►
From YouTube: SES-mtg: import maps, safe modules, SES devel steps
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
B
B
So
several
topics
we
can,
we
can
talk
about
solid,
just
posted
to
oh
cap,
Jess,
a
pointer
to
what's
been
going
on
with
import
maps
and
things
about
that
which
I
have
not
had
a
chance
to
look
at
yet
and
I
know
that
import
Maps
is
something
that
we
that
we
would
be
needing
to
pay
attention
to,
but
I
have
not
yet
paid
attention
to.
It
also
had
a
gorrik
on
Friday
we
had
an
internal
planning
session
to
figure
out
what
the
phases
of
development
are
to
move
ahead
with
SES
and.
B
C
B
D
B
I
think
right
right,
that's
TV
got
it
okay
and
also
as
part
of
the
wiring
discussion.
We've
we've
also
been
discussing
the
the
issue
of
how
does
either
a
module
on
the
rather
a
package
or
an
application
Express,
what
it's
expecting
such
that
some
policy
decision
in
making
a
decision
about
what
for
what
to
provide
it?
What
specific
thing
to
provide
it
can
be
doing
that
in
the
context
of
an
expectation
about
what
kind
of
thing
it's
expecting
and
therefore,
what
kind
of
thing
to
provide
it.
B
C
B
C
B
Yeah
I-I've
we've
actually
discussed
it
in
the
occasional
meeting
here.
Bradley's
brought
it
up
many
times,
so
it's
something:
we've
known,
we've
needed
to
pay
attention
to,
and
it's
been
I
believe
it's
been
visible
on
the
w3c
side
of
things.
I
have
not
really
been
visible
after
the
TF
tc39
side
of
things,
except
that
tc39
people
have
known
me
needed
to
pay
attention
to
it.
D
Yeah
we've
paid
attention
to
it:
I
actually
set
out
loud
in
a
no
js'
eating
a
wild
bag
that
I'm
so
sorry,
I.
Think.
The
only
conclusion
at
this
point
is
that
we
should
be
paying
attention
to
new
things
like
import
maps
and
I.
You
know,
I
was
embarrassed
because
I
didn't
know
enough
about
it
to
actually
weigh
a
decision.
We
were
making
at
that
point
and
you
know
since
then
it's
a
browser
thing
right.
So
we
we
have
a
mirror
of
it.
Something
called
export
maps
that
we've
been
working
on.
B
I
watch
one
interrupt
briefly
with
a
a
zoom
issue.
That's
distracting
me
for
everybody
else.
I'm
seeing
icons
rather
than
video
I
would
like
to
also
be
transmitting
or
showing
an
icon
for
myself
rather
than
video.
The
only
control
I
see
is
stop
video
and
when
I
turn
it
off.
My
I
don't
see
anything
anymore.
D
C
B
C
B
A
D
B
D
So
so
I
was
really
not
not
concerned
about
import
maps
until
I
saw
it
being
used
to
prop
up
yet
another
proposal,
which
is
STD
and
in
very
very
wrong
ways,
and
on
a
on
a
blog
of
Google.
You
know
a
browser
developer
of
all
places
and
I
have
no
problem
with
the
idea
of
built-in
modules.
In
fact,
I
actually
want
to
see
Global's
be
a
legacy
feature
in
a
legacy
sandbox
that
people
opt
in,
because
some
code
needs
to
stay
alive
apparently,
but
it's
not
important
enough
to
update
go
figure.
D
So
so
what
we're
doing
in
security
instead
is
we're
creating
safe
compartments,
initialized
in
unsafe,
initially
unsafe
environments,
which,
which
goes
you
know
the
opposite,
but
but
the
idea
that
we
have
modules
means
that
we
have
a
new
where
you
can
import
your
Global's
and
global
scope
in
a
module.
But
to
do
that,
you
have
to
do
a
thinking
of
all
the
edges.
Not
not
just
thinking
of
K
V,
Dash
storage
would
have
looked
very
bad
as
a
global
name,
because
you
can
never
refer
to
it
with
a
period.
D
B
D
D
Yeah
so
when
I'm
work
writing
require
like
imports,
you
know
using
required
to
import
modules
on
in
own
I.
Often
don't
have
a
relative
path
in
there.
I
just
refer
to
a
bear,
specify
like
import
awesome
package,
no,
no
HTTP,
no
file.
No
all
these
past
specific
aspects
are
fundamentally
dropped
off
from
the
prefix
and
you
start
with
a
bear
named
optionally.
D
D
When
I
use
the
bare
specifier
ie
this
part
here
in
my
own
module,
so
so
in
this
module
they're
importing
what
is
obviously
not
a
bear
specifier
and
they
are
saying
import
maps
will
allow
you
to
say
it's.
It's
either
the
built
in
and
if
that
doesn't
exist,
then
its
user
code.
That
I
will
give
it
to
it.
D
So,
in
a
just
import
maps
are
a
manifest
approach
to
define
the
file
systems
searching
operations
that
nodejs
does
for
you
when
you
require
a
module
without
giving
it
a
particular
node
modules,
absolute
path
to
import
from,
and
they
did
that
by
having
you
actually
create.
Every
single
record
you
want
to
refer
to.
That
is
not
a
path,
and
it
just
looks
up
in
this
map
to
give
you
what
you
need.
C
D
C
D
They're
really
mashing
things
up
together.
That
was
a
third
also
called
layered
modules
or
layered
imports.
Let's
not
get
into
that
that
the
idea
that
they
have
an
array
was
fallback
here
is
a
new
feature
of
another
proposal
happening
called
layered
resolution
or
layered
whatever,
which,
which
said
that
we
would
use
a
pipe
and
and
give
a
string
so
I
import,
STD,
whatever
type,
and
that
path
forget
about
import
naps.
I
just
put
that
in
that
string
over
here
and
somehow
magically,
but
pipe
you
just
mean
vertical
bar
right.
A
D
And-
and
you
know,
obviously,
it's
not
a
good
idea
to
have
that
in
a
file
name,
so
it's
understandably
a
good
choice,
but
but
you
know
so
so
that
was
a
different
proposal
and
you
know
to
make
things
I
guess
you
know
to
to
simplify
the
world
and
to
be
able
to
give
this
article
time
very,
very
well,
you
know
around
whatever
will
happen
at
TC
meetings.
D
Lets
you
see
they're
both
experimental
proposals
that
are
obviously
changing
depending
on
what
article
is
writing
about
them?
So
what
would
be
the
reasonable
thing
to
assume
if
that
has
been
the
ruled
so
far?
There's
only
one
import
map
declared
and
kv
storage
is
obviously
going
to
be
a
module
record
in
an
otherwise
up
to
spec
idempotent
map.
I
really
really
hate
to
see
you
know.
People
having
you
know,
schemes,
protocols,
urls
masquerading,
something
is
coming
from
a
trusted
CDN
when
it's
actually
coming
from
a
third-party
just
because
they
could
create
a
script
tag.
B
D
D
D
B
D
And-
and
we
are
going
to
attack
this
by
actually
oh
yeah,
because
I'm
doing
a
standing
meeting
today,
I
have
to
not
be
sitting
all
day.
So
that's
why
I'm
pressing
the
wrong
keys,
so
so
I
guess
the
problem
now
becomes.
