cap'based or actors-based

9.26: adda/security/cap'based or actors-based:

. since adda has control of the code,

does it need capabilities?

it's just like checking array bounds

protecting programmer from accidents .

. also when using agents and concurrency,

you need that soa-style id'ing

that let's you find out who's doing what

when things seem wrong .

. without having to know much about cap'-based systems,

it seems there's a clear path if you

stop worrying about efficiency, and model the system after

what you can understand is secure among human interactions:

organizing jobs just as if they were teams of people .

. all these actors keep journals

checked by god (the exec that runs their prgm for them)

. the flip side of logging is contracting:

a module has a req's list

that tells what permissions of what space it needs

and the exec will report any deviation from those

contractual obligations .

. global logging allows selective roll-backs

not just per object but agent-selecting:

undo all work of a faulty agent

then redo the work without that agent's contributions .

. req's should be specifying what operations or tools

it's using on what space

. another way to do this is have the exec generate

a report of the space being used .

. this can be done as a blacbox without needin to know the code:

as long as it was compiled to be exec'd by addm,

it can't make outside contacts without being logged by addm .

. likewise if it had an efficient way to virtualize the native platform,

then it could do the same with native binaries .

[9.29:

. the language that both addm and the binary would talk

is the files in the virtualization that would get the output .

]

10.9: adda/no need to specify current directory with command:

. regarding dev.unix/need to specify current directory with command:

adda will instead rely on cap'based security

to protect authors from each other .

10.26: adda/self-modifying or code-generating code/security:

. how is adda safe letting code modify itself?

it does so only by calling the adda compiler

which can enforce rules to run by .

. it has to declare everything it wants to modify;

and, this is checked against user or client preferences .

[11.3:

. eg, adda asks the user's agent this:

"( this code was generated from .program,

and wants permission for { .access to .resource, ... }

do permit?

do disallow code additions,

do disallow permission change requests? .

) ] .

11.30: adda/lisp/security options:

. along with having a cap'based security system

it can tell the user if a provider uses self-modifying tech

for in case that should be avoided for safety critical applications,

or for when correctness is not easily proven from scanning output .