Send a Program, Not a Data Structure
Posted by SunJuiceSqueezer@reddit | programming | 34 comments
The release of the pretext layout library the other week sent me down a research rabbit hole around the architectural idea of "sending a program, not a data structure". I'd heard of the idea before and been exposed to it (mostly in games - ❤️ Quake), but I learnt how the idea is used in many domains. The history of Postscript is something I wasn't expecting to find so interesting, and I might do more research and writing about that.
Anyway, I hope you like the blog post, and would love to hear of any systems you use or build that leverage this technique.
CompassionateSkeptic@reddit
I don’t think this is right.
I hate to give such a blunt response but I think this does two things that really prevent any viability to the argument.
I think this conflates data structure and protocol. A data structure is merely a representation of something while, relatively speaking, a protocol is an agreed-upon representation of something.
I think this doesn’t consider how profoundly difficult it is to trust the senders. We have trouble trusting senders to send markup, data, and constrained-and-sandboxed programmatic enrichment inside a browser which is now as big and complex as an operating system in part just to deal with that risk. In other words, we’ve been sending the program for a while now and it’s extremely difficult to do safely. Arguing to make the hardest part to secure play the exclusive role in the ecosystem feels terribly naive at best.
I hope I just completely missed the point.
Neuro_Prime@reddit
What’s the diff between “send a program” and gRPC?
Delta-9-@reddit
You may as well ask "what's the difference between 'send a program' and HTTP." Protocols aren't programs.
Cloned_501@reddit
We had several tries at this, the Internet was an insecure mess for two decades.
ClownPFart@reddit
Yeah, thankfully now the internet sends only data (don't mind the megabytes of JS behind the curtain)
TheRealPomax@reddit
No one said the 2 decades were over. Covid wrecked how time works rather splendidly.
foxsimile@reddit
JSON: the perpetual mess.
DearChickPeas@reddit
RPC? Sure sounds safe! /s
max630@reddit
It has been an insecure mess, and now the customary fix for it is that anybody cannot just start sending stuff; they rather should identify themselves.
tudorb@reddit
We learned from it, and any new such system would be isolated by design. JavaScript (in browsers), WASM, Solidity are examples that do this at scale without too many serious breaches.
wavefunctionp@reddit
I do. I sent my program over the wire as a string. It gets interpreted as JavaScript. And we send little patches of data in separate requests.
This is literally modern web development.
And that’s before we start talking about fancy techniques like hydration or RPC
programmer-ke@reddit
Funny how I know Alan Kay would be cited even before reading.
Perhaps to address the issue of vulnerabilities, the 'program' doesn't necessarily have to be Turing complete.
overgenji@reddit
Python has this concept of "pickling" where you can also bundle up what are more or less executable objects lol
Pharisaeus@reddit
Yeah, and this one mechanism is basically the cause of 90% of severe security vulnerabilities in Python software ;)
Zardotab@reddit
That's called a "virus".
cacatl@reddit
No, it's a bacteria. Programs are like delicious Greek yogurt and not all code segment modifying programs are bad. The concept is the same, trust me! -[spoiler]Lucifer[/spoiler]
ReallySuperName@reddit
The dumb comments in this thread are depressing
quadcap@reddit
it's not as crazy as it sounds. look up REBOL/red-lang (almost the same thing)
they are homoiconic, so there's no difference between program and data structure, and they have other characteristics that encourage this
REBOL was an influence on JSON as a transport data structure
bwmat@reddit
I mean, what is a program other than a tree of symbols...
Every-Progress-1117@reddit
Lisp?
Beginning_Basis9799@reddit
PostScript as in Adobe PostScript, then came Enhanced PostScript. Then PDFs and a lot of tears
Pharisaeus@reddit
RCE as a service.
Never do this, unless you control the payload or have no other choice. Sandboxing is much harder than you think.
PostScript is a great example of decades of vulnerabilities. ImageTragick is another great example.
From more common things there is also Python and its pickle.
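An added example, not part of any comment in this thread, illustrating the pickle point made above: a pickle stream is a small program for the unpickler, and the opcodes that import or call things can be listed without loading it. The names `code_opcodes`, `DataOnlyUnpickler` and `load_data_only` and both sample pickles are constructed for this illustration; the refusing `find_class` override follows the pattern in the Python `pickle` documentation.

```python
import datetime
import io
import pickle
import pickletools

# Opcodes that make the unpickler import a name, call it, or set object state.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def code_opcodes(blob: bytes) -> list:
    """List the code-invoking opcodes in a pickle stream without loading it."""
    return [op.name for op, _arg, _pos in pickletools.genops(blob)
            if op.name in CODE_OPCODES]


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only builtin
    containers and scalars (dict, list, str, int, ...) can be rebuilt."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_data_only(blob: bytes):
    """Load a pickle, rejecting anything that is not plain data."""
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


# Constructed samples: one pickle of plain data, one of a stdlib object.
PLAIN = pickle.dumps({"user": "alice", "roles": ["admin"], "n": 3}, protocol=4)
DATE = pickle.dumps(datetime.date(2024, 1, 1), protocol=4)

if __name__ == "__main__":
    print("plain:", code_opcodes(PLAIN))
    print("date: ", code_opcodes(DATE))
    print(load_data_only(PLAIN))
    try:
        load_data_only(DATE)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

Even a harmless `datetime.date` needs an import and a call to be rebuilt, which is why a data-only format such as JSON is the usual choice for input that crosses a trust boundary.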
addmoreice@reddit
Considering all the *staggering* number of issues with PostScript and the absolutely *insane* security issues that are found constantly...no. I do not want to send a program over a data structure, in the vast majority of situations.
In many situations, sending data is king, just because it forces both sides to agree on how to
Civil-Appeal5219@reddit
No. No. No no no no no. Please no. God no. No.
rwilcox@reddit
Use a Lisp and do both :-)
Goodie__@reddit
I find it curious. You cite HTML and CSS as an example of send a data structure.
Is JavaScript not sending a program? Do HTML and CSS not then form the very same primitives and building blocks you so claim are good?
No-Concern-8832@reddit
Pure HTML+CSS has no JavaScript.
manifoldjava@reddit
Curiously, this was written as if HATEOAS does not exist.
hkric41six@reddit
An ELF file is literally a data structure.
Valuable_Leopard_799@reddit
Returning to "code is data" after all.
AsIAm@reddit
If data is accompanied by instructions how to interpret that data, then yes. Otherwise no.
cbarrick@reddit
Not necessarily.
You can transmit a pure logic program, which may have denotational semantics but no operational semantics. That is, the program describes some result but doesn't prescribe any particular algorithm for computing that result.
For example, you may evaluate the program using a Prolog interpreter or an ASP interpreter, which have very different approaches to evaluating the program.
mr_birkenblatt@reddit
DAE want flash back?
omniuni@reddit
Just because a data format can contain logic structures or adjustable parameters, I'm not sure that makes it a program.