Google 'Arctic Sea' – Chrome native code, ahoy!
Mozilla spies 'threat' to interwebs future
Google has released the first official version of the software development kit for Native Client, its controversial plug-in for running native code inside the browser.
According to the release notes, the SDK is now known as "Arctic Sea". This is a departure from the project's usual household condiments theme. Google refers to Native Client as NaCl, and it uses a new plug-in interface called Pepper.
But the project doesn't sit particularly well with Opera and Mozilla and others who have a particularly strong belief that web applications should adhere to open industry standards. "Our mission is to promote an Open Web Platform which is the most compelling environment for modern applications," Mozilla says in a draft of its 2011 Firefox roadmap.
"Increasingly this vision is being threatened by application development models which bypass the Web in favour of directly connecting with Internet based resources in closed proprietary models." These models, the Mozilla roadmap says, include "plug-in balkanization" by the likes of Adobe Flash, the royalty-encumbered H.264 video codec, and, yes, Google's Native Client.
When we asked Google's Linus Upson about such objections to the technology, he pointed out that Native Client is open source. This really didn't address the issue. But he then expanded his defense, saying that in Google's conversations with Opera and Mozilla, the browser makers praised Native Client's design, and Upson believes they will eventually use it.
"We're starting to use Native Client internally in Chrome to help secure more and more of the browser. I wouldn't be surprised if more and more browser vendors do the same," he said. "What Native Client can do is to make it so that if you write a bug in your code – we all write bugs – it doesn't become a security vulnerability. It's an additional later of security."
Native Client is designed to ensure that each application module meets a set of structural criteria for dissembling instructions, and that it can't contain certain instruction sequences. Plus, it uses the new Pepper plug-in API, an update to the Netscape Plug-in Application Programming Interface (NPAPI) still in use with browsers like Chrome and Firefox.
"[NPAPI] is loosely specified, limited in capability and varies across browsers and operating systems. This can lead to incompatibilities, reduction in performance and some security headaches," Google has said. "[Pepper] aims to address the shortcomings of the current browser plug-in model."
Upson also believes that although Native Client is outside today's web stack, it can maintain the sort of webiness Mozilla wants. "When it comes to running programs over the web in Native Client, we're very sensitive to maintaining the qualities of the web that have made it so successful," he said.
"One of those things is that you can write applications that can run on any computer. One of the reasons we haven't widely deployed Native Client so far is we're working on something called Portable Native Client, so you're not tied to any one particular instruction set, so people can build whole new CPUs, whole new chip architectures, and [applications] won't get tied to those."
Portable Native Client – PNaCl, pronounced "pinnacle" – is a way of distributing portable versions of Native Client executables across all processors. Currently, Native Client works only with 32-bit and 64-bit x86 processors. PNaCL is designed to compile C, C++, and other languages into the Low Level Virtual Machine (LLVM) bitcode format, which allows for translation into the client to translate the code into its own native instruction set.
But for this to work across the web, browsers makers must also build the Native Client into their browsers. At the moment, the plug-in is only available with Chrome. It's turned off by default, but you can turn it on using the browser's "about:flags" dialog.
The Arctic Sea Native Client SDK includes new Pepper interfaces for compute, audio, and 2D Native Client modules – these are "close" to stable, according to Google. The company says it has beefed security as well, improving the auto-update mechanism (for making changes to the plug-in itself) and the outer sandbox (which works alongside an inner sandbox). In the "coming months," Google adds, it will add APIs for 3D graphics, local file storage, WebSockets, peer-to-peer networking, and more.
The Pepper plug-in interface is also used by the version of Adobe Flash that's now bundled with Chrome – and when Google first announced its Flash embrace, it described both Adobe and Mozilla as backers of the technology. "We are working with Adobe, Mozilla and the broader community to help define the next generation browser plug-in API," Google said in a blog post.
But not long after this announcement, Mozilla chief technology officer Brendan Eich told The Register that the open source outfit has "no official position on Pepper."
"We work by consensus in most standards bodies, including informal ones such as plugin-futures, where consensus means general agreement. Until and unless Pepper achieves consensus, it's not accurate to say that Mozilla or anyone else is 'on-board with ... Pepper,'" Eich said.
Google may see Native Client as the future of the high-performance web applications. We suspect it's even using the technology to build a new version of its Google Apps office suite. But the rest of the web may see things very differently. ®
Sponsored: 2016 Cyberthreat defense report