Can it be less ambient?
A recent topic in capability theory is whether Dataspaces’ way of modeling ambient shared scratchpads (the “data spaces” themselves) needs to have its exemption from capability-safety. At the same time, a common complaint of systemd/D-Bus/GNOME/etc. is that there is an ambient message bus which has many powerful clients connected by default. These have the same taste to me, when imagining a capability-aware language being used to implement PID 1; is there some ambient authority that could be removed here?
I might well not understand Dataspaces, and I’m happy to learn more about your plan.
Absolutely. So the theory up until recently had exactly one dataspace as execution context & communications medium for each actor in a tree.
But now I’ve reworked things to include capabilities, I’ve also moved away from that perspective. Now a dataspace is an object-in-a-vat like any other. Capabilities secure access to dataspaces or to any other object-in-a-vat.
There’s no longer exactly one privileged dataspace per actor. My early impressions of this new style of “syndicated actor” programming are that it will lead to many more smaller, more tightly-focussed task- or domain-specific dataspaces interconnected in a loose web, within and among machines.
Programs connect to a server and upgrade access from Macaroon-like data structures (basically sturdyref-like) to more ephemeral references.
There’s a little (completely undocumented) proof-of-concept in https://git.syndicate-lang.org/syndicate-lang/novy-syndicate.
Hang on, I’ll do a quick screencast and post it here.
I blogged about the screencast: https://syndicate-lang.org/journal/2021/05/20/demo-of-capabilities
This is a very nice project! Now I feel very curious about what a daemon soup looks like in Syndicate-lang, and about the extension of object-capabilities to syndicated actors. The latter may have suggestions for many system designs outside the current scope of your project – I was just reading about Matrix Spaces which seem to be trying to couple spatial intuitions with access/permissions, and I wonder what Chris Webber wonders about ocaps in the Fediverse.
Yes indeed! I’m excited to find out what it will be like.
I’ve actually been discussing all this stuff somewhat regularly with Chris Webber. I really like his stuff and our discussions are always useful and interesting.