►
From YouTube: tc39: SES Status Update (as re-recorded at SES-mtg)
Description
The "SES Status Update" presentation I originally gave at the July 2019 tc39 meeting I gave again to the SES-mtg on Aug 1, and recorded.
"SES Status Update" as originally presented at tc39 at
https://www.youtube.com/watch?v=cspzkRvs1Ig
Starts at the fourth slide because I forgot to turn recording on earlier.
Full Aug1 SES mtg at
https://www.youtube.com/watch?v=IxwX200g4TI&list=PLzDw4TTug5O1jzKodRDp3qec8zl88oxGd
A
This
is
a
status
update,
not
a
request
to
advance
through
the
staging
process
and
that
the
presentation
will
explain
why
we're
not
asking
for
advancement,
but
in
the
absence
of
advancement
it's
it's
easy
to
think
that
nothing's
happening
and
in
fact
a
significant
number
of
people
and
groups
on
the
committee
have
been
working
together
on
this
and
a
lot
has
been
happening.
So
this
is
bringing
you
up
to
date
on
what's
been
happening
and
how
we're
thinking
about
the
boundaries
between
the
proposals
have
changed.
A
Any
one
of
those
libraries
can
completely
corrupt.
The
application
in
the
context
of
meta
mask
since
meta
mask
is
the
primary
user
interface
framework
for
creating
user
interfaces
to
decentralized
applications
to
applications
running
on
blockchain
any
one
of
the
packages
LinkedIn
could
not
only
corrupt
the
user
interface
but
all
of
the
assets
that
that
person
is
using
through
the
user
interface.
A
So
the
exposure
here,
the
risk
exposure
is
really
quite
frightening,
so
what
Sesa
fie
is
doing
there
browserify
plugin
is
that
it's
doing
a
first
of
all
doing
a
tofu
analysis.
That's
a
tofu
that
cumavi
wrote
based
on
the
tofu
that
Bradley
wrote
he's
taking
a
look
at
what
each
module
apparently
depends
on
by
this
naive
static
analysis,
creating
a
configuration
file
that
records
those
apparent
dependencies
and
then
in
spawning
these
things
under
SES
were
spawning
them
such
that
the
authority
were
giving
them.
A
So,
in
order
to
run
that
module
all,
you
have
to
run
it
in
an
environment
in
which
there
is
a
global,
named
xml,
httprequest
and
in
which
that
global
acts
enough,
like
the
xml
httprequest,
that
it's
expecting
as
to
enable
that
module
to
run
so
any
security
review
of
these
things
would
start
with
the
red
nodes
and
proceed
down
in
colors
towards
the
green
and
for
these
dangerous
imports.
You
can
also
take
a
look
at
what
the
module
actually
does
with
them,
and
figure
out
whether
you
want
to
manually
impose
interpose
an
attenuator.
A
A
A
We
have
a
function
named
make
counter.
This
is
using
objects.
The
closure
pattern.
You
can
do
essentially
the
same
thing
with
the
class
pattern
using
private
state
and
object
freeze.
But
let's
just
do
it:
let's
do
this
one,
so
you
have
an
outer
function,
make
counter
and
every
time
you
call
it.
It
makes
a
new
object,
which
is
this
record
with
an
inker
and
dekker
method
that
lexically
capture
this.
This
encapsulated
count
variable.
A
So
every
time
we
call
it,
we
make
a
new
triple
of
a
inker
function,
a
dekker
function
and
encapsulate
account
variable
and
the
record
exposing
the
inker
function
and
dekker
function.
So
that's
basically
the
object.
The
hardened
is
an
abstraction
over
object,
dot
freeze,
so
the
record
itself
cannot
be
tampered
with
and
every
time
we
call
it.
We
make
a
new
instance
where
each
of
these
instances
is
isolated
from
the
other.
A
With
one
of
these
one
of
the
things
that
you
can
do,
what
can
you
do
with
one
of
these
counters
with
an
inker
and
a
Decker?
You
can,
for
example,
if
you
want
to
count
the
number
of
things
entering
and
exiting
a
container,
you
could
have
an
entry
guard
guarding
the
entrance
to
the
container
and
exit
guard
guarding
the
exit
to
the
container
and
give
the
entry
card
the
ability
to
increment
and
give
the
exit
card,
the
ability
to
decrement
and
the
intuition
that
a
programmer
should
take
to
this.
A
If
don't
know
the
odd
corners
of
JavaScript,
what
does
this
program
seem
to
be
doing?
It
seems
to
be
giving
the
entry
guard
only
the
ability
to
increment
in
giving
the
exit
guard
only
the
ability
to
decrement.
