient to programs written in that language (and refers to the time on the host). Or wrap these into objects, in which case once object is mobilized it will need to send messages across the network for each request to the current local time. Sending requests for random numbers across the network is wasteful, at the very least. Accessing a clock across a network introduces variation in latency.<br />
* access to HTTP cache and Domain Name Service across a network after mobilization is pointless, but also demonstrate that there's no feasible way for [[object-capability languages]] to possibly provide all the desired ambient capabilities AS object capabilities after a mobilization.<br />
* Access to the 10 Hz event and DDS adds an extra challenges: having subscribed to these locally requires handing object-capabilities to other objects on the local system in order to subscribe and later unsubscribe. When mobilizing, however, having a 10 Hz event or DDS updates cross the network is problematic: those services can easily be provided locally for much higher performance, reliability, consistent latency, and quality of service. This suggests some first-class support for subscriptions (and later unsubscribe) to ambients is necessary to deal with certain distribution issues.<br />
* Most [[object-capability languages]] simply make allocations from local memory into 'primitives' making them ambient to the program, but there is always talk of wrapping memory resources into capabilities in order to handle quotas and such. After a mobilization, the 'primitives' approach means that the object will allocate any new objects on the remote machine, whereas if memory is wrapped into quota caps then one will be allocating memory on its original host. This suggests, at the very least, that quotas need to be handled differently if object-capabilities are to be networked.<br />
<br />
[[Object-capability languages]] + '''distribution or mobility''' benefits considerably from first-class support for [[ambient capability|ambient capabilities]]. But to discuss such possibilities requires that one first understand terminology such as [[ambient capability]].<br />
<br />
Usefully, ambient capabilities - even 10 Hz events and DDS and HTTP cache and DNS - '''can''' be reified. But one needs to explicitly recognize such [[ambient capability|ambient capabilities]] as being distinct from [[object capability|object capabilities]].<br />
<br />
----<br />
<br />
May I choose single of your points? You say that access to a local time via a clock is an "ambient capability". This is false in case of [http://altair.fiit.stuba.sk/mediawiki/index.php/Tamed_Pict Tamed Pict]. Untrusted sandboxed subsystems do not have such an "ambient capability". What kind of "ambient capabilities" have untrusted sandboxed subsystems written in Tamed Pict? What kind of "ambient capabilities" do have untrusted sandboxed subsystems written in E?<br />
<br />
Other points are also false but that is beyond the scope now until you show a single "ambient capability".<br />
<br />
[[User:Kosik|Kosik]] 13:35, 10 July 2009 (CDT)<br />
<br />
''I said that "local time via a clock is an [[ambient capability]], '''at least initially'''". I.e. at the hardware/OS/abstract-machine/LAN level. I then go on to explain options available to a secure capability-system (like a capability OS or [[object-capability languages]]) for securing these capabilities. Two options were explicitly mentioned:''<br />
* wrap the [[ambient capability]] to the local time via a clock in an 'object' with a secure [[object capability]]. This has certain implications when comes time to mobilize objects (i.e. for load-balancing, disruption tolerance, etc.)<br />
* or allow access to local time as a language primitive, which tends to add [[excessive authority]] to the language.<br />
<br />
''There are many more options, of course. Infinitely many. Two more are:''<br />
* One can create a 'major domo' object that provides a set of factories for certain local capabilities to 'guests', who must take advantage of them. The factories and the rest of the system is secure and thus provide a sandbox (up to primitive caps, such as memory allocation in many languages). <br />
* One can reify the notion of an 'ambient', thus producing [[ambient object|ambient objects]] that have the same semantics everywhere but different implementations. One may then provide something similar to [[object capability]] to these reified ambients through factories rather than as language primitives, and these access to these ambients will implicitly follow objects as they are distributed.<br />
<br />
''Tamed Pict just happens to choose one option among many: it uses the 'major domo' option to provide access to local time and various other features. The 'major domo' seems to be expressed by importing some 'trusted' modules, which provide those capabilities to the guest via automatic construction of various hooks. Unfortunately, this sandbox approach has many flaws for transparent distribution:''<br />
* the provided [[capability]] isn't tuned to the guest, which means it provides [[excessive authority]] for some guests and [[insufficient authority]] for others<br />
* if the major-domo doesn't provide a necessary capability, the guest cannot transparently continue using the remote capability to ensure the guest has the exact same capability before and after mobilization.<br />
* active interactions with these ambients (e.g. subscriptions) are not maintained and must be rebuilt by the guest after each mobilization, pretty much utterly destroying transparency<br />
<br />
''Transparent distribution, especially automatic distribution, especially of the first-class sort, is useful for: redundancy and self-healing, load-balancing, latency and bandwidth optimizations, improved quality-of-service, and disruption tolerance.<br />
<br />
''[[ambient authority]] is not [[ambient capability]]. A secure [[ambient capability]] must not be denied or lost simply because one is mobilized to a new sandbox. [[ambient authority]] will 'grant' or 'deny' permissions. It is effectively expressed by granting a set of factories to the guest - the guest may only behave within the limits of those factories. By comparison [[ambient capability]] is effectively expressed by ensuring the guest has the exact same set of capabilities both before and after a mobilization - but only up to semantics, allowing (and sometimes requiring) for the guest to automatically take advantage of the local HTTP cache, local random number generator, local timers, etc. Unlike objects, '''ambients''' have poorly defined boundaries.'' --[[User:Dmbarbour|Dmbarbour]] 15:57, 10 July 2009<br />
<br />
----<br />
<br />
It sounds to me like these "ambients" that you describe just above are singleton [[Unum Pattern|una]]; for example, the [[LocatorUnum]] in [[CapTP]], which to any object holding it grants the authority to convert bits into object-capabilities to any object reachable over CapTP. Similarly, access to a clock (in the sense of "what time is it now?") is ''universal'' -- real time is the same no matter what machine or process you're in. Does this fit the concept you're describing? --[[User:Kevin Reid|Kevin Reid]] 19:58, 10 July 2009 (CDT)<br />
<br />
