From YouTube: SES-mtg: Compartment proposal for SES modules
A
C
D
D
So we had a call with EC 53 a couple weeks ago now, I guess a week and a half ago, where we, where Patrick introduced the work that we've been doing to implement compartments in the XS engine there are, and since then we got some feedback from Mark on a couple points that we have tried to address. And then, so there's a couple things. We can either start this by, if people aren't familiar with the compartment work that we've done, we can start this by going through kind of the big picture of.
A
D
So Moddable as a company is focused on embedded JavaScript, and so we are typically running on devices that have tens of kilobytes free RAM for execution and maybe a few megabytes of space to hold the code. So our, but we're running the same JavaScript language that you'll find in a web browser. So our runtime characteristics are remarkably different.
D
The Secure ECMAScript work is interesting to us because we very much want to be able to run third-party code inside of these small devices. So I did a talk this past weekend at Maker Faire, where I talked about installing our engine onto a light bulb to control that, and it works very nicely, but we'd like to be able to put third-party apps on there, for example, that can use the infrastructure of the light bulb in a, in a controlled way, but that they can run arbitrary JavaScript on there.
D
Otherwise, so the, the Secure ECMAScript work is, which solves that problem in a very elegant, very clean way, and so that's, that's very appealing. The challenge is, how do we run it efficiently? And so, rather than focusing on realms, which is, was kind of, I think, the starting point for a lot of this, we focused on compartments, which are morally somewhat similar, but not, but lighter-weight. Well.
A
A
So both compartments and root realms are kinds of realm, and the thing that we're doing, that you're doing, that Salesforce is doing, that Agoric is doing, is in the process of trying to have the support for compartments be divorced from the support for root realms, so that you're, when you're an environment where there's only a single root realm, that you can still have multiple compartments. Okay.
D
D
We, we really only use modules, we never use programs, and so everything is, everything's running in strict mode, everything's running inside a module, and so the original Secure ECMAScript work really didn't address how to load modules and, and how to restrict access to modules, and so that was something that, in the work on compartments, that Patrick added on top of that, and Mark gave us some refinements on in last week's meeting. So with that as background, Patrick, do you wanna.
C
What's important to remember is that this image contains all the buildings and so on and all the buildings are frozen so by nature. The way we are walking. It's like the beginning of the what you, you are talking about when you say that the to Builder as securing masculine ones, good ones, you need to close another monumental, that's down by the linker the way it's done by access for the multiple intact. So what, what I didn't a Patrol?
C
We want to go where we're arms. Sorry, my pronunciation of that word is terrible, but wow, okay, so I, I work. I worked on, on XS to add the idea of living, separate planning, contact, separate independent inside stream inside the same machine we didn't, I didn't try to implement the wrong stuff, because the one stuff start by repeated copying, duplicating the business and so on, and we really don't want to do when we saw so little cup.
C
The programming in the buffet is very for us to test and in no way isn't like what should be at the end or whatever. It's really like the to create a compartment. You use. The compartment comes filter which is more like the world car and anything else, meaning that it takes a home which is the module, the specifier of the module that will begin. The execution of the atom and donors is what you are familiar with.
C
It's the object whose properties are added to the global object of the compartment before to TMP object modules, and we will get there in more detail. Details later is an object that defined a whitelist of module at the compartment and teleport. The idea is that need some way to constrain what modules can import inside your compartment options are a lot like the world corruption, so the default for us access is type module because that's the only same spot, so I don't know. I scorn that yeah.
E
C
Some conventional properties- currently we can have all kind of simulates to be, I mean to be investigated. The when you will be when you create a compartment. You get an instance of compartment and this instance of compartment up to us to handle difficulties. The first one is named global and it's the global object of the compartment and the second one is nice code is named expert and it's the module, module namespace of the compartment.
C
C
Firstly, you can use compatible with step ahead global, global scope, so in Manorville baja I mean we talk about mud and up because that's that name like the up is basically the staff compartment. It's the it's. The is the same that long's the microcontroller that to the microcontroller and then we can load on the fly. What we called mod, which are typically something you want to find in the city to and compact, so.
A
C
So the stuff compartment cool, define, lives like same thing and then when we scroll and then, if you ate a compartment with mug just so that model before you come back with mark and then leaves if you test and then multiply by the test function inside the compartment twice and across the field are 0 0, 1, 1, those the club, X and globally increment function, separate, even they're separated globally. You know what you can, of course also is to share global.
