safe & encapsulated envs?

[Han-Wen Nienhuys]

Hi y'all

the GUILE development list seems a little quiet these days. I hope
something is still happenigng on the GUILE front.  In any case, I have
two questions

1.      How do I create safe execution environments?

I'm asking for LilyPond: LilyPond includes rather deep GUILE
integration, and you can execute arbitrary scheme code from within a
LilyPond input file.  This opens a huge security risk, of course. So
I'm interested in finding a way to disallow dangerous operations from
being executed from an untrusted file.

How do I do this?  A grep for "safe" in the docs and the source code
didn't yield anything.

2.     How do I encapsulate the execution environment?

I probably need to explain this a little more. Right now, a lilypond
run looks like

    * load .scm Scheme initialization files

    for every user input file:

        * load .ly LilyPond initialization file

        * load .ly user input file, execute Scheme contained within.


The problem is that user files may change the state of the
interpreter. So, if A.ly contains some (set! .. ) statement, the
results of

        lilypond A.ly B.ly

and

        lilypond B.ly A.ly

may differ.  I would like to change it to be like

    * load .scm Scheme initialization files

    for every user input file

        * open new environment

         * .ly LilyPond initialization

         * .ly user input

        * throw away environment

so that each .ly file starts out with the same settings.


Is such a thing possible? If yes, how do I do it/where do I read up on
this? I realize that it might not be possible to start out with
entirely the same state, but it would be nice if the effect of
assignments would be reverted.

3. (stupid question)

Is this the right list for this type of question?


Please CC me on replies, I'm not on this list.


-- 

Han-Wen Nienhuys   |   address@hidden    | http://www.cs.uu.nl/~hanwen/