''The [[Unum Pattern]] is certainly related. It is clearly aimed to reify universals or ambients, working around some of the problems of object identity. It's incomplete, though... it doesn't handle domain-of-presence (context) and it doesn't handle reverse direction interactions (e.g. subscriptions to a 10 Hz signal). Thanks for pointing it out.'' -- [[User:198.253.49.6|198.253.49.6]] 21:11, 10 July 2009 (CDT)<br />
<br />
----<br />
<br />
I do not understand the definition:<br />
<br />
:"Ambient capability describes constraint and provision of operations by virtue of context."<br />
<br />
Can you please give some examples of ambient capabilities? [[User:Kosik|Kosik]] 01:23, 11 July 2009 (CDT)<br />
<br />
----<br />
<br />
Dmbarbour,<br />
<br />
I have deleted your text (although it can still be found in the history). If you want to discuss it, please:<br />
* either contact me personally (<tt>kosik at fiit.stuba.sk</tt>)<br />
* or, better, join [http://www.eros-os.org/mailman/listinfo/cap-talk cap-talk] mailing list.<br />
<br />
Best regards.<br />
<br />
[[User:Kosik|Kosik]] 07:00, 13 July 2009 (CDT)<br />
<br />
<br />
----<br />
<br />
I suspect that "ambient capability" and "capability" as used by Dmbarbour is best interpreted to mean "ability". I suspect that Dmbarbour is using the word "capability" in its everyday, informal sense. For example, an everyday definition of the word "capability" is "The power or ability to generate an outcome." In this sense it is more similar to "authority" and "permission" than to the specialised use of "capability" that can found on this wiki.<br />
<br />
Understood in those terms, Dmbarbour's definitions of Capability, Object-Capability and Ambient Capability make some sense. However, I would argue that none of them should remain in their current form on this wiki. The reason is that the word "capability" has a very specific meaning here that is not equivalent to its use in everyday language. Keeping pages and definitions that fail to recognise this specific meaning is confusing to users who are trying to learn the terminology of capability-based security.<br />
<br />
For example, in capability-based security there is '''no such thing''' as an "insecure" capability. Talking about such things is unhelpful because it conflates two different and separate definitions of "capability". <br />
<br />
I expect that Dmbarbour probably has a lot of good to contribute to discussions of capability-based security. I'd encourage him/her to join cap-talk or e-lang to discuss these ideas. I'd also strongly urge him/her not to take the positions that Kosic and I have taken here as anything personal or disparaging against him/her or his/her understanding of capability-based security, but merely as a sign that certain words have very specific definitions within the community of people that Dmbarbour has recently joined (welcome!) and that these definitions must be adhered to for meaningful discussion (and communication with the outside world) to take place.<br />
--[[User:Toby.murray|Toby.murray]] 07:35, 13 July 2009 (CDT)</div>Toby.murrayhttp://wiki.erights.org/wiki/E-on-JavaE-on-Java2009-06-16T09:32:14Z<p>Toby.murray: add download page link</p>
<hr />
<div>The primary implementation of E.<br />
<br />
Most of [http://www.erights.org/ erights.org] is about E-on-Java.<br />
<br />
=== Get It ===<br />
<br />
[http://www.erights.org/download/index.html Download] E-on-Java<br />
<br />
----<br />
{{stub}}<br />
[[Category:E implementations]]</div>Toby.murrayhttp://wiki.erights.org/wiki/ObjectObject2009-06-16T09:15:28Z<p>Toby.murray: Link to authoratative page on wikipedia for object-as-in-computer-science-and-oop</p>
<hr />
<div>{{disambig}}<br />
<br />
'''Object''' may refer to:<br />
* [http://en.wikipedia.org/wiki/Object_(computer_science) Object (computer science)]<br />
* [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security Object (access control)]</div>Toby.murrayhttp://wiki.erights.org/wiki/ObjectObject2009-06-16T09:11:53Z<p>Toby.murray: Fix typo</p>
<hr />
<div>{{disambig}}<br />
<br />
'''Object''' may refer to:<br />
* [[Object (object-oriented programming)]]<br />
* [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security Object (access control)]</div>Toby.murrayhttp://wiki.erights.org/wiki/ObjectObject2009-06-16T09:11:30Z<p>Toby.murray: These terms are standard in the access control literature so link to the authoratative page on wikipedia</p>
<hr />
<div>{{disambig}}<br />
<br />
'''Object''' may refer to:<br />
* [[Object (object-oriented programming)]]<br />
* [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security Object (access control)]]</div>Toby.murrayhttp://wiki.erights.org/wiki/ObjectObject2009-06-16T09:06:00Z<p>Toby.murray: Use more precise term of 'access control' in place of 'security'.</p>
<hr />
<div>{{disambig}}<br />
<br />
'''Object''' may refer to:<br />
* [[Object (object-oriented programming)]]<br />
* [[Subject, object, operation and permission|Object (access control)]]</div>Toby.murrayhttp://wiki.erights.org/wiki/Walnut/Ordinary_Programming/Ordinary_Computing_ExamplesWalnut/Ordinary Programming/Ordinary Computing Examples2009-01-18T16:13:35Z<p>Toby.murray: Reverted edits by 210.52.15.210 (Talk); changed back to last version by Kevin Reid</p>
<hr />
<div>[[Category:Walnut|2]]<br />
<br />
===Ordinary Computing Examples===<br />
<br />
====Pretty E====<br />
<br />
====Racetrack Game for a single computer====<br />
<br />
Below is a simple game of racetrack: 3 cars are set on the track, to race between walls around curves to the finish line. Each driver can choose to accelerate or decelerate his car by +/- 1 space/turn during each turn. Do not build up too much velocity, you won't be able to slow down!<br />
<br />
The example has just about everything in it: JPanels, objects, functions, Java API calls, it's all there. We will come back to this example later in the book, to make the track distributed and secure. Then we shall invite Satan for a little competition, with souls on the line.<br />
<br />
<pre><br />
<br />
<nowiki># E sample<br />
<br />
#!/usr/bin/env rune<br />
<br />
# Copyright 2002 Combex, Inc. under the terms of the MIT X license<br />
# found at http://www.opensource.org/licenses/mit-license.html<br />
pragma.syntax("0.9")<br />
<br />
def traceln(text) { stderr.println(text) }<br />
<br />
def attachAction(component,target,verb) {<br />
def listener {<br />
to actionPerformed(event) {<br />
try {<br />
E.call(target, verb, [])<br />
} catch problem {<br />
throw <- (problem) # send to E tracelog instead of AWT<br />
}<br />
}<br />
}<br />
component.addActionListener(listener)<br />
}<br />
<br />
def newButton(labelText, verb, target) {<br />
def button := <swing:makeJButton>(labelText)<br />
button.setBackground(<awt:makeSystemColor>.getControl())<br />
attachAction(button,target,verb)<br />
return button<br />
}<br />
<br />
def abs(number) {return if (number >= 0) {number} else {-number}}<br />
<br />
def makeCoord(x,y) {<br />
def coord {<br />
to getX() {return x}<br />
to getY() {return y}<br />
to printOn(writer) {writer.print(`coord: $x,$y`)}<br />
to samePlace(coord2) :boolean {<br />
return x == coord2.getX() && y == coord2.getY()<br />
}<br />
<br />
/**<br />
* The "add" method is the underlying function for the "+" operator.<br />
* Here, by writing an "add" method, we make coordinates work with "+"<br />