So
the
basic
idea
of
SES
is
to
uphold
that
expectation
to
actually
make
it
possible
to
only
give
the
entry
guard
the
ability
to
it
to
increment,
using
the
code
pattern
that
you
saw.
A
The
reason
that
javascript
is
a
suitable
language
for
creating
this
secure,
runtime,
the
secure
SAS
runtime
and
why
the
resulting
SAS
system
is
really
essentially
just
JavaScript.
As
far
as
the
experience
that
programmers
have
is
because
javascript
is
uniquely
well
set
up
for
carving
out
this
object
capability
behavior.
This
object
capability
form
of
JavaScript
from
the
language,
even
going
back
to
Eknath
script
3,
which
was
the
JavaScript
that
we
had
when
I
joined
the
committee.
A
There
was
this
accident
of
history
where
JavaScript
the
language
was
being
standardized
under
ACMA,
the
browser
was
being
standardized
under
w3c
and
even
though,
for
the
first
decade
of
JavaScript's
existence,
the
only
host
that
mattered
was
the
browser.
This
jurisdictional
separation
between
two
standards
bodies
prevented
most
browser
concepts
from
leaking
into
the
language
definition
and
prevented
all
browser
effects
from
leaking
into
the
language
definition.
So
the
language
itself
was
left
as
a
language
without
Io
language
that
sent.
A
Providing
those
host
objects
by
populating
the
global
address
space
and
then
javascript
objects
could
only
get
initial
access
to
a
host
object
by
global
scope
lookup.
So
if
you
can
intervene
on
the
global
scope,
lookup
you're
in
a
position
to
virtualize
the
host,
essentially
completely
virtual,
was
all
abilities
to
cause
external
effects.
It's
very
much
like
how,
in
a
hardware
architecture,
when
you
have
a
clean
separation
between
the
user
mode
instruction
set
and
the
system
mode
instruction
set
and
all
attempt
to
do
system
things
cause
traps,
you
can
essentially
virtualize
any
operating
system.
A
So
that
gives
us
support
for
realms
as
a
unit
of
isolation.
Javascript,
furthermore,
supports
object,
granularity
protection
by
virtue
of
the
fact
that
each
object,
the
only
things
it's
born
with
implicit
access
to
are
the
primordial
like
when
you
evaluate
a
sopin
square
bracket,
close
square
bracket.
It's
born,
inheriting
from
object
from
array,
dot
prototype,
so
there's
all
those
things
that
has
implicit
access
to
all
of
those
things
which
we
call
the
priority.
A
So
this
is
I'm
going
to
use
this
little
sample
of
the
primordial
x'
to
just
stand
for
the
full
set
of
primordial,
so
the
primordial
x'
come
in
a
self-contained
graph,
one
of
the
things
very
nice
about
the
primordial
x'
is
they
pointed
each
other,
but
they
don't
point
at
anything
outside
the
primaries,
so
traverse
it
traversing.
These
pointers
only
takes
you
from
primordial
to
primordial
and
there's
also
the
global
object,
which
has
these
global
property
names.
A
These
property
names
that
point
at
some
of
these
prime
orioles
and
of
the
primordial
x',
there's
a
special
category
of
primordial
that
we
call
the
evaluators
for
which
the
global
object
serves.
A
special
role
in
this
picture.
Function
and
eval
are
evaluators
and
two
evaluators
when
they
evaluate
code
for
any
name
lookup
where
it's
you're,
looking
up
a
variable
name,
that's
not
defined
within
the
code
for
any
fruit,
but
for
any
lookup
of
a
free
variable.
It's
looked
up
in
the
global
scope
and
the
global
scope
is
essentially
aliases.
A
A
So
all
those
objects
are
frozen
and
introduce
a
new
abstraction,
which
is
the
compartment
where
a
compartment
is
a
realm
in
the
sense
of
an
executions
scope,
an
execution
context
for
code
to
be
running
in
so
each
of
these
other
boxes
is
all
is,
is
a
compartment,
but
a
compartment
differs
from
a
full
realm,
as
we've
known
it
in
that
it
does
not
have
its
own
set
of
prime
Oracle's.
It
inherits
the
primordial
from
the
full
realm
that's
created,
so
since
these
full
realms
are
also
realms,
that
we
introduce
the
terminology
distinction
the
full
realm.
A
We
call
it
a
root
realm
and
then
the
compartments
are
also
kind
of
realm,
but
they're
a
realm
within
a
read
realm
and
each
compartment
only
costs
a
few
objects,
and
this
ability
to
create
featherweight
protection
domains
is
in
particular
important
to
access
the
the
embedded
JavaScript
for
devices
with
limited
memory.
