WebAssembly is an open source runtime developed under the governance of a W3C Community Group [0]. The binaries that get sent over the wire are simply more efficient ways to pack existing types of code. We will soon have a textual encoding that makes modules easy to introspect [1] and we have a long list of tooling plans to make sure that the web stays open and debuggable [2].
I think the idea is that WebAssembly apps will normally be closed-source, but browsers will ship with disassemblers, making it easy to inspect the app logic in a common text format.
Then every exe file is open-source, because we have disassemblers. Don't lie to yourself: webassembly is for closed-source applications. They will be compiled by an obscure compiler, so dissassembling back to logical code will be too costly to be practical.
We saw this many times: for v1, disassembler works perfectly and maps 1:1 from binary to code, but for version xxx.0 it's no longer true, because of various tricks and optimizations.
No one's saying wasm apps will be open source, just that there will be a reasonable way to inspect their logic. Of course making sense of certain wasm apps will be challenging. JS code can be hard to follow as well, if it was generated by a tool like GWT, or minified, or obfuscated.
I am agree, that wasm will be on par with generated/minified JS right now, but I predict that wasm will beat JS in future versions. My prediction is based on experience. It is very easy to introduce a binary thing which is hard to map to flat text. I.e. first version of wasm will be 1:1 map to JS, but NEXT versions of wasm will introduce optimizations, which are quite possible in compact binary format but are not possible in flat text format, so 1:1 map from wasm to JS will be broken.
Even if it's easier to obfusfate WebAssembly, does that matter? If you run the 2MB+ JS libraries in se today through uglify.js it becomes almost impossible to understand the macrostructure just by reading the code.
It's only through dynamic tools that we can even begin to understand minified JS today. Those are actually quite excellent: just try by starting the react or relay tools on facebook.
That ecosystem is hopefully not changing, so what remains is simply that the format is now binary. I agree that that makes me somewhat uncomfortable but realistically it doesn't really change anything.
We should make sure that browsers refuse to run any code in the future that isn’t available in its full source.
Yes, that includes ReCaptcha
/me looks angrily at Google