If,
right
before
my
code,
there
was
an
HTML
that
had
a
script
type
equals
import
map
which
is
not
a
mind
type
with.
What
are
they
thinking
and
over
here.
A
B
C
B
Bad
yeah
I,
don't
I,
don't
understand
why
this
attack
is
a
is,
is
is
a
threat
or
is
it
legitimate?
It
seems
like
if
you
have
the
ability
to
determine
the
contents
of
a
script
tag
on
the
HTML
page.
You
really
are
in
control
and
from
a
kaha
or
SES
point
of
view.
We
actually
you
know
kaha
initializes,
the
frame
before
it
loads
anything
untrusted
and
one
of
the
things
that
it
does
is
actually
a
part
of
D'amato.
The
the
browser
component
of
kaha
was
a
URL
rewriter.
B
Basically,
they
gave
you
the
ability
to
reroute
to
remap
the
dereferencing
of
any
name,
and
likewise,
we've
been
constructing
you.
All
of
our
discussions
about
the
safe
module
system.
Is
that
if
realm,
if
you
know
codon
in
rouen
realm,
a
sets
up
new
route
realm,
be
that
realm
a
should
be
in
complete
control
over
the
import
namespace
seen
by
B.
So
this
this
seems
like
it's
consistent
with
all
that
I.
D
A
D
B
B
Intermediation
mechanism
to
do
confinement
because
they
can
only
intercept
external
Network
requests
to
the
origin
as
you
that
you
know
that
their
scope
to.
If,
if
the
frame
that
you
want
to
confine
is
making
requests
to
arbitrary
other
origins,
then
it
won't
get
Incept
intercepted
by
a
service
worker.
So.
D
D
Only
if
my
module
served
from
an
origin
that
is
different,
I'm,
providing
my
module
as
a
service
entry
point
for
consumers
to
use
off
of
my
service
and
I
and
while
that,
if
I,
if
that
was
a
service
worker
I,
would
have
had
control
to
ensure
that
nobody
injected
a
rogue
module
that
can
listen
to
anything
happening
with
trusted.
Think
import
map,
which
is
in
the
HTML
that
I
have
no
control.
C
D
C
D
Think
it's,
it
could
be
better
phrased
that
it
can
only
be
intercepted
or
shadowed
or
overwritten
by
a
serviceworker,
hosted
and
and
provided
by
the
same
origin.
The
module
is
coming
from.
So
so,
if
I'm
offering
my
service
I'm
telling
you,
you
have
to
also
register
my
serviceworker
in
order
for
my
service
to
be
properly
serviced
to
your
page
and
there's
no
problem
in
having
multiple
service
workers,
because
each
one
of
them
has
its
own
unique
scope.
C
That
make
sense,
I'm
kind
of
imagining
a
there's,
a
hierarchy
of
authorities.
Here
you
know
in
our
usual
pattern,
where
the
HTML
page
is
the
one
that
gets
to
well.
The
user
agent
controls
the
entire
experience,
the
user
agents
choices
are
broken
into
what
add-ons
are
involved.
What
URL
is
being
fetched
that
delegates
to
the
contents
of
the
initial
page
that
delegates
to
some
combination
of
service
workers
that
loads
in
additional
scripts
that
loads
them
and
it'd
be
nice?
C
If,
if
the
web
could
provide
sort
of
a
coherent
ordering
of
who
gets
to
be
in
charge
and
who
delegating
to
whom?
And
it
sounds
like
with
the
serviceworker
api,
it
implies
that
that
there's
a
claim
that
says
the
origin
of
the
the
origin
of
the
resource
you're
pulling
in,
is
higher
priority
than
the
index
dot.
Html,
that's
making
the
script
tag
to
pull
it
in,
because
the
Service
Worker
that
setup
in
one
can't
don't
override
that,
but
but
really
that
first
HTML
page
is
the
primary
Authority.
D
A
D
D
However,
when
it
comes
to
a
resource
coming
from
the
origin
of
another
origin,
like
another
thing,
that
is
not
the
same
origin
as
as
as
that
of
the
index
that
HTML,
what
origin
has
the
same
and
the
the
priority
to
determine
how
it
could
locally
be
service,
shadowed,
morphed
or
whatever,
because
service
workers
are
not
meant
to
solve
importing
packages
from
different
origins
and
caching
them
in
a
way
that
is
ideal
to
mimic
NPM
packages
they
were
designed
for
caching,
because
application
cache
was
designed
for
something
else.
Apparently,.
C
A
B
B
D
I
would
be-
and
you
know
amazed
if,
let's
see
Safari,
oh,
they
did
actually
when
that
was
added
I'm,
not
sure,
but
I
would
still
be
amazed
that
it's
afraid,
for
instance,
allowed
it
to
actually
take.
You
know,
take
effect,
but
but
I
think
we
should.
We
should
be
really
concerned
that
an
article
in
a
blog
as
important
to
do
to
web
developers
for
adult
propping
up
expectations.
D
That
was
my
concern
really.
My
second
concern
obviously
is
STD
and
you
know
I
hope
we're
all
having
you
know.
You
know
you
know
if
he
is
something
good.
Anyone
or
the
fact
that
it's
actually
a
scheme,
not
maybe
some
non
non.
You
URL
specific
feature
like
like
import
being
used
here,
and
you
know
at
some
point.
They
were
thinking
that
import
would
be
the
scheme,
so
how
does
it
work
if
my
import
map
says
I
should
use
import
in
order
for
me
to
use
the
bare
specified?
D
D
I
was
a
this
was
the
only
thing
that
was
brought
to
my
attention.
Okay,
you
know
because
I
somehow
I
had
my
notifications
on
and
I
saw
that
they
were
concerned
and
note
in
some
threads
because
no
does
not
use
a
prefix.
We
thought
about
the
idea
of
the
prefix
in
me
avoided
using
it,
because
we
came
to
very,
very
reasonable
conclusions
that
once
you
make
this
a
URL,
you
have
to
think
of
all
the
cases
where
this
will
not
be
filed,
and
this
will
be
something
that
is
potentially
a
URL
on
some
operating
system.
A
B
B
B
D
Yeah
so,
hopefully
down
the
road
like
like
I'm.
Actually,
this
came
at
a
perfect
time.
I
was
trying
to
build
the
case
of
how
to
safely
create
a
way
to
expose
built-ins,
and
this
just
came.
You
know
at
the
height
of
me
thinking
about
it
today
so
but
then
the
real,
hopefully
I'll
have
something
more
tangible.
B
E
D
E
D
Yeah,
so
so
so
I,
but
but
but
in
all
fairness,
there
are
a
lot
of
merits
on
what
import
maps
can
actually
solve,
but
but
they
are
not.
They
are
not
ready
to
be
piggybacked
on
in
a
post
meant
to
get
web
developers
to
think
of
things
as
they
are
ready
to
be
used
in
the
browser's
like
this
venue.
It's
very
wrong
for
this
kind
of
debut
of
this.
E
Be
home
I'm
wondering
if
the
the
thing
you
just
just
by
kind
of
skimming
at
us,
it's
kind
of
flown
by
there
that
this
is
kV
storage
thing?
Is
it
the
people
who
are
doing
this?
They
really
just
don't
give
a
crap
about
import
Maps.