*/<br />
to add(coord2) {return makeCoord(x + coord2.getX(),y + coord2.getY())}<br />
<br />
/**<br />
* The "subtract" method is the underlying function for the "-" operator<br />
*/<br />
to subtract(coord2) {return makeCoord(x - coord2.getX(),y - coord2.getY())}<br />
}<br />
return coord<br />
}<br />
<br />
def makeInstrumentPanel(car) :near {<br />
def makeIndicator(speed,positiveText,negativeText):pbc {<br />
var answer := ""<br />
var direction := positiveText<br />
if (speed < 0) {direction := negativeText}<br />
for i in 1..abs(speed) {answer := answer + direction}<br />
if (speed == 0) {answer := "0"}<br />
return answer<br />
}<br />
def makeXIndicator(speed) {return makeIndicator(speed,">","<")} <br />
def makeYIndicator(speed) {return makeIndicator(speed,"^\n","V\n")} <br />
def frame := <swing:makeJFrame>(`Car ${car.getName()} Instrument Panel`)<br />
def lbl(text) {return <swing:makeJLabel>(text)} <br />
def xLabel := lbl("Horizontal Speed:") <br />
def xIndicator := <swing:makeJTextArea>() <br />
xIndicator.setText("0") <br />
def yLabel := <swing:makeJTextArea>("V \ne\nr\nt\ni\nc\na\nl") <br />
yLabel.setBackground(<awt:makeSystemColor>.getControl()) <br />
def yIndicator := <swing:makeJTextArea>() <br />
yIndicator.setText("0") <br />
def statusPane := lbl("Running...") <br />
def instrumentPanel <br />
def btn(name,action) {return newButton(name,action,instrumentPanel)} <br />
def submitButton := btn("Submit","submit") <br />
var acceleration := makeCoord(0,0) <br />
def realPane :=JPanel`<br />
${lbl("")} $xLabel > > > <br />
V $xIndicator > > > <br />
$yLabel.Y $yIndicator ${btn("\\","upLeft")} ${btn("^","up")} ${btn("/","upRight")} <br />
V V ${btn("<","left")} ${btn("0","zero")} ${btn(">","right")}<br />
V V ${btn("/","downLeft")} ${btn("V","down")} ${btn("\\","downRight")}<br />
V V $submitButton.X > ><br />
$statusPane > > > >`<br />
frame.setDefaultCloseOperation(<swing:makeWindowConstants>.getDO_NOTHING_ON_CLOSE())<br />
frame.getContentPane().add(realPane)<br />
frame.pack()<br />
frame.show()<br />
bind instrumentPanel {<br />
to submit() {<br />
submitButton.setEnabled(false)<br />
car.accelerate(acceleration)<br />
}<br />
to prepareForNextTurn() {<br />
xIndicator.setText(makeXIndicator(car.getVelocity().getX()))<br />
yIndicator.setText(makeYIndicator(-(car.getVelocity().getY())))<br />
acceleration := makeCoord(0,0)<br />
submitButton.setEnabled(true)<br />
# Note, public static transferFocus on awt Component is not Java API, added in E environment<br />
<awt:makeComponent>.transferFocus([frame.getContentPane()], statusPane)<br />
}<br />
to setStatus(status) {statusPane.setText(status)}<br />
to upLeft() {acceleration := makeCoord(-1,-1)}<br />
to up() {acceleration := makeCoord(0,-1)}<br />
to upRight() {acceleration := makeCoord(1,-1)}<br />
to left() {acceleration := makeCoord(-1,0)}<br />
to zero() {acceleration := makeCoord(0,0)}<br />
to right() {acceleration := makeCoord(1,0)}<br />
to downLeft() {acceleration := makeCoord(-1,1)}<br />
to down() {acceleration := makeCoord(0,1)}<br />
to downRight() {acceleration := makeCoord(1,1)}<br />
}<br />
return instrumentPanel<br />
}<br />
<br />
def makeCar(name,startLocation,raceMap) {<br />
var location := startLocation<br />
var acceleration := makeCoord(0,0)<br />
var velocity := makeCoord(0,0)<br />
var hasCrashed := false<br />
var hasFinished := false<br />
def instrumentPanel<br />
def sign(x) {<br />
return if (x > 0) {<br />
1<br />
} else if (x < 0) {<br />
-1<br />
} else {0}<br />
}<br />
<br />
def accelReactors := [].asMap().diverge()<br />
<br />
/**<br />
* Compute the path the car will take from the location at the<br />
* beginning of this turn to the end; return the result<br />
* as a list of coords<br />
*/<br />
def computeIntermediateLocations(start,finish) {<br />
def locations := [].diverge()<br />
def slope := (finish.getY() - start.getY()) / (finish.getX() - start.getX())<br />
def computeRemainingLocations(current) {<br />
var nextX := current.getX()<br />
var nextY := current.getY()<br />
var distToGo := 0<br />
#if the car is traveling faster in the x direction than<br />
#in the y direction, increment x position by one along<br />
#the path and compute the new y<br />
if (slope < 1.0 && slope > -1.0) {<br />
distToGo := finish.getX() - current.getX()<br />
nextX += sign(distToGo)<br />
def distTraveled := nextX - start.getX()<br />
nextY := start.getY() + ((slope * distTraveled) + 0.5) //1<br />
#if the car is traveling faster in the y direction than<br />
#in the x direction, increment y position by one along<br />
#the path and compute new x<br />
} else {<br />
distToGo := finish.getY() - current.getY()<br />
nextY += sign(distToGo)<br />
def distTraveled := nextY - start.getY()<br />
nextX := start.getX() + ((distTraveled/slope) + 0.5) //1<br />
}<br />
def next := makeCoord(nextX,nextY)<br />
locations.push(next)<br />
if (!(next.samePlace(finish))) {<br />
computeRemainingLocations(next)<br />
}<br />
}<br />
computeRemainingLocations(start)<br />
return locations<br />
}<br />
def car {<br />
to accelerate(accel) {<br />
traceln(`accelerating car $name`)<br />
acceleration := accel<br />
for each in accelReactors {<br />
each.reactToAccel(car)<br />
}<br />
}<br />
to move(){<br />
traceln("into move")<br />
velocity += acceleration<br />
def newLocation := location + velocity<br />
traceln("got newlocation")<br />
def path := computeIntermediateLocations(location,newLocation)<br />
location := newLocation<br />
traceln("assigned location")<br />
hasCrashed := hasCrashed || raceMap.causesCrash(path)<br />
hasFinished := hasFinished || raceMap.causesFinish(path)<br />
traceln("got crash finish")<br />
if (hasCrashed) {<br />
instrumentPanel.setStatus("Crashed")<br />
} else if (hasFinished) {instrumentPanel.setStatus("Finished")}<br />
traceln("out of move")<br />
}<br />
to getLocation() {return location}<br />
to getVelocity() {return velocity}<br />
to hasCrashed() {return hasCrashed}<br />
to hasFinished() {return hasFinished}<br />
to getName() {return name}<br />
to prepareForNextTurn() {instrumentPanel.prepareForNextTurn()}<br />
to addAccelReactor(reactor) {accelReactors[reactor] := reactor}<br />
to removeAccelReactor(reactor) {accelReactors.remove(reactor)}<br />
}<br />
bind instrumentPanel := makeInstrumentPanel(car)<br />
return car<br />
}<br />
<br />
def makeTrackViewer(initialTextMap) {<br />
def frame := <swing:makeJFrame>("Track View")<br />
def mapPane := <swing:makeJTextArea>(initialTextMap)<br />
def statusPane := <swing:makeJLabel>(" ")<br />
def realPane :=<br />
JPanel`$mapPane.Y<br />
$statusPane`<br />
frame.getContentPane().add(realPane)<br />
def windowListener {<br />
to windowClosing(event) {<br />
interp.continueAtTop()<br />
}<br />
match [verb,args] {}<br />
}<br />
frame.addWindowListener(windowListener)<br />
frame.pack()<br />
frame.show()<br />
def trackViewer {<br />
to refresh(textMap) {mapPane.setText(textMap)}<br />
to showStatus(status) {statusPane.setText(status)}<br />
}<br />
return trackViewer<br />
}<br />
<br />
def makeRaceMap() {<br />
def baseMap := [<br />
"..........W...............",<br />
"..........W...........FFFF",<br />
"......W...WW..............",<br />
"......W....W..............",<br />
"......W....WWW............",<br />
"......W........W..........",<br />
