> And to me that is the crux of the issue: Safe environments are
> designed to so limit a program that whatever it does is ok, even if
> that program is generated by a random (or even an "evil") code writer
> program. In other words, no trust is necessary.
> But I think that, in networks of information especially, it will be
> valuable to have programs that can aggregate and manipulate
> information bases in the non-bounded WWW space. And I have a feeling
> that this will require trusted programs rather than confined programs.
Absolutely. The approach we took in Safe-Tcl was to have a core set of
capabilities that was available to untrusted users, and then have simple
ways to extend that capability differentially for particular trusted
users.
The hooks for doing this have been in Safe-Tcl all along. Only this
weekend, I finally implemented the small amount of necessary glue that
makes it easy to give Safe-Tcl programs particular extended capabilities
based on PGP signatures. (For those interested, I sent a preliminary
version of how to do this to the safe-tcl list the day before
yesterday.) Thus you can say that safe-tcl programs from a certain set
of PGP-signed senders have read or write access to a certain subset of
your files.
I think that an extensible "safe" environment is the right platform on
which to build differentially more powerful environments for trusted
colleagues. I think that a binary trusted/untrusted distinction is not
rich enough -- you need to be able to support shared files, for example,
without sharing ALL your files.... -- Nathaniel
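As an added illustration (not Nathaniel's code nor the Safe-Tcl glue he refers to): the policy shape described above, in Python. A verified signature from a known sender widens the untrusted core to read/write access on a named subset of files; an HMAC stands in for the PGP signature check, and the senders, keys and paths are constructed.

```python
import hmac
import hashlib
import posixpath

# Constructed trust table: who is trusted, the key that authenticates them, and
# the subset of the filesystem their signed programs may read or write.
# Assumption: an HMAC over (sender, program) stands in for a PGP signature check.
TRUSTED_SENDERS = {
    "alice@example.org": {"key": b"alice-key", "read": ["/home/nsb/shared"], "write": []},
    "bob@example.org":   {"key": b"bob-key",   "read": ["/home/nsb/shared"],
                          "write": ["/home/nsb/shared/bob"]},
}

def sign(sender, program):
    """Sender side: bind the program text to the sender's identity."""
    key = TRUSTED_SENDERS[sender]["key"]
    return hmac.new(key, sender.encode() + b"\0" + program, hashlib.sha256).hexdigest()

def capabilities_for(sender, program, signature):
    """Core capabilities always; extended ones only for a verified trusted sender.
    Returns a dict of mode -> list of directory roots the program may touch."""
    core = {"read": [], "write": []}          # untrusted default: no file access
    entry = TRUSTED_SENDERS.get(sender)
    if entry is None:
        return core
    expected = sign(sender, program)
    if not hmac.compare_digest(expected, signature):
        return core                           # tampered program or forged sender
    return {"read": list(entry["read"]), "write": list(entry["write"])}

def check_access(caps, mode, path):
    """Gate a file operation on the granted roots. Paths are normalised lexically
    so '..' cannot escape the granted subset; on a live filesystem the same check
    must also be applied after resolving symlinks (os.path.realpath)."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return False                          # relative paths belong to no subset
    for root in caps.get(mode, []):
        root = posixpath.normpath(root)
        if norm == root or norm.startswith(root + "/"):
            return True
    return False
```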