They
just
want
to
do
their
KB
storage
thing
and
somehow
they've
entitled
them.
E
D
B
B
B
So
let's
see
okay.
So
the
context
here
is
that
kate
has
created
two
repositories
that
are
intended
to
be
extremely
simple
example,
basically,
as
simply
as
simple
as
possible,
while
still
having
enough
structure
to
explore
the
differences
between
the
approaches,
she
wrote
a
little
to-do
application
using
a
very
small
number
of
dependencies
and.
B
D
B
Okay,
that's
that's
fine,
okay,
so
so
the
the
index
dot
JSP
to
do
repository
is
you
know
the
main
is
that
is
the
top
level
of
the
application
itself
and
the
legacy
one
is
the
one
that
is
written
to
use
existing
Global's
and
packages.
So
in
particular,
there's
already
an
NPM
package
called
minimus,
an
NPM
package
called
chalk
and
an
NPM
package
as
read
line
new
I.
Don't
remember
that
one.
B
Okay,
I
haven't
been
paying
attention
to
read
lines
in
any
case,
I'm,
so
shocked
and
minimis,
or
what
I've
been
paying
attention
to
and
then
chalk
in
turn
makes
use
of
a
an
NPM
package
called
supports
global.
So
let's
take
a
look
at
that.
A
A
E
A
B
B
I'm
I'm
I'm,
sorry
I,
am
I,
am
being
mean,
coherent,
well,
I'll
say
with
our
member
and
Kate.
You
can.
Why
don't
you
project
the
code
if
it's
relevant
chalk
depends
on
supports?
Color
supports
color,
uses
the
process
module
and
the
OS
module
in
a
trivial
way
to
figure
out
whether
it's
on
a
platform
that
supports
color.
B
And
so
in
so
the
legacy
version
of
length
of
the
to
do
the
the
the
version
of
the
to
do
that
uses
legacy
code.
It
uses
the
existing
NPN.
Things
does
a
require
of
FS,
which
is
the
FS
that
comes
from
node
and
then
minimis
chalk
and
read
line
that
come
from
NPM
or
does
read
line
come
the
read
line
comes
from
NPM
and
then
does.
A
A
A
B
A
B
B
Without
the
manifest
as
something
that
has
the
normal
XS
privileges
violates
Polo
all
over
the
place
or
when
run
in
an
SES
environment,
with
the
manifest
and
a
safe
module
system
that
honors
the
manifest
that
the
manifest
says
for
the
resource
modules,
what
to
give
each
resource
module
and
when
it
mentions
a
name.
What
to
map
that
name
kit.
B
So
when
supports
color,
we
recognize
that
there's
two
ways
in
which
a
resource
module
obtains
resources
that
we
need
to
manipulate
at
initialization
time.
The
Danae
editor
that
it
obtains
resources
at
initialization
time,
which
is
the
thing
that
makes
it
itself
resource
module,
which
is
by
import
or
require.
B
So
this
is
saying
when
supports
color
imports
OS
instead
of
giving
it
what
would
normally
be
named
OS
give
it
the
thing
we're
naming
Aalto
LS,
and
this
is
where
there's
clearly
some
overlap
between
what
we're
trying
to
do
and
what
the
import
map
that
we
were
just
looking
at
is
trying
to
do,
and
we
need
to
at
some
point
think
about
how
these
things
relate
to
each
other.
But
let's,
let's
not
go
into
that
today
or
not
go
into
it
now
and
then
the
other
one
is
the
Global's
supports.
Color.
B
B
It
populates
the
global
variable
process,
with
the
default
export
from
the
module
alt
process,
and
then
all
of
these
alt
things
alt
FS
all
to
OS
and
alt
process
are
things
that
we
wrote
as
attend
as
as
resource
modules
that
are
attenuations
of
other
resources.
So
alt
FS
is
an
attenuation
of
the
built
in
module.
B
E
B
B
That's
exporting
a
pure
function
where
the
pure
function
goes,
takes
an
FS
as
an
argument
and
produces
a
and
attenuated
FS.
So
because
it's
doing
it
all
at
runtime
with
arguments
attenuate
FS
is
itself
pure
and
then
alt
FS
wraps
the
ten
u8f
s
such
that
alt
FS
is
itself
a
resource
module
because
it's
obtaining
the
resource
FS
and
it's
exporting
the
attenuated
resource
as
the
export
of
the
module
itself.
So
it's
being
a
module
that
exports
a
resource
itself
is
a
resource
module.
B
Okay,
so
what's
going
on
with
this
ten,
you
eight
FS
is.
It's.
Is
it's
a
very,
very
special
case?
It's
because
we're
starting
with
this
simple
as
possible
example.
It's
just
doing
the
attenuation.
That's
needed
for
this
one
example,
which
is
to
export
something
that
looks
like
FS,
except
it
only
honors
the
requests
to
FS
that
we
know
this
application
uses,
which
is
that
it
opens
a
file
name
to
do
dot
txt
and
the
only
things
it
does
with
that
file
is
append
to
it
and
read
from
it.
So
with
this
attenuator.
B
D
Can
I
ask
a
question
at
this
point,
so
so
so
obviously
it
is.
It
is
correct
that
when
you
try
to
use
something
for
a
purpose
other
than
what
was
expected
when
you
asked
for
it,
then
here's
where
you
interject
my
my
my
my
question
here
would
be:
what
is
the
appropriate
way
to
interject?
Are
you
going
to
throw
you're,
not
allowed
error,
or
are
you
going
to
throw
an
error
because
the
operation
occurs
on
an
undefined
thing
because
it
was
not
requested,
so
it
does
not
exist
so.
B
So
yeah
we've
bought,
so
both
options
are
possible.
It's
up
to
yo.
This
is
an
issue
of
what
we
want
to
recommend.
So
I'll
give
you
so
I'll
just
start
off
with
my
recommendation,
which
is
that
this
thing
is
written.
The
way
it
should
be
written,
which
is
everything
that
it
doesn't
do,
is
absent
in
terms
of
method
names
and
for
attenuations
that
go
beyond
the
presence
or
absence
of
method
names.
It
throws
an
error.
B
Javascript
code
is
already
used
to
what's
called
a
feature.
Testing
style,
which
is,
as
some
api
is
upgraded
with
new
features.
The
new
features
are
expressed
as
new
methods
and
then
code
adapts
to
the
presence
or
absence
of
features
by
testing
for
the
presence
or
absence
of
the
method
names.
This
is
kind
of
going
in
the
reverse
direction,
which
is
rather
than
providing
something
with
new
names
that
something
could
test
for.
B
E
That
yeah,
they
think,
there's
an
open
design
question
about
what
the
failure
goals
are,
because
if,
if
what
you're
trying
to
do
in
the
event
of
a
failure
is
to
figure
out
what
did
you
miss
configure
in
your
attenuation
implementation?
Something
like
that?
That's
one
thing
and
that's
definitely
going
to
be
a
concern
at
development
time.
E
E
B
All
right,
that's
good!
That's
good!
If
I'm,
given
a
logger
from
giving
access
to
a
logger,
I'm
gonna
go
ahead
and
use
it,
but
if
I'm
not
given
access
to
a
logger
I,
don't
want
to
to
fail
as
a
result,
I
want
to
adapt
to
that.
