Feeds

Google 'Arctic Sea' – Chrome native code, ahoy!

Mozilla spies 'threat' to interwebs future

Combat fraud and increase customer satisfaction

Google has released the first official version of the software development kit for Native Client, its controversial plug-in for running native code inside the browser.

In a blog post, Google product manager Christian Stefansen called the release an "important milestone" in Google's efforts to make native code as portable and secure as JavaScript. "A big goal of this release is to enable developers to start building Native Client modules for Chrome applications," he said.

According to the release notes, the SDK is now known as "Arctic Sea". This is a departure from the project's usual household condiments theme. Google refers to Native Client as NaCl, and it uses a new plug-in interface called Pepper.

The project is designed to speed the performance of web applications, allowing apps coded in, say, C or C++ to be securely transfered over the web and executed inside the browser. JavaScript still lags behind the performance of native code, and Google is keen to work around it. The plug-in is also an "important part" of Google's upcoming Chrome OS, which only runs web-based applications.

"While the [Chrome] team has made JavaScript tremendously faster over the last two years, there's a lot of applications out there that have existing audiences that are [written in native code, such as C and C++], and there are a few that are specialized applications that need every last bit of performance the hardware can offer," Google engineering director Linus Upson told us in December. "Native Client is a way of addressing both those issues."

But the project doesn't sit particularly well with Opera and Mozilla and others who have a particularly strong belief that web applications should adhere to open industry standards. "Our mission is to promote an Open Web Platform which is the most compelling environment for modern applications," Mozilla says in a draft of its 2011 Firefox roadmap.

"Increasingly this vision is being threatened by application development models which bypass the Web in favour of directly connecting with Internet based resources in closed proprietary models." These models, the Mozilla roadmap says, include "plug-in balkanization" by the likes of Adobe Flash, the royalty-encumbered H.264 video codec, and, yes, Google's Native Client.

When we asked Google's Linus Upson about such objections to the technology, he pointed out that Native Client is open source. This really didn't address the issue. But he then expanded his defense, saying that in Google's conversations with Opera and Mozilla, the browser makers praised Native Client's design, and Upson believes they will eventually use it.

"We're starting to use Native Client internally in Chrome to help secure more and more of the browser. I wouldn't be surprised if more and more browser vendors do the same," he said. "What Native Client can do is to make it so that if you write a bug in your code – we all write bugs – it doesn't become a security vulnerability. It's an additional later of security."

Native Client is designed to ensure that each application module meets a set of structural criteria for dissembling instructions, and that it can't contain certain instruction sequences. Plus, it uses the new Pepper plug-in API, an update to the Netscape Plug-in Application Programming Interface (NPAPI) still in use with browsers like Chrome and Firefox.

"[NPAPI] is loosely specified, limited in capability and varies across browsers and operating systems. This can lead to incompatibilities, reduction in performance and some security headaches," Google has said. "[Pepper] aims to address the shortcomings of the current browser plug-in model."

Upson also believes that although Native Client is outside today's web stack, it can maintain the sort of webiness Mozilla wants. "When it comes to running programs over the web in Native Client, we're very sensitive to maintaining the qualities of the web that have made it so successful," he said.

"One of those things is that you can write applications that can run on any computer. One of the reasons we haven't widely deployed Native Client so far is we're working on something called Portable Native Client, so you're not tied to any one particular instruction set, so people can build whole new CPUs, whole new chip architectures, and [applications] won't get tied to those."

Portable Native Client – PNaCl, pronounced "pinnacle" – is a way of distributing portable versions of Native Client executables across all processors. Currently, Native Client works only with 32-bit and 64-bit x86 processors. PNaCL is designed to compile C, C++, and other languages into the Low Level Virtual Machine (LLVM) bitcode format, which allows for translation into the client to translate the code into its own native instruction set.

But for this to work across the web, browsers makers must also build the Native Client into their browsers. At the moment, the plug-in is only available with Chrome. It's turned off by default, but you can turn it on using the browser's "about:flags" dialog.

The Arctic Sea Native Client SDK includes new Pepper interfaces for compute, audio, and 2D Native Client modules – these are "close" to stable, according to Google. The company says it has beefed security as well, improving the auto-update mechanism (for making changes to the plug-in itself) and the outer sandbox (which works alongside an inner sandbox). In the "coming months," Google adds, it will add APIs for 3D graphics, local file storage, WebSockets, peer-to-peer networking, and more.

The Pepper plug-in interface is also used by the version of Adobe Flash that's now bundled with Chrome – and when Google first announced its Flash embrace, it described both Adobe and Mozilla as backers of the technology. "We are working with Adobe, Mozilla and the broader community to help define the next generation browser plug-in API," Google said in a blog post.

But not long after this announcement, Mozilla chief technology officer Brendan Eich told The Register that the open source outfit has "no official position on Pepper."

"We work by consensus in most standards bodies, including informal ones such as plugin-futures, where consensus means general agreement. Until and unless Pepper achieves consensus, it's not accurate to say that Mozilla or anyone else is 'on-board with ... Pepper,'" Eich said.

Google may see Native Client as the future of the high-performance web applications. We suspect it's even using the technology to build a new version of its Google Apps office suite. But the rest of the web may see things very differently. ®

High performance access to file storage

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.