The workshop will produce a report.
Guido van Rossom: as a non-consortium member, he did not have access to some background.
Chair: The ultimate aim of the workshop is to come to an understanding of what W3C could/should do in this area.
Microsoft passed on the option of speaking on OLE2.
From 1982, lesson: Portabilty is (a) hard and (b) overrated. Eg, when REXX moved from mainframe to unix noone used it -- noone used it because they needed exploitation of the local features: portability is not only the language but also everything which anyone might want to use. Now it has taken off because they introduced access to OS/2 features.
You have to get the language right, and get good extendabilty features in the language and let other people do the extension. Tradeoff: other people might have lower portability goals.
A: REXX is a general purpose end-use language, finding a lot of use binding together existing programs. VM, MVS, OS/2, PC/DOS, also ships with Amiga. Shipped for free.
A: The exploitation features are for example the local file system. Net environment is in fact quite portable with sockets.
A: In Object REXX, modularity is in fact quite good, with ability to define high level abstraction of a function. OOREXX is not yet shipping, but aiz OS/2, TSO, VM will ship (not PCDOS) and free linux port.
Java work is 5 years old. They started out trying to build somethig a bit like what the web is now. Started with c++ which was no good so it turned into a language project. The project has a yin/yang nature with these twwo sides. Portability was a big goal all along. Java was never intended as a shell language, but to be self-contained. Portability has always been very good.
The AWT interface was designed as a sensible intersection which would run anywhere without being as beefy as Galaxy, so AWT is a thin layer between between app and X or Apple rom or Windows. Existing AWT is slightly too X-oriented, but that will be fixed. Flie system abstraction: much effort put in, partial success. One help has been using URLs as a "legislated syntax". Efffort also put into security: so far running pretty well. There are a number of rogh edges. Solution is maximally parnoid assuming you can't usecrpto. We have RSA based solutions but couldn't figure out how to use it. (A: RSA has hideous patent problems, with PKP is suing itself and so impossible to deal with, and licenses are not aviailble for reimplementation only for using their code. Also commerce dept has rules that putiing crypto code on a web site is equivalent to exporting it.)
Jave is distinguishedby being more for implemetation than scripting. For example, you can impleemnt GIF or HTTP; however for JPEG for example you would need a native code generator.
A: There is debate now about what interfaces applets should have.
A: There is no way of saying that something is trused for one thing but not nthe
There is a need for many different languages, in a range from command shells (tcl, perl) to system programming.
See slides
Different laguages for dif purposees
scrpting:
performance ess important
mimimum structure
eg tcl, perl
sys prg:
need structure to manage complexity
performance may be important
tcl strengths:
Great scripting languagee
Ligght weight: small interpreter, easy to lern
Can embed in other apps (eg egacy browsers)
Free and widely used.
100k users and
Safe-Tcl
A very good model. From nathanilel Borenstein, will be hauled back into mainstream tcl. Padded cell modle: large caorse protection schemes, wth easily verifyable properties. Like a more flexible verion of user/kernel saces. This is much simpler manage than sfae OO systems where each object has different
Used comercially by FV
Out for two years
Web microscriting
Small scripts intermingled with HTML would be usefu foor eg enrty validation, simpe spreadsheetss, conditional inclusion of HTML
Hippo browser is written all in tcl/tk. 2k lines code, all to HTML level 2. Faster than many C-written browser. 10 line HTML parser. This is proposed s test-bed browser.
Conclusios:
Web should support many laguages
TCL is attractive as it is simle, embeddable, secure and free
TCL will interoperate with other langages.
The basic model is that on transmission of code, any pointers to "mutable" objects are made into network pointers. Any immutable data has to be copied (anything from outside Oblique for example). With mutable objects, state is NOT duplicated over the net, but when code moves it stays connected to its parameters.
Oblique is a scheme-like langage bult on these ideas.
Lessons: Was easy to implement given good web runtime.
2. Closures are a great way of implementing code mobility.
3. Portability of oblique based on modua 3 portbility.
Web runtime: things available from Modula-3
Network objects
Marshalling arbitrary structures
Distributed garbage collection
error propagation really working with nRPC
Unforgable pointers/identities (Module 3 has these but can't be distributed with it)
Hard things
Firewall tunneling
Real security
Reliabilty, crash recovery.
Q: How can you operate when other hosts are off-line, with slow access? Well, not unless closure has no free variables. Yu can pickle a closure and run it later when resources availebl.
