* Posts by _andrew

43 posts • joined 7 Dec 2019

It's the end of the world as we know it, and we should feel fine

_andrew

Re: How about backup software that anyone can use reliably?

The industry's response to the backup problem has been to keep the user's data safe, somewhere away from the users and their unreliable computers. In the cloud. (All of the other issues that go along with that move come down to differences of policy and contract terms.) Buy a new phone these days and getting your old stuff back doesn't involve restoring from a backup: it involves logging in.

_andrew

Re: Thought Experiment

ARM2-like cores are still everywhere: the smaller Cortex-M series of microcontrollers are not too dissimilar. (Thumb2 instruction set there though, not the old ARM32 or ARM26 instructions, so you couldn't just run an old RISC-OS image.)

Those are now found in things so small that you would not even have thought of it, back in Clive Sinclair's heyday. Things like earbuds, passively-powered sensors, credit cards, ...

LibreOffice 7.2 release candidate reveals effort to be Microsoft-compatible

_andrew

Re: to see "office" applications go away - pages are so last century

I'm quite a lot more confident of documents authored in markdown being useful in 75 years than any particular "office" format. Agree though that at least ODF seems to be heading in something of the right direction. I'm just not confident that a volunteer team can keep useful presentation software going for such a complicated specification in perpetuity. We'll see.

I'd say that PDF probably stands a decent chance too, except for the javascript features and editable bits.

(One of the) points about corporate wikis and web standards is that it's a different and interesting twist on longevity. The storage format isn't generally described at all, and the display implementation doesn't really matter, and can track whatever web standards exist at the time. Point is that the entire document repository is online and live all the time, so changes in the back-end ought to be applied as they go, fixing incompatibilities as they arise. As everyone who has ever had anything to do with software knows, there's a lot of "if" in that plan, and it does rather depend on your vendor staying alive, which I'm sure they love.

I used to think that (La)TeX was a good basis for document longevity, what with being open-source and readily available, but it's currently aging poorly, IMO, and interacting badly with Unicode, so I'm no longer so confident.

Reckon I'll stick with unadorned ASCII, or perhaps markdown. Maybe troff?

_andrew
Happy

I think that I'm gradually starting to see "office" applications go away - pages are so last century

I'm sure that everyone's work environment is different, and there are no doubt many people who still use these things, but it seems to me that their grip is finally starting to slip. Not replaced by yet another document format, but by web-native modes of communication. Corporate wiki document storage, email, various chat applications where once there might have been circulated memos, even markdown files for code project documentation. Blogs. Socials. I find that I can go weeks without firing up Word. Powerpoint seems to have some extra staying power, but that now has some competition from various non-page, continuous scroll presentation tools.

America tops ITU's Global Cyber Security Index, UK in tie for second with Saudi Arabia

_andrew
Thumb Down

Sloppy report, worth the paper it's printed on.

Looked up the local country (AUS): the scatter-plot of the results is clearly buggy, so what else is wrong? We were pipped on "Technical Measures" by Mauritius, Kazakhstan and Azerbaijan, so that's making a lot of sense, especially since we have essentially the same sorts of CERT bodies and reporting schemes as all of the other early-internet players. Scroll down a bit further and by the time you get to Serbia they've stopped bothering to score their dimensions out of 20, and are just making the numbers up. Reading a bit more deeply, it seems that the person in Australia who answered their questionnaire was someone at ASPI, a defense-industry funded think-tank who were among the loudest voices shouting down Huawei's role in 5G, not an actual government body or representative of any sort.

In short: don't bother. And treat anyone who makes reference to it in any forum with deep suspicion.

On the other hand, perhaps they're paying attention to our nationally-legislated ability to overrule mathematics and decrypt messages by official fiat.

Good news: Google no longer requires publishers to use the AMP format. Bad news: What replaces it might be worse

_andrew

Re: Will the Register lead the way?

At least the Register has stopped infesting their own RSS feed with AMP links. The (relatively brief) period where that was happening was the only time I've seen an AMP version of a Register article.

I've long since given up extrapolating to the community from my own experience, but I am still surprised that a tech news site like the Reg gets any significant fraction of its traffic from search engine referrals. Surely most comes from feed readers or bookmarks? Both of those are mechanisms of the open web and have nothing to do with search engines.

Say helloSystem: Mac-like FreeBSD project emits 0.5 release

_andrew

package systems and security

Package systems really are a bit of a crutch for the disorganised approach that modern Unix has become. Sure, they can do anything, by design, but is that what you really want? I don't know helloSystem yet, but early (PPC) vintage OSX (pre macOS) gave a considerable nod to application installation via App bundles, which was a slight warming-over of RiscOS application directories, which was a slight dilution of Plan-9 application mounts (which are arguably re-emerging in a drug-induced hallucination that is SNAP apps). Keep things self-contained and recursively mirror the Unix bin, dev, etc, lib, var, (src) hierarchy. Union mount to avoid PATH mangling for extra kudos.

Security: the FreeBSD 12.x that helloSystem is using has capsicum. Not sure if they're using it much, but that's a really good foundation to build from, if you want to head towards a modern, zero-trust security model.

Firefox 89: Can this redesign stem browser's decline?

_andrew

Re: Please, Firefox, just go away already!

I have a relatively new machine, and haven't run JetStream2 before, so just gave it a shot on Safari, Chrome and FirefoxDE (my daily driver). Safari is ahead by a good margin (172.9) from Chrome (150.0) vs FirefoxDE (91.6). The nice thing about JetStream2 is that it reports good statistics about all of the component tests, and the differences are interesting. SpiderMonkey actually wins a few rounds (eg regexp), but there are others (splay, which is claimed to be a heavy test of the garbage collector) which it loses to Safari by a factor of nearly nine. Mostly it's behind by a factor of about two, which is further than I had thought.

And yet it's perfectly fast enough for me, and what I use it for. I suspect that the multi-threaded layout engine from Servo probably helps more than the last percent of wasm performance, most of the time.

JetStream2 is, as it says on the tin, a javascript engine benchmark, which doesn't say anything very much about the overall browser experience, which includes rendering, CSS, layout and all the rest.

And none of that is why I use Firefox. I use it because it's the hold-out for ecosystem diversity, because it runs on all of the platforms that I use, and because the sync protocol that gives me a uniform auto-fill and access to all of my cross-device tabs is client-side encrypted.

_andrew
FAIL

Re: Please, Firefox, just go away already!

Don't think you're really grasping the concept of internet standards here. In fact, without Firefox it is likely that web standardization would grind to a halt, because it requires two independent implementations being shown to interoperate to form one. Most of the robustness of the internet (such as it is) comes from deliberately shunning monocultures.

I don't think that you're making a great case for JavaScript performance, either. How many years has it been since JavaScript performance was well and truly good enough? Many. Sure there are probably incremental gains to be had, and better performance translates to longer battery life, which is always a good thing, but the limitations to web performance these days aren't JavaScript performance, they're inherent network bandwidth/latency/protocol limitations and the cubic truckloads of pointless surveillance scripting that gets shoveled into pages to make sure that a real human looked at the ads.

I agree with the last comment though: it was a good article.

'Biggest data grab' in NHS history stuffs GP records in a central store for 'research' – and the time to opt out is now

_andrew

When the AUS government offered exactly this boon, a year or so ago, they made quite clear that they planned to share the data with all and sundry, and that such sharing would end up being a profitable business for them. Yeah, nuh.

Of course this sort of thing sounds brilliant in the abstract, in the "wouldn't it be great for medical research" context, but then you look at the spivs and blackguards who are devising and running the thing. And you think "this is the same mob that couldn't keep the cryptojackers out". And really, how far would you trust them?

Yes, the problems are trust and competence, and our respective governments aren't doing much to show themselves trustworthy or competent.

Microsoft unveils Rust for Windows v0.9, with 'full consumption support' for the Windows API

_andrew

Re: Is anyone using Rust for anything hefty?

Well apparently fairly significant chunks of Firefox are in rust now (and all of Servo), and Dropbox seem to have used it to scale up their synchronization thing: https://dropbox.tech/infrastructure/rewriting-the-heart-of-our-sync-engine

Each of those have a few users.

The quest for faster Python: Pyston returns to open source, Facebook releases Cinder, or should devs just use PyPy?

_andrew

Re: You don't always need speed

Many years ago I thought so too, and wrote an exploratory project in Python (a compiler, of sorts). It was so excruciatingly slow that I re-wrote it in another cross-platform dynamic interpreted language that happened to have a good JIT (Racket scheme) and was completely happy ever after. Python is OK for what it is, and as a general purpose wrapper for fast C code it's quite excellent, but it has some dynamisms that are particularly egregious for attempts to go fast, after the fact.

Google putting its trust in Rust to weed out memory bugs in Android development

_andrew

Re: If uninitialized variables really are 3-5% of errors

"Why didn't they change their code to initialize all variables when they are declared long ago?"

Because to a first-order approximation, the code in question is not "their" code. Most of these systems are enormous agglomerations of third-party open source libraries. Probably 80 or 90%. Sure, if you cared to look into that library you might fix it, but then you have a change against the up-stream that you have to track, or try to persuade the maintainer, if there is one, to wake up and accept it. Or publish it as a fork. Or merge your change back in when upstream does release a new version that changes something else. Ob xkcd: https://xkcd.com/2347/

Best not to look.

Facebook says dump of 533m accounts is old news. But my date of birth, name, etc haven't changed in years, Zuck

_andrew
FAIL

It could be worse

The extremely clever federal government in Australia is currently debating legislation that would require "social media" sites to access 100 "points" of identification data (passport, drivers license, birth certificate etc) on creation of accounts. Exactly the same sort of stuff (and the same amount) as required to open a bank account. Notionally it's in order to "prevent anonymous online bullying", but won't it be great when this sort of data leak includes all of that extra, juicy information!

Google's multi-platform app framework Flutter reaches version 2, expands to the web

_andrew

Re: The Dart part is a definite deal breaker

All of the prominent (modern) GUI layers have their own language now. On Apple products it's Swift (transitioning from Objective-C), on Windows it's essentially C#, although there are other options. On Android it's Java (transitioning to Kotlin). On the web (and that includes Electron apps on desktops) it's JavaScript. All of these have an FFI (Foreign Function Interface) escape hatch to C, so you can still nominally keep application logic separate and portable, but it isn't obvious that many people actually do that (you have to squint to see it for the web, but it's there in wasm and emscripten). Flutter is (supposedly) the native GUI layer for Fuchsia, so it isn't all that surprising that it has its own language too. Being cross-platform is a pretty good way to build up a library of applications that will be ready to run on Fuchsia, if it ever materializes.

Qt is keeping a cross-platform story going for C++, but it's clearly a lot of work, because Qt licenses are expensive (IMO).

Australia facepalms as Facebook blocks bookstores, sport, health services instead of just news

_andrew
Facepalm

Re: Screaming from the over-entitled masses

Doesn't have to be commercial news. The govt, Murdoch and Nine wrote the definition of "news" in the law so broad that they didn't think that FB or G would be able to escape it. It's basically "anything that Australians might find interesting". Doesn't even need to be in the public interest. Sport. Everything. Read the leg: it's on the web. FB's only doing what it can to follow the "else" clause, and not fit the definition of a company that can be arbitrarily blagged.

Facebook bans sharing of news in Australia – starting now – rather than submit to pay-for-news-plan

_andrew

Re: What is the Fuss ?

Google doesn't have the "friends and family sharing" business model to fall back on, that Facebook does, so they've gone the other way (it appears) and struck the necessary (they hope) deals. And they seem to be staying as a full-service search engine. Game's not over yet, so perhaps they'll change their mind, but the result looks workable to me.

Foundation thrillogy: Rust programming language gets new home and million-dollar spending account

_andrew

The blog is also (I think mistakenly) equating "popularity" with longevity. Or even positing "ubiquity" as the only stable place on the popularity curve. He went back to COBOL and Fortran as identifying niches, but the Lisp family (especially some of the schemes) are still kicking along, with many implementations and many users, just not as many as JavaScript.

LLVM did kick the language design business along mightily, IMO. Before LLVM you had to be prepared to write your own optimization passes and target the several interesting processor instruction sets, or do without either or both, or use something like C as an intermediate compilation step, an abstract assembly language. There are some interesting language constructs, like closures, that aren't easy to do from C, so that's a bit limiting (notwithstanding Chicken).

And now for something completely different: A lightweight, fast browser that won't slurp your data

_andrew

Where did you see webkit in that article? Seemed like a convincing story of a ground-up renderer that couldn't even do most of HTML until recently. Servo-style multi-threading is a strong anti-WebKit indicator IMO. Completely different idea. Yay for genetic diversity, IMO.

The revolution will not be televised because my television has been radicalised

_andrew
Meh

Re: The algorithms

The term "AI", as used here, is a bit grandiose, IMO. There's no "intelligence" involved. It's just an optimization process. A control system, if you will, but instead of an air conditioner being controlled, it's people. So it's a big, complicated control system, but it's just an optimization process. The trick with optimization processes is always around the definition of the goal.

Recent work on human intelligence has suggested that the ability to tell stories that aren't about immediately tangible things is the defining characteristic of Homo Sapiens, and is what separates us from the Neanderthals and Denisovans. It's how we create religion and motivate notions of tribal identity. We have a definite predisposition to create "explanations" for the things that happen, even the ones that "just happen". A bug in the wetware, perhaps.

Geekbench stats show Apple Silicon MacBook Air trouncing pricey 16-inch MacBook Pro

_andrew

Re: guessing

Pictures suggest that they're side-by-side on a carrier, like the HBM GPU memory of a few years ago, or the chiplets on AMD processors. I've read at least one comment that that is at least partly to avoid the differential-expansion problems that stacked combinations seem to suffer.

Apple now Arm'd to the teeth: MacBook Air and Pro, Mac mini to be powered by custom M1 chips rather than Intel

_andrew

Re: Confusing much?

More confusingly, there are a few extra half-steps in there. All of PowerPC, x86 and Arm have had architecture changes from 32-bit to 64-bit versions within those steps (32-bit Arm only on iPhone though). These sneak past because the hardware itself manages a lot of the backward-compatibility, so hardly anyone whinges, but they are extra instruction set changes that have to be handled by the OS and software ecosystem (compilers, developers, etc).

The upshot is that Apple developers are really quite good at it by now, after all that training.

Linux Mint pushes out its own Chromium build to help users avoid Canonical's Snap Store

_andrew

Re: Is this the year of Linux on the desktop?

Of course! What else are you going to run on your RPi 400? https://www.theregister.com/2020/11/02/pi-400/

_andrew

Re: No.

Moving to a Wayland + XWayland model seems to have a couple of nice advantages: you get the networking for the apps that can do that, and the X part doesn't have to concern itself with actually driving displays, which is the part that has been described as "abandonware".

That model clearly leaves the option open for _other_ network-aware protocols to slot in beside XWayland at the same time. I used to have a soft-spot for Display Postscript, and might even still have the manual somewhere. Or perhaps QNX Photon, or Plan9's 9P?

Remember when the keyboard was the computer? You can now relive those heady days with the Raspberry Pi 400

_andrew

Re: 4GB

While true, don't forget that the first few generations of "real workstations" that ran BSD-derived Unix had one thousandth the memory (and one hundredth the clock frequency). Clearly software bloat is still very much a thing. (Yeah, like running your browser in a VM image just because...)

SiFive inches closer to offering a true RISC-V PC: Latest five-core dev board includes PCIe, SSD interfaces

_andrew

Strip off the decoder...

Not especially likely, as that would expose micro-architectural details that you probably want to be able to vary from model to model, such as number and structure of pipelines and size of re-order/re-name buffers.

Has been done before though, twice: Transmeta did essentially exactly that, replacing the x86 decode logic with a software dynamic compilation system that targeted an in-order VLIW processor to do the work. Nvidia's "Denver" cores and follow-up (as seen in the Nexus-9 tablet and several of the car-AI modules) do a very similar thing but for an Arm source-instruction-set.

Both work nicely on loopy, numerical code, but quite poorly on large, non-loopy code like user interfaces, database engines and operating systems.

Interestingly, Dave Ditzel was involved in both of those designs, and is now founder of Esperanto, a RISC-V company.

Is Google fudging search rankings to benefit pages that embed YouTube vids? Or is this just another ‘bug’?

_andrew

Re: iframe and probably object/embed too

I'm in favour of anything that down-rates pages that have different-size advertisements that make the text that I'm trying to read jump up and down as they change and force page reformats. Not that I use search or ratings to get to most of the web, but if big-G can use its influence on the ones that do, then I'm for it.

Google screwed rivals to protect monopoly, says Uncle Sam in antitrust lawsuit: We go inside the Sherman parked on a Silicon Valley lawn

_andrew
Coat

The default search on the default browser on the default operating system on every PC...

... is not Google. Yes they have the mobile market mostly stitched up, but that happened long after they were established as far-and-away the best search option.

What do you imagine will happen if Apple are forced to stop accepting Google's placement coin for search defaults? I'd expect that the _only_ effect will be that Apple has to raise that extra revenue elsewhere, by putting up their prices: almost everyone will choose Google themselves, given the choice, because the alternatives are worse.

Worst outcome, I expect, will be the death of Firefox, which lives entirely on the income of that default search placement.

I remember the days of Yahoo! curated links and AltaVista. I'll choose Google any day.

After ten years, the Google vs Oracle API copyright mega-battle finally hit the Supreme Court – and we listened in

_andrew

Re: Declarations and implementations

Java doesn't have declarations, only implementations. The things that show up in javadocs that look like declarations are extracted from the .class files automatically. There _is_ no source file to claim copyright on in this case. The claim is over the structure and names of the base classes themselves, irrespective of their origin.

And to comment on a different topic up-stream: the fact that no-one has filed suit against GNU classpath is almost certainly that no-one cares, because it is costing no-one any assumed business. Or perhaps they will, once this case goes Oracle's way.

_andrew

Re: The case is about the APIs themselves

In Java there isn't any "API source code", as such: there is only implementation and the resulting .class files, and (pertinently here) the javadoc and interface description that can be mechanically extracted from the .class files. I'm pretty sure that that's what they're arguing about: the list of classes, methods and function names from the Java base library set. Names, arguments, structure. There isn't a source file with copyright notices on it, like a C header file. To be compatible, even a clean-room implementation would have to give you the same result.

_andrew

Re: The devel is in the details - Part II

As near as I can tell, this case does not turn on whether or not the APIs in question were a clean-room implementation or not. The case is about the APIs themselves, absent any implementation at all.

_andrew

Re: The devel is in the details

I think that you'll find that the border between "language" and API is fuzzier than you are making out. Not all programming interfaces exist just as function prototypes in a C-like syntax: some syntax is api. Every word in forth, smalltalk and lisp/scheme "languages" is a function API. Whether access to an API is by changing an instruction pointer value or a dialog in a particular serialised protocol (say, HTTP, or CORBA) is unlikely to make any significant difference to the principle at stake here. Sure, Matlab and SQL are languages, but they're also the APIs to a database and matrix engine, and within them there are both procedures and functions that have specific meanings. Now SQL has been standardized, but it originally belonged to IBM, and not all standards (even ISO standards) have free terms, let alone RAND, especially where patents are involved.

That OpenGL was open-sourced by SGI themselves may or may not be pertinent. Java was open-sourced by its creator too. Clearly the details do matter, but I think that reasonable people can disagree about the significance and meaning of specific details.

I'm not saying that there are impending court cases in any of these examples. Just pointing out that the activity in question is, in one form or another, common practice and has a long historical record.

If we're really, really lucky, the ruling on the current case will be narrow enough that we (other than google and oracle specifically) can go about our business as before.

_andrew

Re: If Oracle wins, you lose?

Off the top of my head, and without checking any of the details and original license terms:

Any non-SGI implementation of OpenGL, probably including both WebGL and the Mesa library.

Octave and/or whatever common library APIs they reproduced from Matlab.

Win32 and DirectX reimplementations in Wine and Crossover and ReactOS.

Probably every SQL database implementation, including Oracle's...

Every VT100 (or derivative) compatible terminal, including xterm.

The list is not small, when you think about it a bit.

US senators propose yet another problematic Section 230 shakeup: As long as someone says it on the web, you can't hide it away

_andrew

There was editorial before socials

It's never that simple though.

You're always going to have to support take-down orders to comply with little issues like the law of various jurisdictions.

Usenet had cancelbots and curated feeds.

Even at the raw IP level, whole networks used to be de-peered if they continued to host illegal (or just awful or inconvenient like spam) content, collateral-damage to co-hosted domains be damned.

There is always some "editing".

Facebook rejects Australia's pay-for-news plan, proposes its own idea: How about no more articles at all, sunshine?

_andrew

Re: Opening up for competition from others

Well I'm sure that Bing (Microsoft) are rubbing their hands in anticipation. The rule only applies to the named companies (Facebook and Google), not to search engines or social media in general. The treasurer has the power to add other companies to the list, but for now that's it.

Of course it won't actually make people use Bing: the default search engine on the built-in browser on the most popular operating system on PCs and nevertheless everyone goes out of their way to install Chrome and Google search. That has to be telling them something...

_andrew

Re: Klaatu Barata Nikto!

No, not content. Anything that smells like news, from anywhere, that an Australian might read. Links shared between friends count.

The stupid regulation was drafted in full knowledge of what happened in Spain and Germany, and they tried to be clever and write it in a way that would not just result in Australian news being dropped.

Relying on plain-text email is a 'barrier to entry' for kernel development, says Linux Foundation board member

_andrew

Re: Is setting up a non-shitty email client really that hard?

Apple Mail is perfectly capable of sending and displaying plain text email, and I'm fairly sure that the default is the correct option: reply according to the source message type.

The display or non-display of full email addresses in the composition bar is also an option: you could choose to show the whole thing to avoid your (own) confusion. What you see of email addresses when composing or reading has no relationship with what your recipients see: that will be up to their email clients and the settings that they've configured.

Apple Mail does have a couple of infelicities that I'd prefer it didn't: the "load remote content" switch is global; you can't train it that certain senders are OK but most aren't, and so the only safe way to operate (no automatic download of images) requires an extra click for the messages that you do want to see images in. It also has this "guess which outgoing account is most appropriate" mechanism, and I have also had it choose to send work email from my home account, and that in turn has been because I have the default real-name display turned on. It has improved a bit lately, in that it does display your full email address in the From: field when composing, but you still have to be paying attention if it guesses incorrectly.

That said, Apple Mail is still my favorite email client, by far. I never found its equal when I ran a Unix desktop, and don't know of anything comparable on Windows, either.

Australia to force Google and Facebook to pay for news and reveal algorithm changes before they whack web traffic

_andrew

Re: If you require them to tell you exactly what algorithm they use

The corollary of that argument is that similar regulation would be required for all web sites, to ensure that their "internet shop-front signage" was not lying. So trade-practices laws should apply to "SEO", and with any luck put the practice (mostly) out of business.

Seems much more likely that what would really happen is that the game would be over and we'd be back to search results as useful as those of AltaVista.

Be careful what you wish for...

Apple to keep Intel at Arm's length: macOS shifts from x86 to homegrown common CPU arch, will run iOS apps

_andrew

Re: Compatibility is gonna be a problem.

Might be a (small) problem for developers, but it won't be much of a problem for users. Apple has already trained developers that they need to keep up. Their cunning plan, over many years, is to stop un-maintained code from working at all. Ergo: all code that runs at all on a modern mac is actively maintained. And the next version will have Arm-supporting fat binaries.

_andrew

Re: Really?

Recent benchmarks on some sites have put the A13 in the iPhone 11 as faster than the latest MacBook Pro 13-inch. Definitely in the ballpark.

The Register has commented favourably about several server-grade Arm parts being installed by the rack-load in AWS, Azure and GWS, so the "Mac Pro" grade parts should be fine too (Apple's cores are stronger than the ones in those many-core parts).

And for aspiration, Fujitsu just pipped the Supercomputer list by a cool factor of two and a half, entirely based on Arm cores with the new SVE vector instruction set, not a GPU in sight.

Freed from the office, home workers roam sunlit uplands of IPv6... 2 metres apart

_andrew

Re: IPv6 by default

You know that actual firewalls work as a firewall too, it's not just NAT. My shiny new IPv6-capable router from the NBN update had the obvious firewall installed (no incoming connections), just like the NAT default. I'd be very surprised if any ISP's specified or supplied router came with no firewall. That would be mad.

HMD Global pokes head out of quarantine to show off 3 new Nokia mobiles

_andrew

Re: Shipping a new device with MicroUSB?

Never mind the power connector: look at the 28-day standby rating! That's back to what phones used to achieve, before they became "smart" and needed to be charged every night. If true, that's a major achievement, and almost worth giving up 5G and a 64MPixel camera for ;-)

WebAssembly gets nod from W3C and, most likely, an embrace from cryptojackers online

_andrew
Boffin

Re: More secure than Java how?

WASM is very like Java in many respects, but has a significant difference. That difference is very likely why it has taken it as long as it has to gain any kind of traction. The difference is that Java defined a fairly standard sort of standard library, with access to essentially all of the host operating system's resources. Java web applets nominally had a restricted set of APIs available, but they aren't all that restricted, and the big problem is that the libraries are huge, and implemented on top of (not-memory-safe) C and C++ code that turned out to be full of bugs that could be exploited. WASM has no standard libraries, and no object model. Indeed, it has no inherent access to _any_ APIs at all. It's just a blob of code that has access to a pre-allocated chunk of memory. All it can do is run its program when asked by the JavaScript attached to its host web page, which will have to extract the result from a chunk of raw shared memory set up for that purpose beforehand. So the only system access that WASM code has is through the host JavaScript.

At first, host JavaScript just did the specific things that WASM wanted, and it was fairly gnarly. Now though, various groups have gone to the bother of writing fairly sophisticated libraries of interface routines, function-calling mechanisms with argument marshalling and so on, so that fairly normal sorts of developments can in fact be done. But the restrictions are still those of the browser JavaScript, which although not unblemished is not bad at security. Essentially, the sandboxing is significantly stronger this time around.
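The capability model described in the comment above, as an added example that is not part of the original post: a hand-assembled module (constructed here; the names `host.notify`, `mem` and `run` are made up for illustration) whose entire reach is its own linear memory plus the one function the host JavaScript chooses to pass in.

```javascript
// Constructed WebAssembly binary. Text-format equivalent:
//   (module
//     (import "host" "notify" (func (param i32)))
//     (memory (export "mem") 1)
//     (func (export "run") (param i32 i32)
//       (i32.store (i32.const 0) (i32.add (local.get 0) (local.get 1)))
//       (call 0 (i32.load (i32.const 0)))))
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version 1
  // type section: (i32)->() and (i32,i32)->()
  0x01, 0x0a, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x02, 0x7f, 0x7f, 0x00,
  // import section: func "host"."notify" of type 0
  0x02, 0x0f, 0x01, 0x04, 0x68, 0x6f, 0x73, 0x74,
  0x06, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x79, 0x00, 0x00,
  // function section: one defined function of type 1
  0x03, 0x02, 0x01, 0x01,
  // memory section: one memory, minimum one 64 KiB page
  0x05, 0x03, 0x01, 0x00, 0x01,
  // export section: memory "mem", function "run" (index 1)
  0x07, 0x0d, 0x02, 0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,
  0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,
  // code section: store a+b at address 0, load it back, call import 0
  0x0a, 0x15, 0x01, 0x13, 0x00,
  0x41, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x36, 0x02, 0x00,
  0x41, 0x00, 0x28, 0x02, 0x00, 0x10, 0x00, 0x0b,
]);

// The declared imports are the module's whole capability surface:
// a reviewer can list them before any of its code runs.
function describeInterface() {
  const module = new WebAssembly.Module(WASM_BYTES);
  return {
    imports: WebAssembly.Module.imports(module)
      .map((i) => `${i.kind} ${i.module}.${i.name}`),
    exports: WebAssembly.Module.exports(module)
      .map((e) => `${e.kind} ${e.name}`),
  };
}

// If the host does not supply the import, the module cannot obtain it
// by itself: instantiation is refused with a LinkError.
function instantiateWithoutHost() {
  const module = new WebAssembly.Module(WASM_BYTES);
  try {
    new WebAssembly.Instance(module, { host: {} });
    return "instantiated";
  } catch (err) {
    return err instanceof WebAssembly.LinkError ? "LinkError" : err.name;
  }
}

// With the import supplied, every effect is visible to the host: the value
// handed to notify(), and the raw bytes the host reads out of linear memory.
function runWithHost(a, b) {
  const module = new WebAssembly.Module(WASM_BYTES);
  const seen = [];
  const imports = { host: { notify: (v) => { seen.push(v); } } };
  const instance = new WebAssembly.Instance(module, imports);
  instance.exports.run(a, b);
  // WebAssembly memory is little-endian; read the 32-bit word at address 0.
  const word = new DataView(instance.exports.mem.buffer).getUint32(0, true);
  return { seen, word };
}

console.log(describeInterface());
console.log(instantiateWithoutHost());
console.log(runWithHost(40, 2));
```

Listing `WebAssembly.Module.imports()` before instantiation is a cheap review step for third-party modules, since anything not in that list has to go through JavaScript glue the page author controls.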

Biting the hand that feeds IT © 1998–2021