Let
me
give
a
somewhat
different
example
that
that
takes
us
through
sort
of
the
logic
of
the
transition
between
versions,
that
this
whole
polar
thing
is
trying.
The
polar
combined
with
tofu
is
trying
to
catch,
which
is
in
version
one
of
a
module
of
a
package.
B
B
D
E
E
Sounds
like
their
recipe
for
a
kind
of
latent
malware
thing.
Where
we're
you
know,
it's
basically
the
the
monster
in
the
cage
and
it's
constantly
testing
whether
the
cage
is
locked
or
not,
and
as
long
as
the
cage
stays
locked.
Everything
is
fine,
but
if,
for
some
reason,
somebody
at
one
day
accidentally
leaves
the
cage
unlock,
the
monster
gets
out.
I
think.
E
E
I
think
that's
a
fair
point,
I'm
just
wondering
if
there's
some
intermediary
failure
mode
where
it
looks
like
you're
doing
feature
testing,
but
behind
the
scenes.
It's
logging,
the
fact
that
hey
this
thing
is
doing
a
lot
of
feature
testing
but
I.
Don't
that's
just
a
special
case
of
something
more
general
and
I
think
what
you're
arguing
is
well,
we
can't
detect
the
more
general
case
of
somebody,
who's
really
clever
and
subtle,
and
so
why
bother
with
this
special
case
and
I?
Think
there's
a
lot
to
that
argument.
Yeah.
D
D
B
So
here's
why
try
catch
in
try
catch
as
you've
written?
It
is
a
very,
very
bad
way
to
feature
test,
which
is
it
might
be
that
the
feature
actually
does
exist
and
you're
using
it
in
a
buggy
way
or
the
feature
itself
is
buggy
and
using
try
catch
to
test
you're.
Going
to
confuse
the
bug
with
the
absence
yeah.
D
D
People
like
to
do
undefined
I
like
to
sorry
like
to
do
this
I
like
to
do
equals
function,
because
if
it's
an
object,
it's
not
the
trusted
thing.
I
thought
it
was,
but
but
here
I'm
I'm
really
try.
Caching,
because
trusted
think
and
throw
because,
because
the
user
is
not
privy
to
using
trusted
thing
because
he's
not
a
trusted
user,
whereas
yeah.
D
Error
is
related
to
not
not
attenuation
effect,
but
rather
the
fact
that
the
service
itself
will
throw
an
error
even
if
trusted
thing
executed.
So
the
context
of
me
logging
to
the
user
or
showing
the
user
in
effect
of
why
that
code
fails
in
the
absence
of
this
is
contextual
not
not
because
attenuation
was
thought
about,
but
rather
because
trusted
thing
failed
because
of
a
business
domain
related
aspect.
B
B
B
Good,
this
is
what
I
was
expecting.
This
is
this
is
the
thing
that
I
had
remember,
that
I
was
looking
for
and
I
understand
why
it's
only
in
the
clean
one
and
not
the
legacy
one
now,
okay,
so
the
clean
chalk
is,
is
chalk
re-written
as
a
pure
module.
The
clean
supports
color
is
supports.
Color
rewritten
as
a
pure
module,
so
supports
color
as
a
pure
module.
B
Create
this
peer
support,
scholar
function,
widget
exports,
so
since
it's
only
exporting
a
peer
function
in
itself
is
pure.
It
takes
a
oh
s
and
process
which
is,
which
is,
can
be
the
attenuated
OS
in
process,
but
it's
taking
them
as
arguments
rather
than
assuming
them
as
Global's
or
as
modules,
and
then
it
only
does
with
those
things
those
things
that
are
analogous
to
our
previous
attenuation
now
a
conversation
that
I
had.
B
I,
don't
remember
with
whom,
but
a
conversation
that
I
had
pointed
out,
that
the
clean
form
being
shown
here
is
actually
intermediate.
Yes,
that
was
okay,
that
was
Brian.
So
that's.
This
is
sort
of
medium
clean,
because
it's
still
assuming
that
the
that
we
have
the
attenuated
OS
and
process
as
opposed
to
rewriting
the
whole
thing.
The
way
one
would
have
written
it
for
a
capability
language
in
the
first
place.
B
D
B
C
B
Okay
and
then,
and
then
over
here,
we're
only
using
OS
release
sub
to
look
oh
I'm,
sorry,
OS,
release,
sub
0
and
sub
2
I.
Don't
remember
what
those
re
then
anymore!
It
doesn't
matter
and
then
process
dot
so
from
process
we're
actually
using
a
few
things,
and
so
now
it
become
a
API
design
issue,
whether
how
how
these
things
are
bundled
together
into
some
more
coherent
objects
rather
or
whether
they
are
would
actually
be
a
bunch
of
separate
parameters
which
would
be
unwieldy.
B
B
B
Yep,
so
this
thing
is
both
doing
a
bunch
of
wiring
up
here
that
is
analogous
to
the
wiring
that
legacy
to
do
expresses
declaratively
in
the
manifest
file,
and
it's
also
doing
a
bunch
of
startup
logic
in
the
rest
of
it
down
here.
So
this
is
a
Kate's
clean
to
do,
and
Brian
and
Dan
Connolly
got
into
interesting
discussion
about
where
this
wiring
should
be
expressed.
If
one
is
in
a
clean
world
of
only
pure
modules
and.
B
B
The
so
so
one
of
the
things
that's
pleasing
about
the
approach
we
saw
in
the
legacy
repository
is
that
by
pulling
out
all
code
expressing
interesting
logic,
interesting
behavioral
logic
in
two
separate
modules,
the
remaining
residue
of
wiring
of
those
top-level
knowledge
modules
could
be
expressed.
Declaratively
and
it's
nice
that
it
can
be
addressed.
Declaratively
and-
and
it's
potentially
a
useful
that
we
know
that
it's
expressed
in
a
analyzable
manner.
B
B
That
is
basically
just
using
a
subset
of
Jesse
that
essentially
can
just
can
just
can
just
expresses
scoping
and
function
calls
and
the
export
of
a
pure
function
that
takes
two
arguments
off,
require
and
auth
global,
where,
where
here's,
where
we
still
have
an
issue
of
bridging
to
the
legacy
platform,
which
is
any
capability
programming,
language
has
to
cope
with
the
issue
of
how
to
represent
the
processes.
Initial
Authority
and
Daria.
If
you're
still
on
yeah
I
see,
you
are
very
much
like
your
feedback
about
how
wyvern
Koch's
with
the
initial
authority
problem.
B
It
obtains
some
of
those
initial
authorities
by
using
the
namespace
packaging
of
those
initial
authorities,
it
attenuates
them,
and
then
it
wires
up
the
attenuated
authorities
and
the
the
the
the
the
application
of
the
initial
module
functions,
the
pure
function
to
make
module
instances
and
wires.
All
of
that
together.
So
that's
what
this
code
is
showing
and
Darr
you
have
you
have
you
guys
faced
us
with
wyvern.
A
Yes,
we
did.
Our
solution
was
well
so
far.
We
were
either
having
the
main
module
so
where
everything
starts
or
having
having
a
module,
that
is
the
main
for
the
application
and
then
that
module
that
starts
on
the
top
level
and
then
all
of
this,
the
distribution
of
authorities
happening
inside
that
other
module.
