andrewchambers · April 12, 2018 13:01 · MostAwesomeDude · Oct 27, 2017 · andrewchambers · Nov 9, 2017
diff --git a/notes.txt b/notes.txt
 I have been thinking recently about a set of features that might be
 interesting for an interpreted language. Largely I am uninterested in the
 syntax for now, just the properties of the language and implementation.


 1. Actor model similar to erlang with total isolation of actors except
 via message passing. Crashing one actor does not affect other actors
 unless they want to be affected.

 2. Mutability within an actor, but only immutable objects can be passed
 between actors. Or mutable objects can be transferred but a runtime
 error occurs on accessing a mutable structure after it has been 'moved'.

 3. Embrace the unix security model. Actors can be local to the vm or forked actors
 with a different pid and user id. Actors could embrace OS level privsep
 code, perhaps integrate the language with OS level jails/containers. Make
 writing privsepped code a first class citizen of the language...

 4. Object/actor capability system. If you do no have an unforgeable
 reference to an actor, you cannot message it. See pony for
 inspiration. All OS/runtime functionality is controlled by actors, hence
 sandboxing code is as simple as not passing references to the relevant
 actors to the sandboxed actor.

 5. The actors in a different process can be remote or local. spawn an actor over
 an ssh link then send it a reference to an open file actor.
 Perhaps the runtime needs some smart routing to get messages
 to distant actors, especially in the presence of a tree of unix
 processes. I think this is slightly different to erlang which has a
 notion of 'nodes', and no security isolation or tree structure.

 6. Unreachable actors can be garbage collected. This might not be well
 thought out or possible.

 7. Runtime resource limits can be put on individual actors, or groups
 of actors. Be able to say - "This http server actor (tree) cannot use
 more than N resources" which is imposed at runtime.

 8. Erlang style supervisors should be possible via links.

 9. Live code reloading. Code changes are propagated down the process tree.

 Some of these are already possible with erlang, but I think some of it
 would be a unique combination. Let me know if any of this is new, good,
 bad or impossible.

 Misc:

 Remote messages may need to be unforgeable using cryptography. This can be accomplished by giving each actor
 a secret or pub/private, and  messaged recieved must be HMACED/signed. local actors can trust the runtime
 that the actor id hasn't been faked for performance, Pony accomplishes this with memory safety.

 Examples for the imagination:

 Spawning a privsepped remote actor, and getting it to write a file:

 write_file(file) {
 	// the remote actor can ONLY write to this file, thats all it has a reference to.
 	// The chroot and remote message signing add security from runtime exploits.
 	file.write("hello from remote actor!")	
 	file.close()
 }

 main(world) {
 	// world, remote_world, and file are all references to actors.

 	file = world.open("/local/file.txt")
 	remote_world = world.spawn_world(host="[email protected]", chroot="/jail/")
 	remote_actor = remote_world.spawn(write_file, file)
 	remote_actor.wait_for_exit()
 	// Prints "hello from remote actor!"
 	world.print(world.readfile("/local/file.txt""))
 }

 Perhaps we could send a handle for the current world to the remote world!
	I have been thinking recently about a set of features that might be
	interesting for an interpreted language. Largely I am uninterested in the
	syntax for now, just the properties of the language and implementation.


	1. Actor model similar to erlang with total isolation of actors except
	via message passing. Crashing one actor does not affect other actors
	unless they want to be affected.

	2. Mutability within an actor, but only immutable objects can be passed
	between actors. Or mutable objects can be transferred but a runtime
	error occurs on accessing a mutable structure after it has been 'moved'.

	3. Embrace the unix security model. Actors can be local to the vm or forked actors
	with a different pid and user id. Actors could embrace OS level privsep
	code, perhaps integrate the language with OS level jails/containers. Make
	writing privsepped code a first class citizen of the language...

	4. Object/actor capability system. If you do no have an unforgeable
	reference to an actor, you cannot message it. See pony for
	inspiration. All OS/runtime functionality is controlled by actors, hence
	sandboxing code is as simple as not passing references to the relevant
	actors to the sandboxed actor.

	5. The actors in a different process can be remote or local. spawn an actor over
	an ssh link then send it a reference to an open file actor.
	Perhaps the runtime needs some smart routing to get messages
	to distant actors, especially in the presence of a tree of unix
	processes. I think this is slightly different to erlang which has a
	notion of 'nodes', and no security isolation or tree structure.

	6. Unreachable actors can be garbage collected. This might not be well
	thought out or possible.

	7. Runtime resource limits can be put on individual actors, or groups
	of actors. Be able to say - "This http server actor (tree) cannot use
	more than N resources" which is imposed at runtime.

	8. Erlang style supervisors should be possible via links.

	9. Live code reloading. Code changes are propagated down the process tree.

	Some of these are already possible with erlang, but I think some of it
	would be a unique combination. Let me know if any of this is new, good,
	bad or impossible.

	Misc:

	Remote messages may need to be unforgeable using cryptography. This can be accomplished by giving each actor
	a secret or pub/private, and messaged recieved must be HMACED/signed. local actors can trust the runtime
	that the actor id hasn't been faked for performance, Pony accomplishes this with memory safety.

	Examples for the imagination:

	Spawning a privsepped remote actor, and getting it to write a file:

	write_file(file) {
	// the remote actor can ONLY write to this file, thats all it has a reference to.
	// The chroot and remote message signing add security from runtime exploits.
	file.write("hello from remote actor!")
	file.close()
	}

	main(world) {
	// world, remote_world, and file are all references to actors.

	file = world.open("/local/file.txt")
	remote_world = world.spawn_world(host="[email protected]", chroot="/jail/")
	remote_actor = remote_world.spawn(write_file, file)
	remote_actor.wait_for_exit()
	// Prints "hello from remote actor!"
	world.print(world.readfile("/local/file.txt""))
	}

	Perhaps we could send a handle for the current world to the remote world!