Q: applctaions. A: ??
Q: Represntation of objects when passed? A: Parse trees now, would like be able to use byte code.
Q: Terms? A: Distributed forfree with Modular-3.
Q: Closure model sounds like mrakettingfrom General Magic -- sounds similar. A: Doesn't sound similar -- I thing their agents copy the entire stack.
HTTP 1.0 web server
Highly extensible: can hang a procedure off anything off any URL subtre: "path handlers"
Allows safe uploading
Clearly written
Brand-new not even released
Lessons
Uploaded scheme code runs in the scheme 48 safe machine.
* Control of bindng-space is the critical element. Scheme 48 module system provides security and determines the mobile/system interface.
* Safe code has a new importance.
* Current web specs are not carefully designed.
* You're nowher if you haven't got a GUI. If scheme48 had aa broswer, would have much higher visibilty.
* A persavive, high-level paradigm, suchas first class functions, or objets, pays off.
Olin wants to work on how to safe code fast. Many rough edges.
Richard Kelsey (?) has a very differet system, rather like the Oblique system with network pointers. This is not web related, but does move code around.
Olin would now to work on safe code, thinks
Mutimedia scripting language
Heritage is dillon, connoln lisp.
1.0 docus was CDRom based delivery.
Compiled to byte code. Low level, not parse tree. Conclude that portable services are necessary. For example comprehensive GUI model multimedia model -- no system widgets, but pwerful compositing model. Built-in video integrated in case the platform doesn't have it, also sound re-sampling etc are guaranteed. If your write to the 1.0 API we guarantee portability to new platforms. Can combine code and media into a single object file.
Lessons learned:
Fonts are the hairest problem, have to pass platform fontnames in ugh.
Multiple realtime cloks available.
No IPR supprt, but foreign funvtion interface.
Realtime garbage collect defaults to every 20ms.
Addition to handlout comparison:O, clusres not mobile
All yes except weal thread-aware I/O, TCP API will be RSN. (check)
Q: scriptx and the web A: Now "dynamic comosition" allows incremental load of multimedia objects loading over the web. Have scriptx running as CGI server.
Break
Python has ticks in all the boxes. Python is midway between scripting nd sys language: wide dynamic range. Useful for 5-10 line scrits, to multimedia 2k line programs.
Security is rather cheme-48 like, with arbitray domains. Python had the ability for moodules to peek into the python RTS which was a security hole.
Someone at orgeon state is wing on python-enabled mosaic.
There is not an on/off security model. There is a trusted surrounded eenvironment, which then can inject a controlled amount of functionality into a padded cell. For example you can override a file open function with a more restricted
Could easily translte python ino Guile or Scheme48, but python app API has many POSIX, which makes porting more difficult.
Applications: web clients and servers, non web-related srvices on the net. Python was not designed for web portability, but is very suitable for it. An CNRI, we plan to use python for Knowbots. We are already pickling python functons and shipping. Current python can't have a pickled stack as C stack is interleaved. See www.python.org for more information.
Jim: Two types of security: by name space, and by explicit security parameters passed to objetcs. Olin: security by name space is capabilities. John Ousterhouse: no, capabilities are more the low level object-based security type.
Brainstorming topics
1-18 Services and Interfaces: naming svcs
Services/InterfacesDo we need just common byte code or also APIs?
2-20 security mechanisms
3-1 Performance - interpret or compile?
4-16 Do we need multiple languages?
5-3 Formal semantics, proof
6-8 FFI: Interoperability, ILU and Corba?
7-1 Transport: Do we need more than HTTP? Parallel?
8-20 Model: mobile code/closures/continuations
9-1 Legal issues, availabilities, copyrights, IPR
10-2 accountig, controllig access to resoures
11-9 Mixing code with HML
12-7 More abstract higher level interfaces
nixed Export control (nixed by chair -- see)
OneMany langauges
Services:
GUI: Need high or low
Net
local file system
GUI
General discussion about standardization. The advantages of a high level description combined with the option of low level total specification.
Jim Gettys asserts most apps do not have the GUI as the app itself as oppose to multiledia app where the GUI IS the app.
Open doc model compared with html...
API negotiation breakout group
Context: defining an interface
way of describing interface
byte code negotiation
interface naming
negotiate resources (only HTTP negotiation)
resource discovery (no existing solutions)
download (eg javaa using HTTP)
Points made:
Conflict between OS and browser ways of dynamically loading things.