"......W.....W.............",<br />
"......W.....W.............",<br />
"......W...................",<br />
"......W..................."]<br />
<br />
def isWall(coord) :boolean {return baseMap[coord.getY()] [coord.getX()] == 'W' }<br />
def isFinish(coord) :boolean {return baseMap[coord.getY()] [coord.getX()] == 'F'}<br />
def pointCrash(coord) :boolean {<br />
var result := false<br />
if (coord.getX() < 0 || coord.getY() < 0 ||<br />
coord.getX() >= baseMap[0].size() || coord.getY() >= baseMap.size()) {<br />
result := true<br />
} else if (isWall(coord)) {<br />
result := true<br />
}<br />
return result<br />
}<br />
def raceMap {<br />
to getAsTextWithCars(cars) {<br />
def embedCarsInLine(index,line) {<br />
def inBounds(xLoc) :boolean {return xLoc >= 0 && xLoc < line.size()}<br />
var result := line<br />
for each in cars {<br />
if (each.getLocation().getY() == index && <br />
inBounds(each.getLocation().getX())) {<br />
def editable := result.diverge(char)<br />
editable[each.getLocation().getX()] := (each.getName())[0]<br />
result := editable.snapshot()<br />
}<br />
}<br />
return result<br />
}<br />
var result := ""<br />
for i => each in baseMap {<br />
result := result + embedCarsInLine(i,each) + "\n"<br />
}<br />
return result<br />
}<br />
to causesCrash(path) :boolean {<br />
var result := false<br />
for each in path {<br />
if (pointCrash(each)) {<br />
result := true<br />
break()<br />
}<br />
}<br />
return result<br />
}<br />
to causesFinish(path) :boolean {<br />
var result := false<br />
for each in path {<br />
if (pointCrash(each)) {<br />
break()<br />
} else if (isFinish(each)) {<br />
result := true<br />
break()<br />
}<br />
}<br />
return result<br />
}<br />
}<br />
return raceMap<br />
}<br />
<br />
/**<br />
* create the cars, place them in a flex map to be used as a set<br />
*/<br />
def makeCars(raceMap) {<br />
def carList := [ <br />
makeCar("1",makeCoord(1,9),raceMap),<br />
makeCar("2",makeCoord(2,9),raceMap),<br />
makeCar("3",makeCoord(3,9),raceMap)]<br />
def carSet := [].asMap().diverge()<br />
for each in carList {carSet[each] := each}<br />
return carSet<br />
}<br />
<br />
/**<br />
* @author </nowiki>[mailto:marcs@skyhunter.com Marc Stiegler]<nowiki><br />
*/<br />
def makeRaceTrack() {<br />
def raceMap := makeRaceMap()<br />
def cars := makeCars(raceMap)<br />
var carsReadyToMove := [].asMap().diverge()<br />
def mapViewer := makeTrackViewer(raceMap.getAsTextWithCars(cars))<br />
def raceTrack {<br />
to reactToAccel(car) {<br />
traceln("racetrack reacting to accel")<br />
carsReadyToMove[car] := car<br />
if (carsReadyToMove.size() >= cars.size()) {<br />
raceTrack.completeNextTurn()<br />
}<br />
}<br />
to completeNextTurn() {<br />
def winners := [].diverge()<br />
for each in cars {<br />
each.move()<br />
if (each.hasCrashed()) {<br />
cars.removeKey(each)<br />
} else if (each.hasFinished()) {<br />
winners.push(each)<br />
}<br />
}<br />
mapViewer.refresh(raceMap.getAsTextWithCars(cars) )<br />
if (winners.size() == 1) {<br />
mapViewer.showStatus(`Car ${winners[0].getName()} has won!`)<br />
} else if (winners.size() > 1) {<br />
mapViewer.showStatus("It's a tie!")<br />
} else if (cars.size() == 0) {<br />
mapViewer.showStatus("Everyone's dead!")<br />
} else {raceTrack.prepareForNextTurn()}<br />
}<br />
to prepareForNextTurn() {<br />
traceln("into prepare for next turn")<br />
carsReadyToMove := [].asMap().diverge()<br />
for each in cars {<br />
each.prepareForNextTurn()<br />
}<br />
}<br />
}<br />
for each in cars {each.addAccelReactor(raceTrack)}<br />
return raceTrack<br />
}<br />
<br />
makeRaceTrack()<br />
# In actual code, the following line would not be commented out<br />
# interp.blockAtTop()</nowiki><br />
<br />
</pre></div>Toby.murrayhttp://wiki.erights.org/wiki/Walnut/Ordinary_Programming/Quasi-Literals_and_Quasi-ParsersWalnut/Ordinary Programming/Quasi-Literals and Quasi-Parsers2009-01-12T08:51:29Z<p>Toby.murray: Reverted edits by 66.201.219.17 (Talk); changed back to last version by Kevin Reid</p>
<hr />
<div>[[Category:Walnut|2]]<br />
<br />
===Quasi-Literals and Quasi-Parsers===<br />
<br />
E supports ''quasi-parsers''. A quasi-parser allows one to compress large numbers of operations into a succinct notation (a ''quasi-literal'') in a specific problem domain. Writing your own quasi-parsers (which can be done in <span class="e">''E''</span> itself, as the JPanel quasiparser described below was written) is beyond the scope of this book. However, <span class="e">''E''</span> comes with several quasi-parsers built in: a simple quasi-parser, a regular expression quasi-parser, a JPanel quasi-parser for Swing, and a swtGrid quasi-parser for SWT.<br />
<br />
====Simple quasi-parser====<br />
<br />
The default quasi-parser is a text manipulating parser capable of extracting data from strings and constructing new strings. In its simplest form, it is a clean and simple way of constructing strings for printing:<br />
<br />
<pre><br />
<br />
<nowiki># E sample<br />
def a := 3<br />
def answerString := `The value a is $a, and a times two is ${2 * a}.`<br />
println(answerString)</nowiki><br />
<br />
</pre><br />
<br />
Here we use a simple quasi-parser to build an output string in a fashion similar to the printf statement in C. Quasi literals are enclosed in back-ticks. A dollar sign denotes the beginning of a description of a value to be inserted at the dollar sign location. If the dollar sign is immediately followed by a variable name, the value of that variable is used. If the dollar sign is followed by an open brace, everything up to the close brace is evaluated to compute the value to be substituted (so you could put "$" inside the braces to put a dollar sign in the string, as well as doing arithmetic as in the above example). Quasi-literals can span multiple lines, in which case the carriage return is part of the structure.<br />
<br />
A more sophisticated use of simple quasi-literals is for pattern matching. Here we parse a sentence:<br />
<br />
<pre><br />
<br />
<nowiki># E sample<br />
def line := "By the rude bridge that arched the flood"<br />
if (line =~ `@word1 @{word2} rude @remainder`) {<br />
println(`text matches, word1 = $word1`)<br />
}</nowiki><br />
<br />
</pre><br />
<br />
The string on the left of =~ is compared to the quasi literal on the right, evaluating true if the string can be parsed in conformance with the quasi literal. The "@" asserts that any text can match this part of the string, and the variable declared after the "@" contains that text at the end of the evaluation. The variable "word2" is enclosed in braces to offset it from the word "rude" immediately following it, which would look like part of the variable name without the offset.<br />
<br />
In this example, the minimal string that can get a match would be space-space-"rude ", in which case the data extracted for variables word1, word2, and remainder would all be zero-length strings. As it is, at the end of the evaluation, word1=="By", word2=="the", and remainder == "bridge that arched the flood".<br />
<br />
A single quasi-literal can contain dollar signs as well as "@"'s, in which case the results of the dollar sign evaluations will be included in the matching conditions.<br />
<br />