So.
A
A
A
A
B
B
I've
also
taken
the
remainder
of
index
J
s,
which
is
in
common
with
the
legacy
form,
which
is
the
behavioral
startup
and
I
fold
it
out
into
a
pure
main,
passing
such
that
its
itself
now
expressed
in
a
cure
manner,
and
and
passing
it
the
part
of
the
wiring
that
it
needs
noticing
that
there's
another
thing
that
I
was
getting
that
we
were
getting
from
process
that
we
were
also
not
being
explicit
about,
which
is
the
Arg
V
and
somehow
again,
I
completely
missed
the
read
line.
I,
don't
know
how
I
did
that.
B
A
B
D
I
could
also
a
point
out
a
fundamental
behavioral
difference
between
the
two
wrapping,
the
instantiation
of
a
module
as
the
function
means
that
does
that
module
being
referred
to
does
not
instantiate
what
it
would
be
exporting,
but
only
exposes
the
factory
of
that
module
and
and
and
when
we
talk
about
the
semantics
for
static
imports
in
ASM.
You
know
moving
this
out
of
require.
D
B
The
fundamental
thing
is
that
independent
of
whether
its
express
with
require
and
exports,
or
whether
it's
expressed
with
import
and
export
independent
of
that
that
all
values
exported
are
pure
values
or,
more
accurately,
all
values
being
exported
are
purify.
Eval
use
such
that
all
values
being
imported
are
pure
under
the
assumption
of
a
pure
loader,
but
but
the
the
the
important
thing
is
that
we're
only
expressing
pure
values,
our
modules
are
only
trying
to
express
pure
values
and
then
all
of
the
wiring
up
of
anything,
that's
impure,
I'm.
Sorry,
that's
that's!
B
That's
a
resource
that
that
is
able
to
cause
effects,
or
that
contains
mutable
state.
All
of
that
wiring
is
now
reduced
to
the
previously
solved
problem
of
just
objects,
invoking
each
other.
Just
just
you
know,
just
runtime
parameter
passing
that
it's
not
that
that
there's
a
phase
of
that
that
happens
at
initialization
time,
but
there's
nothing
fundamental.
B
D
Yeah,
that's
a
really
good
way
to
frame
it.
Obviously,
I
wouldn't
be
able
to
do
that.
I
think
that
one
thing
we
learned
in
working
on
nodejs
modules
is:
it
seems
very
intuitive
that,
because
this
you
know
works
out
well
would
require.
Being
that
require
is
all
synchronous
code
locating
and
instantiating
is
all
happening
synchronously,
but
when
you
try
to
instantiate
what
would
be
a
require
module
in
a
ESM
graph,
you
hit
how
many
different
and
unexpected
problems
and
trying
to
decide.
When
is
the
right
order
of
actually
evaluating
the
synchronous
quality
out.
D
You
know
it's
actually
compounded
when
you're
trying
to
do
Interop,
where
it
will
be
transparent
to
use
ESM
imported
things
in
in
a
require
flashing
or
the
more
practical
one
which
is
the
opposite.
You
will
be
in
a
common
j/s
module
into
any
sm
one,
so
I'm
just
pointing
out
that
it's
it's
a
little
bit
unintuitive
that
that
the
kind
of
trouble
you
can
come
in
to
when
you
rely
on
on
how
things
work
with
require,
as
has
been
shown,
trying
to
create
some.
You
know
it's
trying
to
do
this
with
ESM.
B
B
There
doesn't
need
to
be
any
more
asynchrony
once
all
of
the
sources
are
local.
It's
only
the
import
expression
that
introduces
a
synchrony
into
any
of
this
and
the
import
expression.
Basically,
the
new
thing
that
it
loads
in
a
later
turn
is
itself
internally
subject
to
exactly
the
same
logic.
It
it
itself
doesn't
happen
until
all
of
the
transitive
dependencies
are
all
gathered
together.
So
all
of
the
initialization
can
happen
in
one
synchronous
term.
That.
D
That
is
a
very,
very
important
distinction
and,
and
it
does
solve
at
least
transparent
and
no
like
one
sided
internal,
you
know
importing
named
common
Jas
exports
that
are
statically
or
declaratively
predetermined
before
the
execution
of
the
synchronous
code
is
solved
by
looking
at
the
problem
of
evaluation
as
an
after
effect
of
all
the
asynchronous
resolution
that
needs
to
take
place.
That
is,
that
is
really
where
nodejs
hit.
You
know,
that's
the
end
of
what
no
Diaz
was
able
to
address
so
far
and
dealing
with
the
other
side
of
this.
D
But
you
know
people
want
to
also
import
a
package
and
not
know
that
it
has
been
upgraded
to
ESM
and
they
want
to
do
that
requiring
it
follow.
So
how
do
you
do
the
opposite
of
that,
and
that
is
where
things
start
to
get
very
messy,
because
this
and
the
fact
that
in
reality,
Colin
Jas
exports
are
a
dynamically
declared
thing
as
a
side-effect
of
the
code.
That
actually
runs
that
that
that
is
a
you
know
a
given
here.
So
those
have
been
problematic
so
as
it
relates
to
the
cold
here.
D
In
this
particular
example,
I
think
wrapping
everything
as
a
function
that
requires
to
be
executed.
Synchronously,
to
evaluate
dependencies
for
modules
before
those
modules
are
evaluated,
are
a
very
clean
way
to
to
draw
the
line
between
what
is
an
asynchronous
graph
operation
that
can
fail
the
entire
graph
and
what
is
a
synchronous
operation
that
will
only
fail
after
the
entire
graph
did
not
fail
and
being
located
at.
You
know
at
this
point.
A
B
B
So
the
question
is
really
whether
this
would
be
a
viable
split
in
wyvern,
so
I
take
it
in
wyvern
right
now.
The
practice
is
is
more
analogous
to
Kate's
index
Jas,
where
the
wiring
and
the
initial
behavioral
initialization
is
mixed
together
in
one
main
file,
one
one
main
module
so
that
that's
the
first
question
for
wyvern
it
was
the
we
did
have
that
mixing
in
both
en
Joey.
B
So,
in
the
other
version,
we've
got
two
files:
two
modules,
there's
pure
index,
J
s
that
just
expresses
the
top
level
wiring
and
is
following
a
discipline
of
staying
within
a
very,
very
small
subset
of
JavaScript,
for
which
there's
there's
as
long
as
you're
guaranteed
that
you're
in
that
subset.
There's
a
lot
of
you
know
things
you
could.
B
B
B
B
A
D
I,
don't
know
if
it
helps,
but
typescript
has
built
a
lot
of
momentum
in
statically
typing
JavaScript
files
recently,
so
it
used
to
be
typescript
only
like
typescript
ones,
but
they've
done
a
lot
of
work
to
actually
bring
type
support,
Jas
pods
in
the
past
20
years-
and
it's
been
very
very
like
it's.
It's
been
surprisingly
accurate
with
very
little
tight
annotations
jeaious
dogs
to
actually
be
able
to
infer
what
you're
doing
here
with
pure
index.
Okay.