So
we
can
have
many
featherweight
compartments
with
very
little
space
overhead
per
compartment.
A
Javascript
exists
in
four
primary
primary
hosting
environments,
of
course
started
in
the
browser.
Also,
the
single
machine
server
this,
which
we
call
the
solo
server
embedded,
is
also
a
widespread
use
of
JavaScript.
But
it's
not
a
well-known
use
of
JavaScript.
There
are
many
devices
that
the,
including
probably
some
in
your
house
that
are
actually
running
and
embedded
JavaScript
and
then
of
course,
now
blockchain
is
a
new
hosting
environment
on
the
browser.
A
The
java
sea
for
embedded
devices
there's
both
XS,
which
I
mentioned
and
there's
the
new
standards
group
under
ECMO
TC
53,
which
is
standardizing
the
JavaScript
modules
for
embedded
devices.
Tc
53
is
explicitly
using
SES
as
the
standard
JavaScript
for
embedded
devices,
such
as
the
standardization
of
all
the
modules
for
embedded
assumes
SES
as
the
context
of
execution
and
XS,
which
is
the
main
JavaScript
on
embedded
devices
represented
by
moddable.
Here
on
the
committee.
They
already
have
a
configuration
out-of-the-box,
that's
a
full
SES
implementation.
That's
nice!
A
It's
not
a
SES
created
by
carving
it
out
of
the
full
JavaScript
engine
at
runtime.
It's
rather
a
runtime
which,
which
just
has
SES
and
omits
the
parts
of
JavaScript
that
are
not
in
SES
and
then,
of
course,
agaric
is
bringing
SES
to
the
blockchain
and
meta
mask
is,
as
I
mentioned,
has
created
a
browserify
plug-in
called
Sesa
phi
that
is
using
cess
to
do
this
safe
module.
Linkage.
A
On
top
over
time,
elements
of
frozen
realms
moved
down
into
our
notion
of
what
the
realms
proposal
should
be,
and
elements
of
frozen
realms
moved
up
into
what
we
considered
SES
to
be,
and
it
just
over
time.
There
wasn't
enough
difference
to
justify
three
layers.
It
really
collapsed
into
these
two
layers.
A
But
what
we
realized
over
time,
as
we
went
to
apply
SES
to
various
systems,
is
that
the
use
cases
for
creating
root
realms
and
the
use
cases
for
creating
compartments
were
quite
distinct.
In
particular,
the
embedded
use
with
excess
is
an
environment
that
is
not
able
to
create
multiple
root
realms
and
in
which
there's
no
reason
to
do
the
engineering
to
enable
multiple
root
realms.
It
really
is,
quite
naturally,
a
single
root,
realm
environment
and
likewise,
in
the
browser,
a
worker
is
a
single
root.
Realm
environment.
A
A
Node
has
been
making
great
progress,
bringing
elements
of
sess
directly
into
node,
so
that
node
can
provide
more
direct
support
for
sass
and
cess
like
security,
so
node
already
comes
with
an
experimental
flag.
It's
already
shipping,
with
this
experimental
frozen
intrinsics
flag
that,
when
turned
on,
actually
creates
a
instantiation
of
node
in
which,
in
the
main
environment,
all
the
all
of
the
intrinsic
switches.
The
primordial
x'
are
already
born.
Frozen.
A
Node
really
has
only
three
Global's,
which
is
or
suppose
for
Global's
process
ray
buffer
and
then
require
and
module
for
the
declare
and
module
with
module
that
exploits
those
are
really
just
the
common
Jas
form
of
import
and
exports
adjust
the
mechanism
for
importing
exporting
among
common
J's
modules.
So
the
the
interesting
things
as
global
variables
in
node
is
process
and
array.
A
A
And
the
main
compatibility
problem
that
you
run
into
when
you
freeze
the
primordial
x'
is
the
override
mistake.
For
example,
if
you
create
a
new
object
in
the
context
in
a
context
which
all
the
prime
Oriels
of
frozen-
and
you
want
to
give
it
a
two
string
method
by
saying
object,
dot
two
string
equals
new
function
if
the
primordial
czar
naively
frozen.
That
assignment
will
fail
because
of
a
spec
mistake
that
that
the
equus
crypt
committee
made
many
years
ago
that
we've
failed
to
fix.
A
Experience
in
salesforce
says
that
even
more
narrowly
there
are
five
of
the
primordial
prototypes
array
object
function.