Quasi-literals can almost always be treated as strings. They accept almost all of the string protocol (technically, the quasi-literals are of type "twine"). The one place where they cannot be treated as strings is in comparisons to actual strings. To compare a quasi-literal to a string, use the "bare" method: <span class="warn">this is now wrong! all strings seem to now be twines</span><br />
<br />
def equalStrings := "abc".bare() == `abc`.bare()<br />
<br />
====Regular expression quasi parser====<br />
<br />
The regular expression quasi-parser gives <span class="e">''E''</span> much of the CGI scripting power that Perl and Python share. Since <span class="e">''E''</span> runs on top of a jvm with all the startup time such jvms entail, using <span class="e">''E''</span> for CGI scripts ''per se'' is not recommended. However, if one uses the distributed computing power of <span class="e">''E''</span> to run CGI-like <span class="e">''E''</span> programs as services for a Web server, one can achieve the same effect, and receive a number of bonuses unavailable in Perl and Python. The example Web server written in <span class="e">''E''</span>, shown at the end of the book, was designed with just this thought in mind.<br />
<br />
====JPanel====<br />
<br />
The JPanel quasi-parser processes visually understandable strings into complex window panel layouts for gui applications. It is a most remarkable and useful example of quasi-parsers in action, giving the developer a rather WYSIWYG presentation of his windows. Thus the <span class="e">''E''</span> programmer has no need to resort to the typical inflexible IDE-specific drawing tools that produce code no one can read and absolutely no one can edit. Under the covers, the JPanel uses the GridBagLayout manager to compose the panel, giving it a flexibility comparable to the TK layout system from TCL (which actually inspired the JPanel). Unlike the typical visual layout editors in Java IDEs, the JPanel system is able to define a broad range of ''resizable'' windows simply and intuitively.<br />
<br />
<pre><br />
<br />
<nowiki># E syntax<br />
# define the panels explanation,label, field, okButton, cancelButton, logo<br />
# pad1, pad2, which are label fields before <br />
# this example begins<br />
def composedPanel := <br />
JPanel`$explanation.Y > ><br />
$label $field ><br />
$okButton $cancelButton $pad1.X<br />
V $pad2 $logo`</nowiki><br />
<br />
</pre><br />
<br />
In this layout, the explanation (presumably a textArea) is at the top of the composedPanel, with the label and field left-to-right underneath, and the okButton to the left of the cancelButton/logo area arranged top-to-bottom. This is a layout for a 3-wide, 4-high grid of cells, though some the panes fill multiple cells, and the rules for which cells grow are sophisticated, as described next:<br />
<br />
The ".Y" says that the explanation should soak up any extra vertical space. The ".X" says the field should soak up any extra horizontal space. The two ">" symbols say that the explanation should span all three of the columns of this pane. The field fills two horizontal cells as denoted by the ">" which follows it. The "V" in the lower lefthand corner says that the okButton should fill two vertical cells.<br />
<br />
When this pane is part of a resizable window, enlarging vertically makes the explanation larger. Enlarging the window horizontally enlarges the field but not the label. Both the cancel button and the okButton should remain the same size regardless of resizing since the extra space is being soaked up elsewhere.<br />
<br />
If several elements have ".Y", the extra vertical space is divided evenly among them; similarly fields with ".X" share extra horizontal space.<br />
<br />
The space characters used to separate the elements of this layout have no meaning to the quasi-parser; we have used the space to create a visual representation of the layout that makes it easy to see the layout even though this is just code.<br />
<br />
It is not possible to lay out all possible compositions with a single JPanel, but JPanels can dramatically reduce the nesting of panels compared to Java applications, while making the layout visually clear in the code itself. And of course, you can always place JPanel-laid-out panels inside of other JPanel layouts. The result is tremendously more compact, easier to understand, and easier to maintain than the result of nesting large numbers of Swing Box layouts.<br />
<br />
A similar quasi-parser, the swtGrid, is included for layout of SWT panels. The main difference, as shown in later example code, is that the swtGrid requires a first entry that is the parent panel for the laid out components <span class="note" style="color:red"> improve this discussion</span></div>Toby.murrayhttp://wiki.erights.org/wiki/Talk:Main_PageTalk:Main Page2008-09-28T09:47:40Z<p>Toby.murray: reverting spammy edits</p>
<hr />
<div>== Goals for the Main Page ==<br />
<br />
I've been trying to keep the main page as short and concise as possible. We need to keep in mind the users of this site. The main page is, in a sense, the main user interface for the wiki... it is how people start using the 'application'. So I'll be trying very hard to keep only the most important and relevant stuff on the main page. --[[User:Ansible|Ansible]] 11:32, 28 March 2007 (CDT)<br />
<br />
In fact, either on the main page, or on the getting started page, I'd like to have a 1 (one!) paragraph summary of '''''E''''' and why it the greatest thing since sliced bread. And then 3 or so paragraphs of further explaination. Perhaps we need to have an updated FAQ, and the first question answers this. --[[User:Ansible|Ansible]] 11:37, 28 March 2007 (CDT)<br />
<br />
I just starded the [[FAQ]]. I'll try to hack in as many questions as I can think of. --[[User:mscheffler|mscheffler]] 12:43, 21 April 2007 (CDT)<br />
<br />
== '''''E''''' vs. E==<br />
<br />
There seems to be a difference of opinion on how to write '''''E''''' on wiki pages. In some of the original documentatin on erights.org, I've seen it shown as in an italic and green font. We don't have easy wiki markup for colors, so I've always been just using the '''bold''' and ''italic'' markup together for the letter 'E' when it refers to the programming language. However, this is not the only view, and Kevin seems to prefer just a plain 'E'. Can we create a consensus on how to display 'E'? --[[User:Ansible|Ansible]] 05:50, 4 July 2008 (CDT)<br />
<br />
I'd suggest creating a template page, Template:E. Put in that page the wikitext for how we want the name of this language to be rendered. Then in other pages, simply transclude the template, i.e. write <nowiki>{{E}}</nowiki> for the language name. This would ensure consistency and be at least as simple as <nowiki>'''''E'''''</nowiki>. --[[User:Toby.murray|Toby.murray]] 07:57, 4 July 2008 (CDT)<br />
<br />
I've just created a demo templte, using my user talk page. Use it by writing <nowiki>{{:User_talk:Toby.murray}}</nowiki> somewhere, like here: {{User_talk:Toby.murray}}, or {{User_talk:Toby.murray}} there. --[[User:Toby.murray|Toby.murray]] 08:05, 4 July 2008 (CDT)<br />
* Nice, I like it. --[[User:Ansible|Ansible]] 15:12, 7 July 2008 (CDT)</div>Toby.murrayhttp://wiki.erights.org/wiki/Related_SitesRelated Sites2008-09-17T21:09:05Z<p>Toby.murray: reverted</p>
<hr />
<div>[http://www.erights.org Main Erights.org site]<br />
<br />