B
B
D
This
format
can
I
see
the
other
code
just
for
a
second
yeah
sure
I'll
to
try
to
you
know,
compare
with
more
contacts,
yeah
I
again,
I,
don't
see
anything
in
here
that
is
going
to
make
typescript
choke
other
than
the
fact
that,
because
because
you
have
a
lot
of
functions
here
in
this
in
this
file
like
arrow
functions
that
have
arguments
that
are
not
being
predictably
typed,
so
there's
no
implicit
type
for
to
do
it's
typed
any.
D
D
Typescript
was
designed
to
only
infer
from
what
it
knows
it
does
not
necessarily
I,
don't
think
that
it
it
in
first
to
do
to
be
a
string
because
you
used
it
in
a
template
string
it
just
it
will
just
infer
that
it
would
be
coercive
all
to
a
string
at
the
very
least
if
it
even
did
that
I
think
it
will
likely
infer
to
do
to
be
statically
typed
as
any
so
without
type
annotations.
Here,
both
formats
would
be,
or
with
or
without
type
on
the
patient's.
D
Both
of
them
will
require
the
same
amount
of
additional
work,
the
exact
additional
annotations
for
typescript
to
function
here.
So
if
we're
talking
about
a
typing
static,
typing
mechanism,
other
than
types
credit
that
does
not
require
the
padding,
then
it
will
likely
be
hit
the
same
way
in
both
times
and
I
could
be
wrong.
Okay,
actually,.
A
I
thought
about
this
a
bit
more
I
think
in
wyvern
the
second
version,
the
version
that
mark
wrote
would
be
beneficial
because
if
you
put
everything
at
the
top
level,
so
we
care
about
what
kind
of
authority
what
kind
of
resources
each
module
could
access.
So
if
it's
written
the
first
way
when
everything
kind
of
bunched
together
along
with
all
the
methods.
So
it's
not
that
useful,
because
we
look
at
the
main
and
we
know
that
main
has
access
to
all
resources.
So
there
is
not
much
that
we
can
say
about
it.
A
Try
to
just
yeah.
We
have
access
to
everything.
If
you
put
it
in
a
separate
module,
then
the
number
of
resources
that
that
module
can
access
in
this
case
say
the
pure
main
right.
So
now
we
can
see
that
there
are
only
three
specific
resources
that
can
be
accessed
so
that
kind
of
narrows
the
scope
and
then
it's.
A
It
should
be
easier
to
reason
about
the
program
in
that
way,
because
now
we,
if
there
is
a
method
that
is
called
from
pure
mean
it
could
use
only
one
resource
and
not
all
of
them,
and
then
we
also
know
from
the
beginning
that
pure
main
has
access
only
to
three
particular
resources
and
not
everything.
Ok,.
B
Good
good,
so
let
me
let
me
try
restating
that
in
a
way
the
may,
the
the
real
the
startup
logic
has
to
be
given
tremendous
amounts
of
authority
and
therefore
the
startup
logic
is
itself
a
point
of
tremendous
vulnerability.
If
we
misunderstand
what
it's
doing
and
therefore
we
would
like
the
startup
logic
to
be
analyzable
with
confidence,
so
by
pulling
all
the
behavioral
logic,
which
is
arbitrary
code,
which
is
therefore
runs
into
all
the
undecidability
properties
that
prevent
us.
B
C
C
Part
of
what
I
was
expressing
to
mark
the
other
day,
there's
kind
of
a
top-down
versus
bottom-up
issue
here
and
I
keep
thinking
about
what
the
ecosystem
looks
like.
How
is
the
work
done
to
analyze
any
one
of
these
attenuations
going
to
be
shared
from
one
program
to
another
and
doing
everything
up
at
the
top
level?
Here
it
feels
like
the
size
of
this.
This
start
up.
C
Wiring
thing
is
going
to
scale
linearly
with
the
total
amount
of
code
in
any
given
application,
and
it
feels
like
the
author
of
the
application
is
the
one
responsible
for
doing
all
of
that
work
that
there's
not
in
this
approach
a
good
way
of
sharing
that
or
delegating
that
to
somebody
else
who
has
done
a
subset
of
the
work
already
and
a
thing,
but
I
guess
a
lot
of
it
depends
upon
this
top-level
wiring
who's.
Who's.
Writing.
B
That
are
really
considered
to
be
just
the
business
of
the
author
of
that
unit
that
it
contains
particular
sub
units
that
it
could
contain
similar
wiring
logic
for
further
dividing
the
authority
that
it's
giving
that
it's
given
for
further
subdividing
it
and
handing
it
out
to
subunits
that
are
purely
internal
to
it
and
I
want
to
call
call
example.
A
very
nice
concrete,
a
very
nice
concrete
example
with
this,
which
is
a
truck
versus
supports.
Color,
there's
two
ways
within
this
formalism
and
and
there's
actually
an
earlier
I.
B
A
B
And
both
styles
are
called
for,
I
would
say
the
style
was
seen
here
is
what
I
think
of
as
the
jetpack
style
I
had
just
for
context.
Here.
Brian
did
work
on
at
least
authority
module
system
for
Firefox
extensions
named
jetpack,
and
it
was
very
much
what
I
think
of
what
I
mean
by
I.
Think
of
this
style
as
the
jetpack
style
is
that
the
attenuation
and
the
attenuated
form
were
created
outside
the
module
that
was
given
the
attenuated
form
yeah.
C
B
The
other
form
that
I
was
mentioning
where
pure
chalk
would
be
invoked
with
OS
release
and
all
process,
and
then
then
it
would
be
purely
internal
to
it
that
it
would
use
those
to
instantiate,
support
scholar
and
then
make
use
of
that
is
more
like
the
style.
I
was
using
an
e
where
responsibility
was
more
subdivided
and
and
the
further
division
of
authority
was
happening
down.
The
hierarchy
was
less
flattened
out
into
a
top
level.
C
Yeah
I
think
I
should
send
out
pointers
to
the
write-up
that
I
did
on
that
on
the
jetpack
work,
because
it's
it's
really
what
shapes
my
thinking
every
time
we
talk
about
this
stuff
and
in
that
one
modules
are
indicating
what
they
want
with
regular
import
statements
and
there's
a
an
auditor
of
some
sort.
There's
an
in
the
case
of
Firefox
add-ons.
There
are
reviewers
that
decide
whether
something
should
be
published
in
the
gallery
or
not
and
they're
the
ones
that
have
the
responsibility
of
making
sure
this
add-on
is
going
to
make
people
happy.
C
You
know
they
read
a
description
of
what
it's
going
to
do
and
they
want
to
know
it's
really
going
to
do
that
and
not
something
else
surprising
and
and
in
that
world
there's
you
know
the
end
user
that
ultimately
has
the
power
over
their
computer
and
what
software
they
run,
but
they're
delegating
a
lot
of
that
authority
off
to
somebody
like
the
add-on
gallery
reviewers
in
that
they're.
Getting
this
trusted
statement
from
those
review
that
says.
If
you
install
this
add-on,
it
will
behave
in
this
particular
way
and
that
conclusion
is
drawn
by
analyzing.
C
The
modules
and
a
lot
of
the
work
of
trying
to
attenuate
these
modules
is
to
reduce
the
amount
of
work
via
the
analysis
that
the
auditors
have
to
do
and
to
let
them
amortize
that
over
multiple
add-ons
that
share
the
same
components,
and
it's
that
that
sharing
you
know
in
this
scenario,
it's
it
that
mark
is
showing.