I
don't
remember
what
the
other
two
are,
but
if
you
do
this
masking
of
the
override
mistake
for
the
methods
on
those
five
prototypes,
the
problem
practically
goes
away
from
most
code.
A
So
these
URLs
take
you
to
the
interesting
things
that
represent
the
current
state
of
SES.
The
first
link
is
the
official
link
to
the
SES
proposal,
which,
which
is
still
at
stage
one
and
I,
recommend
that
you
don't
look
at
it
very
hard,
because
the
text
of
that
is
way
stale
compared
to
our
current
understanding.
It
has
not
been
revised
in
quite
a
long
time.
A
What
we
realized,
especially
because
of
the
embedded
case,
is
that
the
thing
to
specify
first
is
what
would
be:
what
is
the
SES
environment
that
results
from
creating
an
SES
environment?
However,
you
created
get
that
pinned
down
first
and
then
worry
about
the
API
for
creating
it
and
that
suits
moddable
and
embedded
perfectly
well,
because
those
machines
can
just
start
out
as
standalone
SES
machines
without
a
prior
JavaScript
to
have
created
it
from.
A
Saf
module
loading
and
module
linkage
under
SES,
all
the
existing
users
of
SAS,
sale
and
meta
masks,
in
particular,
also
agaric.
All
three
of
us
were
using
existing
packagers
to
turn
modules
into
evaluable
scripts.
So
we
can
use
our
support
for
safe
script
evaluation,
but
we
need
a
first-class
semantics
for
safe
modules
for
SES,
and
this
problem
became
more
urgent
with
embedded
because
in
embedded,
the
normal
configuration
has
no
runtime
evaluators.
A
You
do
all
of
your
evaluation
at
Build
time,
creating
the
system
that
you
then
put
into
ROM.
That
then
runs
code
at
runtime,
so
moddable
came
up
with
our
first
compartment
spec.
That
has
a
system
for
module
loading
in
import,
remapping
and
attenuation
that
they
have
implemented
in
the
shipping
moddable
SAS
engine
and
which
agaric
is
now
working
on
implementing
as
an
extension
of
our
own
SAS
shrim
and
that's
a
safe
module
system.
A
B
Yep
I'm
still
here,
so
you
have
pared
down
the
proposal.
A
lot
it
sounds
like
these
are
meant
to
be
run
on
the
same
agent
and
potentially
talking
with
each
other.
You
didn't
mention
in
your
presentation
the
ability
for
compartments
to
create
other
compartments
within
themselves.
Is
that
still
being
discussed,
no
compartments.
A
So
the
compartments
can
create
new
compartments,
there's,
never
any
sense
in
which,
when
compartment
a
creates
compartment
B
there
was
never
any
sense
in
which
B
is
within
a
B
is
fully
under
the
control
of
a
because
a
was
used.
The
compartment
API
to
parameterize
what
the
nature
of
B
was,
but
structurally,
both
a
and
B
are
just
directly
nested
under
the
root
realm
that
both
of
them
are
with
it.
A
B
A
I
wasn't
thinking
about
realms
or
compartments
having
a
bearing
on
how
workers
talk
to
each
other,
but
rather
on
the
ability
to
create
multiple
protection
domains
within
a
worker
with,
even
though
there's
no
ability
to
create
multiple
route
realms
in
order,
we
don't
need
to
do
the
engineering
to
enable
multiple
route
realms
and
a
worker
in
order
to
divide
a
worker
up
into
these
multiple
protection
domains,
and
that
was
actually
raised
by
meta.
Mask
meta.
Mask.
B
Also
I
know
you've
mentioned
that
there
is
some
remapping
--zf
or
modules.
Has
there
been
discussion
around
API
designs
for
intercepting
not
only
static
module,
graphs
but
dynamic
ones
as
well.
A
The
the
main
discussions
of
that
have
been
in
these
SES
meetings
with
you,
I
mean
the
this.
This
all
of
the
times
when
we
explored
what
those
aap
is
for
doing
a
code
based
mapping
for
having
the
mapping
under
control
of
code
were
discussions
with
you.
What
we're
currently
targeting
as
a
interim
step
is
the
compartment
API
that
comes
from
model
B.
A
A
A
We
would
still
want
to
be
able
to
express
simple
remapping
as
declaratively,
whether
we
do
that
on
top
of
the
operational
mechanism
or
not,
because
the
output
of
the
tofu
tool
will
just
give
us
simple
static,
rewiring
that
we
want
to
be
able
to
run
in
such
a
way
where
that's
the
source
of
most
of
the
rewiring
x'.
That
we
did.