C
C
C
A
C
C
So read from a module example: let's, let's say I'm, not you that we will use increment of jazz, which has a lot of evil acts and an explosion before Sam Sann that so bifel at some time. The compartments load module separately through compartment, if also separate modules, for instance, let's not just the module that will be important to mentor in cement and export function.
C
And then in the admin to be exact, same thing, involvement, one comment and if a test from, from that, then, if the, if the application is creating a new compartment with mud and execute the same test and then not exposed test, because that access to the test function to the module name space of mother, it will get 0, 1 1 the locals. In fact, the implement compartment has been loaded twice instance here twice, and so they are like separate X variable and separate increment, increment function.
C
C
Reloading module is part of that like a clean time, so before honey, a clean time, the XS linker, the module that are listed there and store there. So the bodies are executed at build time, but at some time, and so all those created object and program and some are stored in column distributing that by food there. So the yes.
C
C
So, even if they are not they, they cannot change so access as ultimately that if, if machine an engine is trying to change something that syndrome is not full, the object is automatically a last in ham, and so you can object all the closure is automatically Allison come on Tandy Tandy modified. So no, let's imagine that we build with in the instrument module reloaded so share and we have the exact same good before so.
C
The exact same module, important in math and fishing and same actual important in cement and tracing, and then also creating the compartment and execute inspected before. But now we have the three XS / 0 1 2 3, because the increment module is shared by the mod and, and so and the X variable, the, the initial version of it will be hot.
C
But since it's not, it's not a concern, the truth, there will be I asked in ham when it be modified, so that, that's this day's example with globals and modules to show that we can improve like separation and sharing using a total scope of the merchants. The, the next step is which, which yes exactly module maps, which means what we, what we pass to the compartment to constrain, which modules, modules can import it coming inside the compartment there, because I've discussed a lot about that and it's not over, but currently the, the compartment.
C
C
C
A
E
So I had a couple questions about this, namely, right now it takes strings as the values. So is it possible to share modules between compartments, and also what dude, if you're dealing with something that's not whitelisted? Is that something like a dynamic import, is that being booked at, at all? No.
C
C
C
C
So the trend, the of when you create a compartment, the map you pass, cannot, can only give access to module that the commend the compassion and can access itself. So you cannot, you cannot like give access to something you don't have access to, to be sure to enforce a transfer and that's new since last time you told pattern as his own compartment inspector, so there is like the compartment path.
C
You do not one explore Testament, which for test it start with the whole I will show and then for the one documenting means one and then become plus one for the one that ultimately, the this is more like. I mean it's motivate Academy same, but the, the fact is what's interesting is the discrete application as the possibility not only to restrict what Madame can do, but to really define an environment where, like the same, the same specifier get access to a different version of the same for coming in the face, and some.
A
C
C
I mean most, I mean most whatever, sometimes, if no evaluator, so the evaluation and so on, are just not there, but it's possible if you ever be issue ever a bigger microcontroller, and so we can of evaluator inside, inside XS. So for that, for that access try to implement what the math specified was.
A
Patrick, let me repeat the question here. So what we did in realms shim and the SES gem is that we gave each compartment its own function constructor and its own eval function, and as you're showing at the top of the shared screen here, the, we also replaced the, the built-in constructor that, the built-in shared constructor, but that the constructor property on function prototype points back to. We replace that with something that always throws your sh I did that for generator function, async function and async generator function.
A
What we did not do was create a separate / compartment evaluator for a generator function, async function, an async generator function, because those things don't have global names in, ECMAScript does not give them global name and therefore, there's no, there's no names in which to provide gun per compartment. Yes.
C
A
C
A
C
C
A
So the, the way I, I like to write down an indirect eval call to avoid having it look like a direct eval is my convention, which is ugly, is open paren, 1, comma, eval, close paren, open paren, quote, X plus plus, close quote, close paren. Expression surrounding the lookup of the lexical name eval, I've, prevents the, the overall function call from being parsed as a direct eval special for.
C
C
A
C
A
A
C
That's like instead, instead of even like the name of the property being an identifier, specifier and the value being path, we keep the name because that's the same that compatibly using their intro statement, so we keep the specifier and then this is replaced by a new back symbol like something is just a symbol that, that the compartment itself cannot know what it, what's inside. We try that to see if it works, if it still work and ever since they were so, there is no, there is no. No, there is no need for access to wave.