[[wikipedia:E_(programming_language)|'''''E''''' on Wikipedia]]<br />
<br />
[[wiki:EeLanguage|'''''E''''' on the C2 wiki]]<br />
<br />
[http://www.combex.com/ Combex, Inc.] - The for-profit facet of the '''''E''''' project, featuring [[CapDesk]] -- the capability secure desktop, and [[caplet]] installation and launching framework.<br />
<br />
[[Object-capability languages]]<br />
<br />
[http://www.selnet.org/pubs/capbib.html Cap-talk Bibliography]<br />
<br />
== Language Comparison Sites ==<br />
<br />
[http://www.rosettacode.org/wiki/Category:E "Rosetta Code" examples in '''''E''''']<br />
<br />
[http://www.codepoetics.com/wiki/index.php?title=Topics:SICP_in_other_languages#E SICP Examples in '''''E'''''] ("SICP" is "Structure and Interpretation of Computer Programs", a classic textbook.)<br />
<br />
[http://en.literateprograms.org/Category:Programming_language:E Literate Programming examples in '''''E''''']<br />
<br />
[http://people.mandriva.com/~prigaux/language-study/syntax-across-languages-per-language/E.html '''''E''''''s entry at Syntax Across Languages]</div>Toby.murrayhttp://wiki.erights.org/wiki/Talk:Main_PageTalk:Main Page2008-09-12T15:20:59Z<p>Toby.murray: Reverted last edits - spam</p>
<hr />
<div>== Goals for the Main Page ==<br />
<br />
I've been trying to keep the main page as short and concise as possible. We need to keep in mind the users of this site. The main page is, in a sense, the main user interface for the wiki... it is how people start using the 'application'. So I'll be trying very hard to keep only the most important and relevant stuff on the main page. --[[User:Ansible|Ansible]] 11:32, 28 March 2007 (CDT)<br />
<br />
In fact, either on the main page, or on the getting started page, I'd like to have a 1 (one!) paragraph summary of '''''E''''' and why it the greatest thing since sliced bread. And then 3 or so paragraphs of further explaination. Perhaps we need to have an updated FAQ, and the first question answers this. --[[User:Ansible|Ansible]] 11:37, 28 March 2007 (CDT)<br />
<br />
I just starded the [[FAQ]]. I'll try to hack in as many questions as I can think of. --[[User:mscheffler|mscheffler]] 12:43, 21 April 2007 (CDT)<br />
<br />
== '''''E''''' vs. E==<br />
<br />
There seems to be a difference of opinion on how to write '''''E''''' on wiki pages. In some of the original documentatin on erights.org, I've seen it shown as in an italic and green font. We don't have easy wiki markup for colors, so I've always been just using the '''bold''' and ''italic'' markup together for the letter 'E' when it refers to the programming language. However, this is not the only view, and Kevin seems to prefer just a plain 'E'. Can we create a consensus on how to display 'E'? --[[User:Ansible|Ansible]] 05:50, 4 July 2008 (CDT)<br />
<br />
I'd suggest creating a template page, Template:E. Put in that page the wikitext for how we want the name of this language to be rendered. Then in other pages, simply transclude the template, i.e. write <nowiki>{{E}}</nowiki> for the language name. This would ensure consistency and be at least as simple as <nowiki>'''''E'''''</nowiki>. --[[User:Toby.murray|Toby.murray]] 07:57, 4 July 2008 (CDT)<br />
<br />
I've just created a demo templte, using my user talk page. Use it by writing <nowiki>{{:User_talk:Toby.murray}}</nowiki> somewhere, like here: {{User_talk:Toby.murray}}, or {{User_talk:Toby.murray}} there. --[[User:Toby.murray|Toby.murray]] 08:05, 4 July 2008 (CDT)<br />
* Nice, I like it. --[[User:Ansible|Ansible]] 15:12, 7 July 2008 (CDT)</div>Toby.murrayhttp://wiki.erights.org/wiki/Talk:Main_PageTalk:Main Page2008-08-27T10:52:42Z<p>Toby.murray: Reverted edits by bot 211.76.97.228</p>
<hr />
<div>== Goals for the Main Page ==<br />
<br />
I've been trying to keep the main page as short and concise as possible. We need to keep in mind the users of this site. The main page is, in a sense, the main user interface for the wiki... it is how people start using the 'application'. So I'll be trying very hard to keep only the most important and relevant stuff on the main page. --[[User:Ansible|Ansible]] 11:32, 28 March 2007 (CDT)<br />
<br />
In fact, either on the main page, or on the getting started page, I'd like to have a 1 (one!) paragraph summary of '''''E''''' and why it the greatest thing since sliced bread. And then 3 or so paragraphs of further explaination. Perhaps we need to have an updated FAQ, and the first question answers this. --[[User:Ansible|Ansible]] 11:37, 28 March 2007 (CDT)<br />
<br />
I just starded the [[FAQ]]. I'll try to hack in as many questions as I can think of. --[[User:mscheffler|mscheffler]] 12:43, 21 April 2007 (CDT)<br />
<br />
== '''''E''''' vs. E==<br />
<br />
There seems to be a difference of opinion on how to write '''''E''''' on wiki pages. In some of the original documentatin on erights.org, I've seen it shown as in an italic and green font. We don't have easy wiki markup for colors, so I've always been just using the '''bold''' and ''italic'' markup together for the letter 'E' when it refers to the programming language. However, this is not the only view, and Kevin seems to prefer just a plain 'E'. Can we create a consensus on how to display 'E'? --[[User:Ansible|Ansible]] 05:50, 4 July 2008 (CDT)<br />
<br />
I'd suggest creating a template page, Template:E. Put in that page the wikitext for how we want the name of this language to be rendered. Then in other pages, simply transclude the template, i.e. write <nowiki>{{E}}</nowiki> for the language name. This would ensure consistency and be at least as simple as <nowiki>'''''E'''''</nowiki>. --[[User:Toby.murray|Toby.murray]] 07:57, 4 July 2008 (CDT)<br />
<br />
I've just created a demo templte, using my user talk page. Use it by writing <nowiki>{{:User_talk:Toby.murray}}</nowiki> somewhere, like here: {{User_talk:Toby.murray}}, or {{User_talk:Toby.murray}} there. --[[User:Toby.murray|Toby.murray]] 08:05, 4 July 2008 (CDT)<br />
* Nice, I like it. --[[User:Ansible|Ansible]] 15:12, 7 July 2008 (CDT)</div>Toby.murrayhttp://wiki.erights.org/wiki/Talk:Main_PageTalk:Main Page2008-07-04T13:05:56Z<p>Toby.murray: </p>
<hr />
<div>== Goals for the Main Page ==<br />
<br />
I've been trying to keep the main page as short and concise as possible. We need to keep in mind the users of this site. The main page is, in a sense, the main user interface for the wiki... it is how people start using the 'application'. So I'll be trying very hard to keep only the most important and relevant stuff on the main page. --[[User:Ansible|Ansible]] 11:32, 28 March 2007 (CDT)<br />
<br />
In fact, either on the main page, or on the getting started page, I'd like to have a 1 (one!) paragraph summary of '''''E''''' and why it the greatest thing since sliced bread. And then 3 or so paragraphs of further explaination. Perhaps we need to have an updated FAQ, and the first question answers this. --[[User:Ansible|Ansible]] 11:37, 28 March 2007 (CDT)<br />
<br />
I just starded the [[FAQ]]. I'll try to hack in as many questions as I can think of. --[[User:mscheffler|mscheffler]] 12:43, 21 April 2007 (CDT)<br />
<br />
== '''''E''''' vs. E==<br />
<br />
