[General] LK and Caja [was: [Ann] Lively kernel 0.8 is out!]

[Dan Ingalls]

Hi, Mark -

>However, your recent message has me concerned that Lively is deviating
>ever farther from programming patterns that can be secured. Before
>making these changes, what thought was given to their possible
>compatibility with object-capability security?

I realize that my previous somewhat flip answer of "Zero" might have you a bit
concerned.  Also, I let my response go in other directions that may have
obscured our very real interest in Caja and serious security for JavaScript.

So far we have made our best progress by small experiments followed by
significant rewrites.  Things are still small enough (and we hope to keep
it that way) that global rewrites are still tractable.

I think the next step would be to have a meeting with you folks in which
(in fact probably before which) we scrutinize the Lively Kernel code and
sketch a few rewrites that would put us on the high road as soon as possible.

While some aspects of 0.8 may bother you, it captures the functionality
we're after pretty well, so we can probably carry out some of these
experiments without too much interference with other ongoing changes.

While I'd like to get together off line, I think this is a project of great
potential importance, so we should try to document as much as possible
as we go, and include our respective mail list communities in the process.

I think that it would be enormously instructive and validating
to show that a relatively complete and self-supporting system can
be rewritten as a secure architecture without making things more
complex and, hopefully even improving its clarity.

	- Dan, for the LK team