> On Wed, Jul 3, 2019 at 7:31 PM Phil Hofer <xxxxxx@sunfi.sh> wrote:
>> Consequently, a "safe" subset of R7RS must restrict the
>> implementations of define-syntax, letrec-syntax, etc. to
>> only accept hygienic syntax transformers.
> R7RS-small has no other kind of syntax transformer. On a syntax-case system, a bare lambda would indeed be dangerous, but at least {er,ir,sc,rsc}-macro-transformer are unavailable.
Depending on the implementation of the underlying syntax system, {er,ir,sc,rsc}-macro transformers may still be available. For example, Chibi has always allowed bare lambdas as macro transformers and, say, sc-macro-transformer is implemented as a procedure returning a bare lambda.
>> I also think it might be worth reconsidering the use of the
>> words "safer" in the title of this SRFI. It's not clear
>> what "safer" means in this context: what security guarantees
>> are we actually trying to achieve here?
> We guarantee exactly nothing except a lower level of risk than not sandboxing at all. That's why I was careful to use language like "safer" (as in "safer sex" as opposed to "safe sex", which suggests no risk at all), "less concern", "increased assurance", and "almost certainly".
But what is the purpose of this SRFI? If the purpose is to be able to eval untrusted code in a sandbox, then it is just dangerous to offer an implementation that is, most likely, not safe on most Schemes. In this context, "safer" still means "unsafe".
I usually view "eval" as Scheme's built-in JIT-compilation facility. As much as one would never directly run untrusted code on the CPU, one would never pass user code directly to `eval'. Instead, `eval' should only be used as the back-end of custom interpreters/compilers running in Scheme. User code first has to be compiled and transformed before it is passed to `eval'. It is up to the compiler/transformer to make sure that the resulting code is safe.
For an example, we can take the psyntax implementation of the syntax-case system. It accepts R6RS programs (at least the syntax-case and the library part), transforms them into R5RS and runs the result using `eval' and `load'.
What I think could be helpful is to make sure that there are enough primitives/guarantees that it is in fact possible to compile an arbitrary program into a safe expression. (It is immaterial whether the environment, in which this expression is evaluated, is restricted or not, because it is the expression which actually has to be restricted.)
-- Marc
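As an added illustration of the "restrict the expression, not the environment" approach discussed above (this is example code written for this page, not code from the thread or from the SRFI), the R7RS sketch below checks an s-expression against a small whitelisted grammar before handing it to `eval'. The names `safe-expression?', `sandboxed-eval' and the `allowed-primitives' list are this example's own choices; any form whose operator is not a bound variable or a listed primitive, including define-syntax, let-syntax, set! and call/cc, is refused before `eval' ever sees it.

```scheme
(import (scheme base) (scheme eval))

;; Primitives the sandboxed program may call (example whitelist).
(define allowed-primitives
  '(+ - * / = < > <= >= car cdr cons list null? pair? not eq?))

;; Keywords handled specially; they may not be rebound as variables.
(define special-forms '(quote if lambda let))

(define (all? pred lst)
  (or (null? lst) (and (pred (car lst)) (all? pred (cdr lst)))))

;; #t iff EXPR uses only literals, variables in BOUND, whitelisted
;; primitives, and the four special forms above.
(define (safe-expression? expr bound)
  (define (safe? e) (safe-expression? e bound))
  (define (ok-name? p) (and (symbol? p) (not (memq p special-forms))))
  (cond
   ((symbol? expr)
    (and (or (memq expr bound) (memq expr allowed-primitives)) #t))
   ((or (number? expr) (boolean? expr) (string? expr) (char? expr)) #t)
   ((not (list? expr)) #f)              ; vectors, improper lists, ...
   ((null? expr) #f)
   ((eq? (car expr) 'quote) (= (length expr) 2))   ; quoted data is inert
   ((eq? (car expr) 'if)
    (and (= (length expr) 4) (all? safe? (cdr expr))))
   ((eq? (car expr) 'lambda)
    (and (>= (length expr) 3)
         (list? (cadr expr)) (all? ok-name? (cadr expr))
         (all? (lambda (e) (safe-expression? e (append (cadr expr) bound)))
               (cddr expr))))
   ((eq? (car expr) 'let)
    (and (>= (length expr) 3) (list? (cadr expr))
         (all? (lambda (b) (and (list? b) (= (length b) 2)
                                (ok-name? (car b)) (safe? (cadr b))))
               (cadr expr))
         (all? (lambda (e)
                 (safe-expression? e (append (map car (cadr expr)) bound)))
               (cddr expr))))
   ;; Anything else is an ordinary call: the operator itself must pass,
   ;; so define-syntax, set!, call/cc, I/O procedures etc. are rejected.
   (else (all? safe? expr))))

;; Front-end that only forwards vetted expressions to eval.
(define (sandboxed-eval expr)
  (if (safe-expression? expr '())
      (eval expr (environment '(scheme base)))
      (error "rejected: expression is outside the safe subset" expr)))

(sandboxed-eval '((lambda (x) (* x x)) 7))                       ; 49
(sandboxed-eval '(define-syntax m (syntax-rules () ((_) 1))))    ; raises error
```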