There seems to be a difference of opinion on how to write '''''E''''' on wiki pages. In some of the original documentatin on erights.org, I've seen it shown as in an italic and green font. We don't have easy wiki markup for colors, so I've always been just using the '''bold''' and ''italic'' markup together for the letter 'E' when it refers to the programming language. However, this is not the only view, and Kevin seems to prefer just a plain 'E'. Can we create a consensus on how to display 'E'? --[[User:Ansible|Ansible]] 05:50, 4 July 2008 (CDT)<br />
<br />
I'd suggest creating a template page, Template:E. Put in that page the wikitext for how we want the name of this language to be rendered. Then in other pages, simply transclude the template, i.e. write <nowiki>{{E}}</nowiki> for the language name. This would ensure consistency and be at least as simple as <nowiki>'''''E'''''</nowiki>. --[[User:Toby.murray|Toby.murray]] 07:57, 4 July 2008 (CDT)<br />
<br />
I've just created a demo templte, using my user talk page. Use it by writing <nowiki>{{:User_talk:Toby.murray}}</nowiki> somewhere, like here: {{User_talk:Toby.murray}}, or {{User_talk:Toby.murray}} there. --[[User:Toby.murray|Toby.murray]] 08:05, 4 July 2008 (CDT)</div>Toby.murrayhttp://wiki.erights.org/wiki/User_talk:Toby.murrayUser talk:Toby.murray2008-07-04T13:03:40Z<p>Toby.murray: </p>
<hr />
<div><span style="color: #009000;">'''''E'''''</span></div>Toby.murrayhttp://wiki.erights.org/wiki/Talk:Main_PageTalk:Main Page2008-07-04T12:57:32Z<p>Toby.murray: </p>
<hr />
<div>== Goals for the Main Page ==<br />
<br />
I've been trying to keep the main page as short and concise as possible. We need to keep in mind the users of this site. The main page is, in a sense, the main user interface for the wiki... it is how people start using the 'application'. So I'll be trying very hard to keep only the most important and relevant stuff on the main page. --[[User:Ansible|Ansible]] 11:32, 28 March 2007 (CDT)<br />
<br />
In fact, either on the main page, or on the getting started page, I'd like to have a 1 (one!) paragraph summary of '''''E''''' and why it the greatest thing since sliced bread. And then 3 or so paragraphs of further explaination. Perhaps we need to have an updated FAQ, and the first question answers this. --[[User:Ansible|Ansible]] 11:37, 28 March 2007 (CDT)<br />
<br />
I just starded the [[FAQ]]. I'll try to hack in as many questions as I can think of. --[[User:mscheffler|mscheffler]] 12:43, 21 April 2007 (CDT)<br />
<br />
== '''''E''''' vs. E==<br />
<br />
There seems to be a difference of opinion on how to write '''''E''''' on wiki pages. In some of the original documentatin on erights.org, I've seen it shown as in an italic and green font. We don't have easy wiki markup for colors, so I've always been just using the '''bold''' and ''italic'' markup together for the letter 'E' when it refers to the programming language. However, this is not the only view, and Kevin seems to prefer just a plain 'E'. Can we create a consensus on how to display 'E'? --[[User:Ansible|Ansible]] 05:50, 4 July 2008 (CDT)<br />
<br />
I'd suggest creating a template page, Template:E. Put in that page the wikitext for how we want the name of this language to be rendered. Then in other pages, simply transclude the template, i.e. write <nowiki>{{E}}</nowiki> for the language name. This would ensure consistency and be at least as simple as <nowiki>'''''E'''''</nowiki>. See my user page for a demo. --[[User:Toby.murray|Toby.murray]] 07:57, 4 July 2008 (CDT)</div>Toby.murrayhttp://wiki.erights.org/wiki/Talk:Main_PageTalk:Main Page2008-07-04T12:57:04Z<p>Toby.murray: </p>
<hr />
<div>== Goals for the Main Page ==<br />
<br />
I've been trying to keep the main page as short and concise as possible. We need to keep in mind the users of this site. The main page is, in a sense, the main user interface for the wiki... it is how people start using the 'application'. So I'll be trying very hard to keep only the most important and relevant stuff on the main page. --[[User:Ansible|Ansible]] 11:32, 28 March 2007 (CDT)<br />
<br />
In fact, either on the main page, or on the getting started page, I'd like to have a 1 (one!) paragraph summary of '''''E''''' and why it the greatest thing since sliced bread. And then 3 or so paragraphs of further explaination. Perhaps we need to have an updated FAQ, and the first question answers this. --[[User:Ansible|Ansible]] 11:37, 28 March 2007 (CDT)<br />
<br />
I just starded the [[FAQ]]. I'll try to hack in as many questions as I can think of. --[[User:mscheffler|mscheffler]] 12:43, 21 April 2007 (CDT)<br />
<br />
== '''''E''''' vs. E==<br />
<br />
There seems to be a difference of opinion on how to write '''''E''''' on wiki pages. In some of the original documentatin on erights.org, I've seen it shown as in an italic and green font. We don't have easy wiki markup for colors, so I've always been just using the '''bold''' and ''italic'' markup together for the letter 'E' when it refers to the programming language. However, this is not the only view, and Kevin seems to prefer just a plain 'E'. Can we create a consensus on how to display 'E'? --[[User:Ansible|Ansible]] 05:50, 4 July 2008 (CDT)<br />
<br />
I'd suggest creating a template page, Template:E. Put in that page the wikitext for how we want the name of this language to be rendered. Then in other pages, simply transclude the template, i.e. write <nowiki>{{E}}</nowiki> for the language name. This would ensure consistency and be at least as simple as <nowiki>'''''E'''''</nowiki>.--[[User:Toby.murray|Toby.murray]] 07:57, 4 July 2008 (CDT)</div>Toby.murrayhttp://wiki.erights.org/wiki/User:Toby.murrayUser:Toby.murray2008-07-04T12:53:45Z<p>Toby.murray: </p>
<hr />
<div>What happens with the {{:User_talk:Toby.murray}} here?</div>Toby.murrayhttp://wiki.erights.org/wiki/User_talk:Toby.murrayUser talk:Toby.murray2008-07-04T12:52:25Z<p>Toby.murray: </p>
<hr />
<div>'''E'''</div>Toby.murrayhttp://wiki.erights.org/wiki/User_talk:Toby.murrayUser talk:Toby.murray2008-07-04T12:52:00Z<p>Toby.murray: </p>
<hr />
<div>"""E"""</div>Toby.murrayhttp://wiki.erights.org/wiki/CapDeskCapDesk2008-05-15T16:02:52Z<p>Toby.murray: Initial fleshing-out of contents here. Incomplete at the moment.</p>
<hr />
<div>'''CapDesk''' is a distributed desktop shell, written in E.<br />
<br />
== Introduction ==<br />
<br />
CapDesk is a distributed file browser and [[caplet]] launcher. It enables users to browse their own files, much like an ordinary desktop shell like GNOME's [http://www.gnome.org/projects/nautilus/ Nautilus] or KDE's [http://www.konqueror.org/ Konqueror]. Users can double-click files to have them opened by applications for editing or viewing as normal, and use the shell to install new applications on their system. For example, double-clicking on a text file causes CapDesk to launch a text editor that enables the user to edit the file.<br />
<br />
CapDesk differs from standard desktop shells, however, in its aggressive enforcement of the [http://en.wikipedia.org/wiki/Principle_of_least_authority Principle of Least Authority] (POLA).Double-clicking a file causes CapDesk to launch a [[caplet]]. Caplets are similar to standard applications, except that they are explicitly designed to be launched by CapDesk and must be written in E. When launching a caplet in response to the user double-clicking a file, CapDesk enforces POLA by granting the caplet only the ability to edit the specific file that was double-clicked and nothing else. Opening a new file within a caplet using the "'''Open File'''" dialog, causes CapDesk to grant the caplet the ability to access that file only, and no others. In this way, caplets are given the minimum authority required for them to function without requiring the user to do anything that they wouldn't otherwise do during the course of their work.<br />