Granularity of download affects decision process
Interface namig question --UUID of
Choice: visble metadata or recursive laoding
Matching two trees -- needed and available and potential
Some people want to just know which OS they are running on.
Leave it up to the applet -- or the system?
no ideas.
neither completeley.
Security (group2)
Object is to make firewlall managr feel good aout wht people
Model: kernel and user space with thin straw.
Model: soup of objects with capabilities
k/u space model faoured as esier to sell.
Attack model discussed. Assumption made that the questions of authentication for example can be left to security group.
k/u model needs some way of extending the straw to a thick one
Application (gp 3)
Problem model the classes needed for forms
document
forms
widget
field
button
methods are for exmple
on_entry()
on_exit()
color()
<LINK> links document to code.
Callback from page to code, and from code to change page and browser.
Subclassing used for specific types, and subclass= attribute in HTML allows subclass in code to be identified. Eg <INPUT TYPE=TEXT CLASS=SSN>
Demo by Kaleida labs. Used reality lab. Phill felt that the use of higher level
Break
What next?
What are the dangers if we do nothing (let 1000 fflowers bloom)?
Both publishers and browsers will have too much to deal with.
Market will continue to go monolithic. Browsers will be monolithic.
The security front will have to move forward will be
Are there any particular modules which w3c wuld like to see efined early rather than later?
Could we see style sheets?
Can we have the necessry for interoperation between different scripting languages?
Problem of letting 100 flwers bloom is that industry will settle on the lowest common demnominator?
JO: We can't make a better choice than the market.
TBL: Sme piolt projets would e interesting
JO: Fine grained microscripting -- API for that -- would be a good project.
JO: interlanguage
Maybe there should be a way of defining code to be associated with a given HTML form.
We should define API for form validation only.
Make a 90% solution only -- no more
Don't start on the scriptx slipery slope
We need always a mix of declarative HTML and procedural code attached.
Apps: Forms vaidation, conditional text, spread sheets.
Sewcurity modl willl be linked to what language you use? With tcl, yes.
Chairman's suggestions: that someone put on the table at least one solution for each of:
Event defiitions for 3 apps avove (forms&c)
Browser plug-in protocol
Interface naming and discovery protocol
[Idea: the resource converter(jpeg, gif) is an instance of converter() which you may have many instances of. This is rather nice in fact]
One (7th floor) idea is that any computaional problem is described and given to an agent whhich searches for a program which has already been written
Should we work on a definition language? PHB: That was what ASN/1 was supposed to be! JO: You won't be able to get ery far with complex data types. John Klensin: when you use an API (eg openSoundPort) , unless you can query the interface as to its capabilities, then you end up with something too inflexiblele with too many impicit assumptions made by the app.
Areas of concern are represented by the working groups. The groups should generate requirements documents. For security, for example, can we have a list of features for level(n) secure systems?
Can we just go with Java byte code? No, horsepwer requirements are too big? No, there will be many systems competing. No, we can't adopt the byte code without adopting the language: its the runtime classes which you need: the OOREXX parse tree interprter is faster than byt code; the scriptx rutime is used directly be the langage.
What will thegroup report? Intro+4 groups.
Kaleida are working on SOM and OpenDOC, ILU are working on COM. In fact Kaleida could use Java byte code, but the runtime would have to be available. Suppose the Kaleida and OOREXX runtimes were to cohabit? The bigg roblem would be garbage collection. Kaleida would need a high-res cock not normally available for example.
What about runtime compilaton? Scriptx architecturally can do. It wouldn't make sense for Tcl because everything is a string. Scheme gives you typially factor of 10 for small loops.
Conclude: many languages, byte codes. Jim: no, 80% solution allows only one language in one machine. Conclude: need system function for eg authenication. Conclude: Can interoperate 80% level with just all languages having an interface to C. The GC problem is the bg one unless you duck it -- see Jim. Harald: downoading should be high granularity, module per uRL, with browser caching doing the maagemnt of what is already loaded.
What should w3c do?
Make plugin method
Define runtime non language-specific ? Aaagh...
PHB: If one defne a padded cell, one has defined n API whether you like it or not..
In what language shuld w3c distribute code? J Klensin: not in something exprimental: IPR and maturity must be suitable for MCI to be able to make product with min tweak. Kaleida: We want to be able to put w3c C code into product. JK: we hev paid for unencumbered code.
JK pointed out w3c obligaion to produce unenumbered code.