It
is
an
application
author
that
is
making
the
decisions
about
how
these
things
are
wired
together.
C
D
C
C
D
C
Yeah,
please
actually
let
mark.
Let
me
just
have
you,
can
you
do
a
search
for
github
jetpack
module
Warner
or
get
up
yeah
you're
not
become
slash.
Warner
I
just
want
to
make
the
URL
available
to
folks.
So
you
can
take
a
look
at
my
write-up
and
it's
somewhere
under
that.
C
B
C
A
D
D
C
C
D
Yeah
I
was
actually
muted
and
started
talking
so
so
so
I
know
that
we
don't
like
to
think
of
things
that
are
not
standard
syntax,
but
I
I
was
thinking.
It
was
ridiculous
idea
that
I
am
importing
FS
right.
Let's,
let's
change
this
to
AB
that
and
because
I'm
using
require
syntax.
This
actually
looks
like.
D
D
D
It's
only
promise
they
sync
versus
the
async,
the
conventional
async
of
FS,
and
require
a
code
without
without
analyzing
to
actually
make
sure
that
you
catch
every
single
reference
that
will
hit
FS
even
indirectly
for
static
typing
that
that's
that's
critical,
because
not
all
references
to
FS
will
be
this
clean
FS
can
be
mangled
and
passed
around
and
you
know
which,
which
one
is
that
kind
of
thing
and
eventually
also
so.
You
need
really
good
static
analysis
of
code
to
infer
what
would
have
been.
Maybe
a.
D
B
D
D
A
B
D
Yes,
here,
the
important
distinction
I'm
trying
to
get
at
is
that
whoever
makes
FS
is
best
suited
to
make
it
innovation
decisions
on
behalf
of
it
has
obviously
the
second
best
person.
Is
someone
qualified
to
do
that
as
a
third
party,
but
but
we
we
cannot
assume
that
most
people
are
willing
to
allow
third-party
attenuation
on
their
behalf,
because
a
node
it
makes
sense.
D
B
My
assumption
is
that
it's
universally
good
practice
in
object,
capability
systems
and
in
general
part
of
our
object
capability
systems
are
about.
Is
that
for
any
authority
you
have,
you
can
build
a
virtualization
of
it?
That
is
whatever
attenuation
of
it.
You'd
like
to
express
then
provide
that
attenuation,
rather
than
the
original
and
there's
thinner
there
is.
You
know
we
could
talk
about
branding
or
crepe
marking
and
nominal
typing
as
ways
to
check
that
something
is,
is
a
genuine
original
of
it,
but
that's
the
exception
rather
than
the
rule.
C
Think
that
a
way
to
think
of
this
is
about
so
you
have
code
written
by
person
a
and
at
some
point
in
the
future.
That
code
is
going
to
interact
with
code
written
by
person
B,
and
they
each
have
some
interests
that
you
have
some
agency.
They
each
have
some
some
communication
channels.
They
have
ahead
of
time,
but
then
you
kind
of
send
the
programs
off
on
their
way
and
sooner
or
later
they
run
into
each
other
and
whatever
happens,
happens
and
and
I
keep
thinking
about.
C
You
know
who
has
the
motivation
to
improve
the
security
of
these
things
and
person
a
is
giving
power
to
the
code
written
by
person
a
is
giving
power
to
the
code
written
by
person
B
and
at
what
point
do
they
get
to
to
have
agency
about
how
much
power
they're
actually
giving
to
them
when
one
problem
I
have
with
this
approach?
That
you're,
showing
here
is
at
least
in
the
jetpack
world
I,
didn't
assume
that
there
would
be
any
useful
attenuation
to
be
had
on
a
smaller
smaller
than
a
module
basis.
C
Like
I
guess,
a
module
could
be
specifically
designed
to
export
to
different
things
as
a
sort
of
convenient
bundling
of
them.
But
I
was
hoping
that
people
would
write
to
two
modules
in
that
case,
and
so
you
get
access
to
a
module
or
you
don't
and
we
don't
try
to
go
and
figure
out
what
you're,
using
from
the
module
in
order
to
apply
kind
of
automatic
continuation.
A
B
C
C
Sure
so
I
mean
a
bunch
of
this
in
the
jetpack
context,
it
was
here's
a
configuration
of
code.
What
can
we
say
about
it
that
will
improve
the
safety
properties
or
improve
the
chances
that
it's
going
to
do,
what
the
end
user
wants
it
to
do,
and
what
what
you
have
access
to
at
that
time
is
the
wiring
between
these
different
modules
and
conclusions
that
have
been
drawn
about
the
behavior
of
those
modules
that
somebody
else
wrote
down
the
last
time.
C
When,
when
you
have
an
opportunity
to
look
at
the
behavior
some
code,
then
you
can
make
more
fine-grained
decisions,
but
if
those
decisions
can't
be
saved
and
used
again
on
something
that
mostly
overlaps
with
the
current
one,
then
then
you
can't
amortize
that
work.
You
can't
amortize
that
analysis
work
and
take
advantage
of
it
again
later.
D
C
You
know
you
think
about
this.
You
might
think
about
this
as
I'm
thinking
about
running
a
program
that
somebody
has
supplied
to
me.
I
go
to
my
local
expert
and
I
say
please,
review
this
program
and
tell
me
whether
it's
going
to
do
what
I
want
it
to
do.
Does
it
represent
a
risk?
Is
it
going
to
to
do
something
against
my
wishes
and
then
tomorrow,
I
have
another
program
that
has
a
lot
of
overlap
with
this.
One.
Do
I
need
to
tell
my
expert
to
do
all
of
that
same
work
again?
C
C
C
So
a
lot
of
the
the
design
work
was
around
this
a
tool
that
all
of
these
reviewers,
the
the
gallery,
maintainer
z--,
could
use
to
share
their
conclusions
about
the
components
that
went
into
the
gallery
and
encourage
people
go
and
reuse
stuff
because
it
had
already
been
reviewed
and
and
and
meet.
It
met
some
some
description
of
what
it
was
supposed
to
do
and
those
reviewers
should
be
able
to
push
back
and
they
can
say.
Yes,
you
know
this
chalk
module
does
what
it
says.
C
Then
that's
now
visible
in
this
analysis
tool
and-
and
somebody
can
say,
Oh
any
application
that
only
needs
to
know
that
that's
dependent
upon
the
OS
module,
but
it
really
only
needs
to
know
the
name
of
the
platform
that
you're
on
should
really
be
depending
upon
this
other
thing
and
then
that's
the
sort
of
a
search
query.
You
ought
to
be
able
to
apply
the
database
that
this
analysis
tool
is
providing
to
say
Oh.
What
are
other
modules
that
are
using
this
big
one?
D
B
However,
if
you
multiply
instantiate
something,
then
you've
got
the
identity.
Discontinuity
problems,
if
the
the
world
of
one
instance
interacts
with
the
world
of
another
instance.
So,
for
example,
if
a
one
of
the
one
of
the
things
that's
within
the
making
function,
there's
a
class
declaration,
then
every
time
you
invoke
the
making
function,
your
reevaluating,
the
class
declaration
you
get
a
distinct
class
in
instances
of
one
of
those
classes-
is
not
an
instance
of
the
other.
