Re: Rscheme etc.

Aubrey Jaffer (jaffer@martigny.ai.mit.edu)
Sun, 12 Nov 95 12:10 EST

Date: Fri, 10 Nov 1995 10:42:23 -0800
From: Tom Lord <lord@cygnus.com>
Cc: scsh@martigny.ai.mit.edu, wilson@cs.utexas.edu
Reply-To: lord@cygnus.com
Sender: owner-gel@cygnus.com
Precedence: bulk

Although recent discussion of Guile has mentioned SCSH once or twice,
it is not really about SCSH. Please direct all followups away from
the scsh mailing list.

OK.

...
The complaint is also false because the next release will contain a
module system that allows compiler writers to design Guile top levels
containing only compilable constructs but able to export definitions
to full-blown top-levels.

This brings up an important issue. With the advent of high-level
language viruses, the ability to restrict certain execution
environments [e.g. client-servers] to certain abilities is becoming
paramount to safe WWW operation.

With a function set the size of Guile's, it is impractical for a coder
to correctly pick and choose (on a function-by-function basis) the
safe subset for restricted access. Also, upgrading a server to a new
Guile or SLIB release would necessitate repeating the whole process in
order not to have security compromised by new or changed functions.

I have tried with `*features*' and `require' to group Scheme
extensions so that a few keywords would describe a varied feature set.
My goal was ability description, not restriction. Neither did I
categorize required R4RS operations such as open-output-file, which can
still be dangerous. Not addressed at all were quotas and other
methods of partially restricting access.

Unix systems provide some controls for file access, but quotas and
execution time constraints are not standardized. Also, securely
configured Unix systems which actually achieve their goal are probably
a small minority. Also, quotas for quantities like run time, heap
size, stack length, and malloc usage have uses far beyond security IF
THEY ARE SIGNALED AS RECOVERABLE CONDITIONS.

I believe that `require' is still a reasonable paradigm for accessing
capabilities. In order to allow quotas for various quantities to be
specified I think it reasonable that `require' take multiple arguments
for some features.

But the first order of business would be to group and categorize
function names according to resource usage. The information needed
would be which set of functions use a resource and what parameters
might be desirable for restricting that resource. This is a large
task; it is probably best done by each person responsible for a
module. So, is anyone working on Scheme/GUILE capability management?
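An added sketch (not Jaffer's, SLIB's or Guile's code) of the scheme proposed above: primitives are grouped under feature keywords and tagged with the resource they consume, a `require` that takes quota arguments builds a restricted top level exporting only those groups, and an exhausted quota is signalled as a recoverable condition rather than killing the client. The names `FeatureRegistry`, `require`, `QuotaExceeded` and the in-memory "file" primitive are hypothetical, and the registry contents are constructed for illustration. Two properties of the design are worth noting: a primitive that consumes a resource is exported only when a quota for that resource was given (deny by default), and a primitive added to the registry by a later release reaches a restricted top level only if it was registered under a feature that top level required.

```python
"""Capability groups and resource quotas for a restricted Scheme-like
top level. Added illustration, not Jaffer's, SLIB's or Guile's code:
FeatureRegistry, require and QuotaExceeded are hypothetical names."""


class QuotaExceeded(Exception):
    """Signalled as a recoverable condition: the caller may catch it,
    release something, and continue, instead of being terminated."""

    def __init__(self, resource, used, needed, limit):
        super().__init__(f"{resource}: used {used}, need {needed}, limit {limit}")
        self.resource, self.used, self.needed, self.limit = resource, used, needed, limit


class FeatureRegistry:
    """Feature keyword -> primitives, each tagged with the resource it
    consumes and a cost function over its arguments."""

    def __init__(self):
        self._features = {}

    def register(self, feature, name, fn, resource=None, cost=lambda *a: 1):
        self._features.setdefault(feature, {})[name] = (fn, resource, cost)

    def require(self, features, quotas=None):
        """Build a restricted top level from the named features. A
        primitive that consumes a resource is exported only if a quota
        for that resource was supplied; anything else is left out."""
        quotas = dict(quotas or {})
        usage = {r: 0 for r in quotas}
        env = {}
        for feature in features:
            for name, (fn, resource, cost) in self._features[feature].items():
                if resource is None:
                    env[name] = fn
                elif resource in quotas:
                    env[name] = self._guard(fn, resource, cost, quotas, usage)
                # else: deny by default, the name is not even bound
        env["usage"] = lambda: dict(usage)
        return env

    @staticmethod
    def _guard(fn, resource, cost, quotas, usage):
        def guarded(*args):
            needed = cost(*args)          # charge before doing the work
            if usage[resource] + needed > quotas[resource]:
                raise QuotaExceeded(resource, usage[resource], needed, quotas[resource])
            usage[resource] += needed
            return fn(*args)
        return guarded


def build_registry():
    """Constructed sample registry: arithmetic, heap allocation, file opens."""
    reg = FeatureRegistry()
    reg.register("arith", "+", lambda a, b: a + b)
    reg.register("arith", "*", lambda a, b: a * b)
    reg.register("heap", "make-string", lambda n: "\0" * n,
                 resource="heap-bytes", cost=lambda n: n)
    fake_fs = {}                          # in-memory stand-in, no real files
    reg.register("file", "open-output-file",
                 lambda path: fake_fs.setdefault(path, []),
                 resource="file-opens")
    return reg


def heap_demo():
    """Client allocates until the heap quota trips, then recovers."""
    env = build_registry().require(["arith", "heap"], quotas={"heap-bytes": 100})
    allocations = 0
    while True:
        try:
            env["make-string"](30)
            allocations += 1
        except QuotaExceeded:
            break                         # recoverable: we carry on below
    return {
        "allocations": allocations,                     # 3 (90 bytes)
        "heap_used": env["usage"]()["heap-bytes"],      # 90
        "file_exported": "open-output-file" in env,     # False: not required
        "sum": env["+"](2, 3),                          # 5
    }


def file_demo():
    """Resource-consuming primitive without a quota is not exported;
    with a quota of one open, the second open is refused."""
    reg = build_registry()
    unquoted = reg.require(["file"])
    quoted = reg.require(["file"], quotas={"file-opens": 1})
    quoted["open-output-file"]("/tmp/a")
    try:
        quoted["open-output-file"]("/tmp/b")
        second_ok = True
    except QuotaExceeded:
        second_ok = False
    return "open-output-file" in unquoted, second_ok    # (False, False)
```

Charging the cost before the primitive runs is the point of the `_guard` wrapper: a `make-string` whose size would push the heap quota over the limit never executes, so the condition is raised while the client still has its resources and can back off or free something. Run-time and stack-depth quotas would need a hook in the evaluator loop rather than a per-primitive cost, but would be signalled the same way.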