[BrendanEich]

You are still being free with accusations of spreading misinformation and other evils. If you want to have a real exchange, cool it! Just try to imagine how a hardball from me casting aspersions on you for suspected bad or unfair (to Mozilla; "fair" to Google) motives might feel.

Thanks for the PNaCl pointer. My comment was based on LLVM bitcode having machine word size dependencies. This was an issue a while ago. I should have checked to see if it remained one.

This correction doesn't alter the general unreadiness of PNaCl for the web, on several fronts. Pepper is one, but PNaCl performance lagging NaCl is another. The Chrome Web Store features games ported via NaCl, for performance -- not PNaCl, which would be significantly slower. On this basis alone, it's premature for you to push PNaCl ahead of Google.

> This is a far more reasonable and compelling story.

Well, gee, thanks a ton! :-|

I've been telling this story clearly since Fluent in May. That you chose not to hear it and instead flung accusations and told sob-stories about big bad Mozilla is your doing, not mine.

Here's a final clue: all browser vendors, definitely including Chrome, make the rule (not an argument) "no one gets to the machine except through our VM(s) and GC(s)" -- outside of a few dying plugins, which are even source-licensed and co-released.

And that brings back my final point: NaCl is for safer plugins, which are OS-specific anyway. The likeliest evolution of SFI or CFI enforcing compilers and runtimes as plugin hosts is via the OS, not the browser. Write a letter to Microsoft and Apple, not to Mozilla!

[haberman]

If I sound argumentative and fired up, it's because I feel like Mozilla has been casting stones on this issue for years. Imagine how you would feel if Google executives were publicly criticizing Mozilla efforts like Persona, arguing that they would never support them and no one else will either, basing their criticisms on issues that you are actively fixing.

(For what it's worth, Persona looks promising to me personally, and I also like Rust very much, a lot more than Go. I say this to demonstrate that I'm not just a Google partisan and that I admire a lot of what comes from Mozilla).

I am much happier to discuss this dispassionately on a technical basis. I'm much happier if I don't have to argue against what to me are very unfair accusations, like being as proprietary as Silverlight.

> Here's a final clue: all browser vendors, definitely including Chrome, make the rule (not an argument) "no one gets to the machine except through our VM(s) and GC(s)"

I don't understand the argument you are making, (P)NaCl are specifically designed to allow execution of untrusted code without making it run on top of a VM or GC. And (P)NaCl executables are OS-independent. I don't understand what you're getting at here.

[dmorgan]

>(P)NaCl are specifically designed to allow execution of untrusted code without making it run on top of a VM or GC

And this is the argument he's making: that does not fly by browser vendors. They DON'T want to have code run OUTSIDE their VM/GC.

[BrendanEich]

Thanks for the support, but that's not what I meant. NaCl + Pepper is like a VM where the compiler does the heavy lifting so the native code can run safely (Software Fault Isolation, SFI -- wild pointers lead to a safe non-exploitable crash), rather than a JITting or MMU- or hypervisor-based VM doing the heavy lifting at runtime.

It's quite clever, but still enough of a new thing that Chrome also sandboxes NaCl'ed code out of process. Belt and braces are good. No silver bullets.

But a VM is as a VM does. This is part of Google's VM-set and not any other browsers. The rule still applies.

Truly unsafe native code in plugins (e.g., un-NaCl'ed Flash) runs out of process too, and sandboxed to some extent, but it can cause problems that are not contained (and did at the last CanSecWest Pwn2Own contest, IIRC).

[haberman]

He said "including Chrome." Chrome supports NaCl. This does not compute.

[BrendanEich]

It's not hard: Chrome sandboxes NaCl'ed code and links it against a runtime, Pepper. That's a "VM" by any other name.

[aplzrtve]

These are shallow arguments: * pepper is "inspired" by nsapi, clarify your point. * PNaCl performance lagging isn't a solid argument, you know it'll get better, the solution might even be to cut LLVM out save for bitcode. * "nobody does this at the moment" so why does it belong in the OS?

[BrendanEich]

In reverse order:

* Why in the OS? I didn't say "belong", just "likelier". That is because plugins are native code compiled by OS-dependent toolchains, and OS vendors are few (three that matter) and lock up native code these days via SDK licenses, app store rules, and even kernel-level restrictions.

In contrast, there are four or five competitive browsers, only one of which has Pepper and the rest do not -- and will not.

* I do not know how much better PNaCl can get. The shallow argument here is your assertion that "you know it'll get better". The same could be speculated about JS performance at Emscripten-generated code, and that works cross-browser. That's the cross-browser path of least resistance, compared to the practically unpassable Pepper barrier.

* Pepper is "inspired" by lots of APIs, but here the shallow shoe fits your new-HN-user drive-by. NPAPI is a sunk cost all browsers save modern IE have paid out for years. Pepper is new and much bigger. Have you even read all the interfaces?

The bottom line is that whatever PNaCl performance wins may lie in the future -- and I will believe them when Google does as shown by Chrome Web Store games being PNaCl'ed not NaCl'ed -- Pepper is the blocker for any cross-browser adoption in reality.

This ignores principled objections to more native code on the web, as a "social ill". Let's take that up separately, because it could override any technical argument. I'm happy to stop on the Pepper point for now, since Google manifestly is stuck there.

[aplzrtve]

Why differentiate plugins? What makes a VM with JIT not a plugin save the browser vendor shipping it with the browser?

Why wouldn't other browsers have Pepper?

Compilers are as good as what they've been tuned for. In my view PNaCl's shortcoming is startup time because it lacks a JIT and LLVM's back end is too slow for now. Speed up the backend or JIT code and you'll get close to GCC performance while being portable and somewhat language agnostic.

Yes I have seen pepper, and most of the interface relates to the GPU. How is sunk cost better, when a big part of the API can be backed by what canvas relies on?

You would consider adopting PNaCl and pepper in FF if there were games that targeted them? If the code were contributed to Mozilla?

What do you mean by "more native code"? Can't view source?

I appreciate the answers.

[dmorgan]

>Why differentiate plugins? What makes a VM with JIT not a plugin save the browser vendor shipping it with the browser?

I think you answered your own question with the "save" part.

The vendor shipping it with the browser means it controls it, it has responsibility for it, it secures it, and it allows it. End of story.

>Why wouldn't other browsers have Pepper?

JS is a necessity for a web browser/vendor, and is already present in it. Pepper is not, and there are NO signs it will be. Do you see any movement towards adoption as of now? I see the opposite, the abandonment of even old style plugins.

[aplzrtve]

I'll rephrase: why is any new VM to be relegated to the OS? The presence of incumbent VMs?

JS is an incumbent. Pepper is similar to nsapi, and has nice features which are compatible with HTML5's implementation (as in canvas). Saying it shouldn't be adopted because Nobody is adopting it is circular.

What are old-style plugins? Anything not JS?

[BrendanEich]

I said clearly why Pepper is not being adopted: it is a gigantic pile of API and implementation specified only by the C++ in chromium.org svn. Other browsers cannot port all that OS and WebKit glue code except at very high cost, direct and opportunity -- and even then on a bet that Pepper + NaCl wins, and again on a treadmill far behind Chrome.

Do you actually work on a browser codebase? If so, have you worked on competing browsers' codebases at all? Do you begin to see the problem? It's not quite Active X (open source is a small help), but it's on that slope and uphill only a bit.