B
If
you
move
the
class,
if
the
class
is
pure
and
therefore
you
can
move
it
outside
the
making
function,
then
you
can
avoid
the
identity
discontinuity
because
they
all
have
the
same
identity.
But
it's
still
the
case
that
anything
stateful
must
be
multiple
intentional,
so
that
was
that
was
the
case
in
e
I
argued
for
that
being
the
case
in
ACMA
script
modules,
the
original
form
of
the
Chris
qual,
hija,
broad
proposal
for
standard
modules.
That
became
common
jeaious
modules.
They
have
this
multiple
instantiation
aspect,
I.
C
Mean
I
guess
the
the
benefit
of
making
a
function
pure
in
X.
You
know:
if
a
module
only
exports
a
pure
function,
then
from
an
authority
analysis
point
of
view.
You
could
ignore
it
right.
It
can't
add
any
new
authorities
from
a
behavior
analysis.
Point
of
view,
it's
still
useful
to
look.
Look
at
that
module
will
figure
out
what
it's
going
to
do.
Write
down
a
note
about
what
it's
going
to
do
and
then
use
that
note
again
tomorrow
when
you're
reviewing
something
that's
using
that
same
module
yeah.
C
So
it's
it's
still
nice
that
it
has
an
identity
that
you
can
reference,
even
though
it
doesn't
have
any.
It
doesn't
come
with
any
authority
if,
if
your
module
graph
is
built
up
of
resource
modules
that
are
each
providing
some
authority
to
anybody
who
manages
to
import
them,
then
that's
a
bit
of
this.
C
This
graph,
that
the
analyst
can
can
pay
attention
to
and
record
and
then
when
they
have
one
module
that
imports
a
couple
of
resource
modules
and
has
a
note
that
says:
I
claim
that
I
am
attenuating
the
authority
of
these
other
modules
to
produce
some
new
products
that
are
that
that
another
module
above
me
can
consume.
That's
another
kind
of
analysis
you
can
do
and
you
can
you
can.
C
You
can
check
that
off
as
saying
yes,
yes,
based
on
my
understanding
of
this
code,
this
particular
module
will
provide
the
limited
authority
it
claims
it
will
and
that
becomes
a
bit
harder
to
work
with.
If
all
that
thing
is
doing
is
providing
a
pure
function,
because,
yes,
it
doesn't
have
any
authority
which
means,
wherever
you're
there
doing
that
the
analysis
about
who
gets
that
Authority.
That
analysis
has
to
happen
somewhere
else
and
that
analysis
may
be
taking
place
inside
a
parent
module.
C
That's
invoking
the
pure
function
and
rearranging
it
somehow
which,
which
means
it's
not
getting
its
authority
from
the
peer
module,
it's
getting
it
from
something
else,
probably
something
bigger
with
higher
amounts
of
authority
to
it.
So
it's
kind
of
like
you,
you
you
you
things
are
now
more
coarse
and
you
don't
have
as
many
different
places
to
go
and
write
down
these
notes
about
what
the
behavior
was
so.
B
The
concerns
that
you're
trying
to
address
don't
all
of
those
concerns
are
not
just
concerns
at
initialization
time.
Among
modules,
community
review
is
just
as
relevant
to
say
the
following
class
that
only
exists
at
run
time
or
the
following
function
that
only
exists
at
run.
Time
has
parameters
that
are
asking
for
objects
that
are
much
more
capable
than
what
it
actually
needs
and
should
actually
be
asking
for
this
much
more
limited,
yeah
young
type.
A
B
And
the
same
community
review
of
the
division
of
authority
that
happens
at
initialization
and
the
demand
for
authority
that
needs
to
be
accommodated
and
in
this
transaction
sure
is,
is
not
fundamentally
different
than
the
candidated
review
of
AP
is
in
general,
both
what
is
provided
and
what
is
demanded.
I.
C
I
think
that's
right.
I
don't
currently
know
how
to
had
a
reason
about
how
to
do
that
review.
When
the
asks
you
know
the
the.
What
does
a
given
piece
of
code?
What
does
this
author
want
to
get
access
to,
or
what
does
the
author
believe?
Their
code
needs
to
do
the
job
that
it's
claimed?
It's
gonna
do
so
so
mark
and
I.
B
C
C
So
so
I'm
trying
to
turn
on
to
a
blog
post,
because
it
kind
of
ties
into
what
we
know
we're
doing
with
cess
and
patterns
for
instantiating
these
things
and
what
I'm
kind
of
recognizing
is
that
there
are
there.
Some
of
the
ways
of
asking
for
Authority
are
more
statically
obvious
than
others,
and
there's
this
this.
C
D
D
A
A
B
D
All
right
so
so
I
just
have
a
concern.
Can
you
hear
me?
I
have
my
thumbs
up,
because
I
can
hear
that.
Okay,
my
concern
is
that
when
a
function
goes
somewhere,
it
shouldn't
and
gets
executed
a
module.
Factory
is,
unlike
other
code
functions
and
it's
being
mistakenly
invoked
elsewhere
is
a
very
risky
territory,
but
it's
not
necessarily
wrong
to
have
module
factories.
It's
just
maybe
I'm
I'm
worried
about
wrongly
invoked
module
factories
not
being
as
damaging
as
wrongly
invoked
functions.
I
better,
not.
B
D
D
A
function
that
is
a
module
factory
being
invoked
from
the
error.
Good
yeah
is,
is
not
the
same
as
a
function.
That
is
just
a
function
being
by
error
because
of
a
bug.
The
concern
I
have
is
that
module
factories
are
indistinguishable
from
other
functions
that
are
being
called
in
the
wrong
place
because
of
bad
code.
D
D
Somebody's
playing
with
us
here,
okay,
so
I'm,
saying
that,
unlike
other
functions
that
exist
already
in
the
code,
this
new
module
factory
function
invoked
by
accident
in
the
wrong
place.
It
has
has
completely
different
concerns
attached
to
it
compared
to
other
functions
that
already-existing
code
and.
D
You're,
cutting
I
I,
don't
think
it's
it's
possible
to
make
this
less
confusing
with
all
the
interruptions.
So
maybe
we
can
adjourn.
B
So
follow
the
last
guy
I
think
we're
going
to
because
everything
was
working
recently.
I
think
we
get
Jen
soon
33
4,
but
just
to
I
think
this
last
question
is
worth
getting
your
answer
on
record,
though
so
I
asked
what
are
those
additional
concerns
because
I'm
seeing
them
different,
modulus
versus
arbitrary
function
and
then,
when
you're
hearing
I
was
seeing
a
microphone
I'd
go
up
and
down,
but
I
was
not
hearing
anything
and
now
I'm
gonna,
be
it.
D
Yeah
I
don't
know
the
concerns
are
the
unknown
concerns
that
come
from
new
functions,
mixing
with
code
that
it
would
before
them.
D
On
that,
then
my
perspective
and
my
thoughts
are
always
drawn
to
migration,
and
how
do
we
deal
with
the
pre-existing
code,
if
you
just
provide
less
capability,
then
I
think
that's
the
best
model
like
there.
The
interface
of
something
that's
already
been
written,
doesn't
need
to
change.
It's
just
that
an
extension
to.