15:39 | <bradleymeck> | do we announce calendar events like the incubator call anywhere except the calendar itself? |
15:52 | <Bakkot> | incubator calls are announced on the reflector |
15:52 | <Bakkot> | e.g. the one which is in 8 minutes has a thread here: https://github.com/tc39/Reflector/issues/308 |
15:55 | <shu> | bradleymeck: someone (i think jordan?) tries to pin the next one, but we only have 3 pin slots so not always pinned |
15:56 | <shu> | bradleymeck: but yeah, each incubator call is always announced on the reflector |
16:10 | <ljharb> | today's has been pinned for a month, fwiw |
16:11 | <ljharb> | bradleymeck: beyond irc, reflector issues, and the calendar, what would help announce them? |
16:15 | <bradleymeck> | not really seeking more, i just don't see much explicit short term announcement (i just read the calendar normally) |
16:19 | <ljharb> | kk |
17:00 | <leobalter> | shu bradleymeck: WRT prioritization: this seems meta. Goals vs Motivations. |
17:01 | <bradleymeck> | leobalter: agree |
17:02 | <shu> | leobalter: not sure i understand what you mean by meta there |
17:02 | <shu> | leobalter: i think it directly impacts how we weigh tradeoffs |
17:04 | <leobalter> | well, I'm just pointing on both sides I feel like things are being put as Goals or Motivations. |
17:05 | <shu> | sorry i don't follow |
17:05 | <leobalter> | both aspects are very important for any things we work on. |
17:06 | <leobalter> | sorry the irc / text is never helpful. |
17:07 | <bradleymeck> | shu: i don't think we were discussing the language's ability to provide implementation or JS recreation of guarantees, which is kind of off topic/meta discussion. it can be somewhat related to auditing of what is/will be guaranteed but not necessarily working towards a scope of what is in/out of bounds |
17:07 | <bradleymeck> | we disagreed on bounds at the time, but not necessarily in direction |
17:07 | <shu> | i think i'm fundamentally kinda confused about what we're discussing, but that makes me feel hopeful? |
17:08 | <shu> | sorry i'm not all here, fucking plumbing... |
17:09 | <leobalter> | I don't feel able to help clarifying through text chat, so I'd rather defer to a next call or something. |
17:09 | <bradleymeck> | shu: i think we all agree on some base premises (side effects hard to deal w/, ability to make guarantees about JS code is primary) but are too ingrained in specifics and likely having trouble coming to terms that are mutually agreed upon |
17:09 | <bradleymeck> | e.g. the Node problem was a subclass of Set/Map calling @@iterator this week which meant non-host code could muck with things |
17:10 | <shu> | bradleymeck: ah, i think node and the browsers might not have much disagreement here in practice |
17:10 | <bradleymeck> | or exfiltrate things... but it wasn't about arbitrary code execution |
17:10 | <shu> | bradleymeck: but i do stand by the Proxy point i made. Proxies added a lot of complexity and arguably was a detriment to the security of the implementation, all the while enabling a particular solution to a kind of security guarantee |
17:11 | <bradleymeck> | shu: we participate in the SES calls for example but are not intending to ship SES/membranes |
17:11 | <bradleymeck> | shu: I am not in disagreement but there was cross talk about various things only being important at VM implementation |
17:11 | <bradleymeck> | which isn't where most of the CVEs in our ecosystem come from |
17:11 | <shu> | +1 |
17:12 | <bradleymeck> | we do ship --frozen-intrinsics though and that does solve a lot of issues 😉 |
17:13 | <Bakkot> | shu yeah I think the complexity of new features vs implementation burden point is well taken |
17:13 | <bradleymeck> | just auditing JS code to know what it is trying to do is basically an impossible task |
17:15 | <bradleymeck> | so you end up having to limit host APIs, and for a lot of the times you can audit a few small bits of code that need access to powerful things (net/fs), but the ability to even audit or guard that is non-trivial like you said. hence needing to recreate various guarantees or completely disable the API. for lots of things you can't disable stuff (http server disabling http!?) |
17:16 | <bradleymeck> | so you do end up with some level of granting authority by exposing/passing APIs around, that is the main contention i think |
17:16 | <bradleymeck> | various things about what is in/out of bounds is largely still undiscussed |