<br />
== Getting CapDesk ==<br />
CapDesk is included in the [[E-on-Java]] distribution and requires [[E-on-Java]] in order to run. To obtain CapDesk, simply obtain the current [[E-on-Java]] distribution.<br />
<br />
== Running CapDesk ==<br />
To run it, first install E. Then run the E script in <code>scripts/capDesk.e-awt</code> or <code>scripts/capDesk.e-swt</code>. The former uses the AWT/Swing library to implement CapDesk's Graphical User Interface, while the latter uses SWT. SWT looks nicer but may not work without special configuration. <br />
<br />
== Installing Caplets ===<br />
The first thing to do once CapDesk is running is to install some [[caplet]]s. Navigate to the directory in which E was installed. Then navigate to the <code>caplets/</code> subdirectory. This directory should contain files ending in <code>.caplet</code>. These are individual caplets which you can install to make CapDesk useful. Choose one, such as <code>CapEdit.caplet</code>, right-click it and choose the '''Install''' option from the pop-up menu. This causes CapDesk to launch the caplet installer.<br />
<br />
'''TODO: info about the installer, petnames, etc. Use CapEdit as the example. Add screenshots.'''<br />
<br />
==See Also==<br />
[http://en.wikipedia.org/wiki/CapDesk CapDesk at Wikipedia]<br />
<br />
[http://www.erights.org/talks/skynet/index.html The SkyNet Virus - Why it is Unstoppable; How to Stop it]<br />
<br />
[http://www.erights.org/talks/virus-safe/index.html Talk: Building a Virus-Safe Computing Platform: Don't Add Security, Remove Insecurity]<br />
<br />
[[Category:Applications]]<br />
<br />
[http://www.combex.com/papers/darpa-review/index.html A Security Analysis of the Combex DarpaBrowser Architecture], David Wagner and Dean Tribble, March 4, 2002</div>Toby.murrayhttp://wiki.erights.org/wiki/Erights:AboutErights:About2008-03-20T18:52:32Z<p>Toby.murray: Added myself to list of those taking backups of the wiki here</p>
<hr />
<div>For more info on '''''E''''' in general, go to the [http://www.erights.org E Home Page].<br />
<br />
This wiki is run by [[User:Ansible|Ansible]]. General discussion of the '''''E''''' wiki is on the [http://www.eros-os.org/pipermail/e-lang/ E-lang mailing list].<br />
<br />
All content of this wiki, unless otherwise attributed, is placed in the Public Domain. No guarantee is made about the accuracy of the content.<br />
<br />
== Backups ==<br />
<br />
Please help us back up the contents of the E Rights wiki.<br />
<br />
We've got nightly dump set up to run on the database. We are running a mysqldump and just excluding the wikidb.user table. Even though the passwords are hashed, we thought it would be a bad idea to make that public.<br />
<br />
The contents of the dump are stored in the document root. So you can retrieve the latest dump by running:<br />
<br />
wget http://wiki.erights.org/wikidb_dump.sql.gz<br />
<br />
Obviously, the URL will change when we set up the new name. You may want to use the '-r' option to wget so that the old dump will be overwitten.<br />
<br />
Ideally, several people would set this up to run out of cron. I'm looking at you. Yes... you!<br />
<br />
The backup is set to run at 12:45am CST each day, It only takes a minute to run now, but as time goes by, the database will get larger. So maybe set it to download the dump around 3am CST. Please space out the download times.<br />
<br />
=== People doing dumps ===<br />
<br />
* 3:15am CST --[[User:Ansible|Ansible]] 20:18, 28 November 2006 (CST)<br />
* 10:00am GMT --[http://web.comlab.ox.ac.uk/people/toby.murray/ Toby Murray] 18:47, 20 March 2008 (GMT)</div>Toby.murrayhttp://wiki.erights.org/wiki/Object-Capability_patternsObject-Capability patterns2008-03-19T22:52:42Z<p>Toby.murray: Added reminder to include logging forwarders</p>
<hr />
<div>This page contains information about common object-capability patterns that have appeared in a number of different object-capability systems.<br />
<br />
'''TBD: Powerbox, Attenuating Facets / Forwaders, Logging Forwarders<br />
<br />
{| border="1"<br />
|+ An Historical Overview <br />
! Pattern !! First Described In !! Appears In<br />
|-<br />
| Sealer-Unsealers || James H. Morris, Jr. Protection in Programming Languages. ''Communications of the ACM'', 16(1):15–21, 1973. || Gedanken, E, KeyKOS, Emily, Caja, Joule<br />
|-<br />
| Trademarks || James H. Morris, Jr. Protection in Programming Languages. ''Communications of the ACM'', 16(1):15–21, 1973. || Gedanken, E, KeyKOS<br />
|-<br />
| RevocableForwarder|| David D. Redell. ''Naming and Protection in Extensible Operating Systems''. PhD thesis, Department of Computer Science, University of California at Berkeley, November 1974. || E, KeyKOS, Emily<br />
|-<br />
| Coercers || E. Dean Tribble, Mark S. Miller, Norm Hardy, and David Krieger. ''[http://www.erights.org/history/joule/index.html Joule: Distributed Application Foundations]''. Technical Report ADd03.4P, Agorics Inc., Los Altos, December 1995. || Joule, E<br />
|-<br />
| Membranes || J. E. Donnelley. [http://www.webstart.com/jed/papers/DCCS/ A Distributed Capability Computing System], ''Proc. of the Third International Conference on Computer Communication'', pp. 432-440, 1976. || E, DCCS, KeyKOS, Emily, Joe-E/Waterken (? in the form of the Horton pattern)<br />
|}</div>Toby.murrayhttp://wiki.erights.org/wiki/Object-Capability_patternsObject-Capability patterns2008-03-19T22:51:23Z<p>Toby.murray: Added page summarising various common object-cap patterns</p>
<hr />
<div>This page contains information about common object-capability patterns that have appeared in a number of different object-capability systems.<br />
<br />
'''TBD: Powerbox, Attenuating Facets / Forwaders<br />
<br />
{| border="1"<br />
|+ An Historical Overview <br />
! Pattern !! First Described In !! Appears In<br />
|-<br />
| Sealer-Unsealers || James H. Morris, Jr. Protection in Programming Languages. ''Communications of the ACM'', 16(1):15–21, 1973. || Gedanken, E, KeyKOS, Emily, Caja, Joule<br />
|-<br />
| Trademarks || James H. Morris, Jr. Protection in Programming Languages. ''Communications of the ACM'', 16(1):15–21, 1973. || Gedanken, E, KeyKOS<br />
|-<br />
| RevocableForwarder|| David D. Redell. ''Naming and Protection in Extensible Operating Systems''. PhD thesis, Department of Computer Science, University of California at Berkeley, November 1974. || E, KeyKOS, Emily<br />
|-<br />
| Coercers || E. Dean Tribble, Mark S. Miller, Norm Hardy, and David Krieger. ''[http://www.erights.org/history/joule/index.html Joule: Distributed Application Foundations]''. Technical Report ADd03.4P, Agorics Inc., Los Altos, December 1995. || Joule, E<br />
|-<br />
| Membranes || J. E. Donnelley. [http://www.webstart.com/jed/papers/DCCS/ A Distributed Capability Computing System], ''Proc. of the Third International Conference on Computer Communication'', pp. 432-440, 1976. || E, DCCS, KeyKOS, Emily, Joe-E/Waterken (? in the form of the Horton pattern)<br />
|}</div>Toby.murray