Re: Why is java considered a language for "web" or "internet" programming?
Chris Smith wrote:
> Tom Forsmo <spam@nospam.net> wrote:
> In particular, if your definition of safety involves enforcing security
> constraints in an application involving multiple pieces of code, each
> running with different trust levels, some perhaps mobile between
> processing nodes, then Perl is going to be hopelessly inadequate for the
> task. This kind of use case is handled very nicely in Java.
Can you explain what you mean by "multiple pieces" of code? There are
far too many possible design solutions to use a generic term like that
to make such a decision. Can you also elaborate on what you mean by
different trust levels, and what scenarios you are thinking of?
Btw, mobile code is not a scenario that Perl was built for, so all the
features needed for that are not in the language. Not that Perl cannot
use mobile code and protect itself; it has safe mode for both code and
data. But if you want support for the same mobile code safety scenario
as the one Java supports, you only need to build a library to handle it.
It does not need to be a part of the language.
> There are other definitions of "safe", of course. For example,
> sometimes a language is called safe when there is a lower likelihood
> that programming errors will lead to security faults. Java does fairly
> well in that way as well, as it performs runtime checking on a wide
> variety of operations that may lead to undesired but undetected faults
> in other languages, including Perl.
This is closer to the definition I think about when discussing the
issue, i.e. "secure programming", such as the language features that
help the programmer protect against malicious input and such. Perl has
taint mode; I am not aware of any such feature in Java.
There is a difference between secure programming features and security
architecture designed for different scenarios. And that
My point is that a dynamic language such as Perl is perfectly capable
of code as safe as a statically typed language such as Java, perhaps
safer.
The reason for this is twofold:
1)
There are three types in Perl: scalar, array and hash. The use of these
can be checked with a syntax-check run first; runtime exceptions
can happen in both types of languages and need to be handled at that point.
In addition to this, Perl does not have C pointers, buffer overflows
etc. It does, however, have taint and safe mode, which help protect
data and code. If there is anything else you need you can use a library.
2)
Because creating a secure program is more about architecture and design
than about language security features. Creating a secure program depends
a lot on a safe architecture, a clean design and good programming
practices, such as: default deny, cleaned input, being wary of external
references provided (config files, URLs, paths, environment etc.), etc.
In addition, any code has to be tested, so the argument that dynamically
typed languages are less safe than statically typed languages fails by
its own reasoning, at least for this language. But I have no problem
agreeing with that for other languages, such as, for example, PHP, which in that
respect is terrible. I think Python suffers from some of the same
problems, but I am not sure, or to what degree. For Lisp, this is not a
security issue whatsoever.
tom
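As an added example, not part of the thread above, here is what the taint mode Tom mentions looks like in practice: a script run with -T that refuses to hand command-line input to system() until the data has been untainted through a regex capture. The whitelist pattern, the untaint_name helper and the PATH value are my own choices for the illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): Perl taint mode in action.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, anything that comes from outside the program (@ARGV, %ENV,
# file and socket reads, ...) is marked tainted. Perl then dies with
# "Insecure dependency in system while running with -T switch" if a
# tainted value reaches system(), exec(), open() for writing, unlink()
# and similar calls. The only sanctioned way to clear the taint is to
# extract the value through a regex capture, which forces the programmer
# to say explicitly what "clean" means for this input.
sub untaint_name {
    my ($raw) = @_;
    # Hypothetical whitelist for this example: 1-32 word characters or '-'.
    my ($clean) = $raw =~ /^([A-Za-z0-9_-]{1,32})\z/;
    return $clean;    # undef when the input did not match
}

my $name = $ARGV[0] // 'world';
printf "argument is %s\n", tainted($name) ? 'tainted' : 'clean';

my $clean = untaint_name($name)
    or die "refusing input that failed the whitelist: '$name'\n";

# Taint mode also refuses to run external commands with an inherited
# PATH or with the shell-influencing variables below still set.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Had we passed $name instead of $clean here, perl would die before
# the command ran; with the untainted value it proceeds.
system('echo', "hello, $clean") == 0
    or die "echo failed: $?\n";
```

Running it as `perl -T script.pl 'bob; rm -rf /'` dies at the whitelist check, while `perl -T script.pl bob` prints the greeting.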