nsb@THUMPER.BELLCORE.COM (Nathaniel Borenstein) (08/15/90)
Yes, there are several examples of such systems, the earliest of which I know of is Vittal's R2D2. Another is the Andrew system, using the Ness extension language -- arbitrary programs can be included, but the user is asked if he "trusts the sender" before the program is executed. (He's also given help scanning for dangerous statements.) I consider the security of such systems totally unacceptable, as I suspect most of you agree. (I did a test with Andrew + Ness and found that most people were incredibly willing to trust such programs without reading them.) The language I've been working on does indeed have a restricted environment and language that prevents such problems. It also has some interesting properties that make it much more portable in terms of user interface environment and also more portable between mailers. Since several people have asked me for more details, I'll post a detailed explanation of the language on this mailing list as soon as the explanation clears the Bellcore approval process. -- Nathaniel