If you are reading this tutorial in order, you’ve just finished the reference capabilities chapter and your brain probably hurts. We’re sorry about that. Hopefully object capabilities, while a new concept, are less mind bending.
We touched on object capabilities previously in the tutorial; this chapter will dig in more. So, what is an object capability?
A capability is the ability to do “something”. Usually that “something” involves an external resource that you might want access to; like the filesystem or the network. This is called an object capability. Object capabilities have appeared in a number of programming languages including E.
Pony’s capabilities-secure type system is based on the object-capability model. That sounds complicated, but really it’s elegant and simple. The core idea is this:
A capability is an unforgeable token that (a) designates an object and (b) gives the program the authority to perform a specific set of actions on that object.
So what’s that token? It’s an address. A pointer. A reference. It’s just… an object.
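The following is an added example, not code from the Pony tutorial. It shows the two halves of the definition above in Pony code: authority is conveyed only by handing out a reference, and a reference can be attenuated by wrapping it in an object that exposes a narrower set of actions. The type names `AuditLog` and `AuditLogReader` are invented for this illustration.

```pony
// Added example (not part of the Pony tutorial). An object reference is a
// capability: whoever holds an AuditLog can append to it; whoever holds only
// an AuditLogReader can count entries and nothing more.

// Full authority: append to and inspect the audit log.
class AuditLog
  let _entries: Array[String] = Array[String]

  fun ref append(entry: String) =>
    _entries.push(entry)

  fun size(): USize =>
    _entries.size()

// Attenuated capability: wraps an AuditLog behind a smaller interface.
// The wrapped log is a private field, so code outside this package cannot
// reach through the reader to recover the full-authority reference.
class AuditLogReader
  let _log: AuditLog box

  new create(log: AuditLog box) =>
    _log = log

  fun size(): USize =>
    _log.size()

actor Main
  new create(env: Env) =>
    let log = AuditLog
    log.append("user login")
    log.append("config change")

    // Hand a component only the narrowed capability. It can count entries,
    // but it has no path to `append`: the reference it holds is exactly the
    // authority it was given, and Pony has no ambient or global way to get
    // more. `reader.append(...)` would fail to compile.
    let reader = AuditLogReader(log)
    env.out.print("entries: " + reader.size().string())
```

Because `AuditLogReader` takes the log as `box`, it cannot mutate the log even internally, so the attenuation is enforced by the reference-capability system as well as by the reader's method set.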
We mentioned previously that the C FFI can be used to break pretty much every guarantee that Pony makes. This is because, once you’ve called into C, you are executing arbitrary machine code that can stomp memory addresses, write to anything, and generally be pretty badly behaved.
Trust boundaries

When we talk about trust, we don’t mean things you trust because you think they are perfect. Instead, we mean things you have to trust in order to get things done, even though you know they are imperfect.