C
A
C
And so that, that way- and in fact I see that's even the version that crime he committed in the brain tree. So that's why it's with that that I tested this morning and, and so it's, so I'm not, I'm really not specialized about like I deem information and, and all those things so I. It's up to, I mean these cooking's going to tell me or to know more, because you know much more about this problem. The time that I do. But what I, I just wanted to show here is that each possible, like.
C
C
C
E
C
E
E
A
C
C
C
A
C
A
B
C
The only place where we defined what is share and not share is to be a bill time because to share no module. The linker means to execute its, its body at the time and, and that's that old module is share the end and so, but and but 20 I didn't provide any way from Batman's to know which module be share. Not if it is something that you believe and we can is another accessor to get live the list of the trade module and on the list of the.
C
B
Can, can I clarify my concern, or, or, or the scenario that I'm thinking of? I'm mapping app to a particular specifier and dot specifier has not been imported, and in one compartment in the map, I'm importing app, and app is importing something else that maps to a different specifier in that particular compartment. Does that affect which, which module app gets to receive? Just because the module map of the compartment modifies dispense of the particular, you know, specifier using its own map, or it does app get.
C
Doesn't change, I mean we can imagine query feature to change it from heap? Is insane so inside one compartment the exact same pattern, the same identifier will be always mapped to the same module, but you can create compartment that will be separate compartment that will access module a to the same module even on name of a different, different module with the same name and.
B
That module can be linked to a mapping from the original compartment from which it was created, you know, exposing a link from app to increment of a different module, you know, because it has already been instantiated. That's, that's what I, you know. Okay, I guess, I guess I, I need to go through the doc a little bit more to clarify the question, but.
C
A
A
Yeah, so, so, and the preload list is going to the system as a whole. So that's, that's basically where my concern is, that you might want a finer-grained share of instance linkage. In other words, you have a compartment A that loads increment and instantiates it, and then you have a compartment B that is able to import increment.
A
C
A
C
A
I think what we're going to need, but not, not urgently, but we should, we should work it out, is the ability to have a module map that causes wiring, specified wiring between modules, through renaming of specifiers, of shared instances when we want shared instances. But, but as with your preload thing, we need to make sure that, that we can distinguish, you, we can separately express when we want to share instances versus just when we're trying to map specifier names in order to share source code.
C
C
A
So, from our perspective, increment is a resource module, and to have increment be globally shared from the point of view of SES is strange, because what that means is that, that everything within that SES system has access to the same increment instance, and can thereby, can thereby all communicate with each other? Yes.
A
C
C
Then, when it's about the home page, he checked if the, if all the closure are constants and if all the objects that have been created by the values module for them, then there's, if you know this new way to elastic- and we do that because the aliasing mechanism is expensive. So we try to it as little as possible like a table singing oh.
A
C
A
D
E
D
A
So for fer, so this is one of these wonderful alignments between your implementation concerns and security concerns. They both push very, very much in the same direction Amin. So let me, let me suggest that, with the preload declaration that you're showing, that you could, you could distinguish two forms of preload: preload of pure things versus preload of alias of effects, and if you, and the reason to distinguish them from a security perspective is that preload of pure things is safe. It does not allow any communication and, and generally that's the way we've been thinking about.
A
A
While your structure is very, very parallel to what we've been thinking with your preload being like the shirt loader, but the, if you just had, let's say, two different preload directives where the default one is the one where you were, you were essentially asserting that the module is pure, so that, if you accidentally had a module like increment that was on that list, that you would get a build time error.
C
A
So, for example, if we have, if there's a class, let's say a top-level class inside a pure module, then different than, then, if compartments x and y both import the class and then one of them instantiates it, let's say class foo, so x and y both import class foo, x instantiates it to create an instance of foo and passes it to y. Y will, for, y does instance of foo, it will find, the answer is yes, yes.
C
A
If they were not pre-loaded and everybody got their own copy of the module, even if it was pure, they would be separate identities. Okay, good, good. We call that identity discontinuity, is, identity discontinuity is when you've got what is conceptually a single abstraction, but because it's separately evaluated with separate identities that you have.
A
A
E
B
B
A
C
B
B
B
There's start imports mojo, right, so, so an example to, I'm setting my entry point to start, and here also you're saying there will be two instances of mojo created, or would start, since it refers to the same mapping, get the previous instance of mojo, which use factory a.
C
C
B
B
A
They're just, I think, I think we all arrived at blissful clarity.