Google has released a preliminary software development kit for Native Client, its native-code browser plug-in. The company unveiled its Native Client SDK "developer preview" with a blog post on Wednesday, calling it "an important first step in making Native Client more accessible as a tool for developing real web applications." …
The Portable Native Client project - aka PNaCl, pronounced 'pinnacle' - uses the Low Level Virtual Machine (LLVM) bitcode format. The idea is to compile C, C++, and other languages into LLVM bitcode that allows for client-side translation into the client's native instruction set.
That kinda describes java, doesn't it (that is without the language and without the inherent convenience when compared to C/C++)? Yet another virtual machine architecture, how is that new/different? (other than the fact that it would be controlled by Google as opposed to Oracle).
Here's to Larry with hopes that he will put Java back in the game. Loved his remarks regarding Schwartz's blogtastic performance.
LLVM is not a VM
Easy mistake to make, but LLVM is more akin to a compiler backend than a VM per se. It offers compilation from bitcode to assembly on multiple platforms. You can do this JIT or up-front, as you wish. LLVM doesn't force any other options e.g. garbage collection. And LLVM is pure open-source, used all over, and not controlled by Google. It's the most open standard there is for this sort of thing.
It kind of describes p-code, doesn't it, which predates Java by decades.
The advantage of NaCl is that you will be able to compile most reasonably cross platform code to work with NaCl, with relatively little effort, once some of the cross-platform GUI/graphics libraries are ported to it, e.g. OpenGL, wxWidgets, Qt. This means that countless Linux programs could be made to work with little effort. No doubt Google will use it to deploy office apps to PCs running Chrome OS.
Compared to Java, the chief advantage is that it is native code, and thus there is no translation/interpretation step. In addition, there is a lot more existing code written in C/C++ than java.
Beating the Crap out of MS
"That kinda describes java, doesn't it (that is without the language and without the inherent convenience when compared to C/C++)? Yet another virtual machine architecture, how is that new/different? (other than the fact that it would be controlled by Google as opposed to Oracle)."
Only "kinda". LLVM does not mandate an academic memory model like the JVM does. You *can* have any type of variable allocated on the stack, you can have destructors and you do not need Garbage Collection. Arrays do not need to be arrays of pointers. And this list is the core reason for C/C++ being so much more efficient than "managed" languages.
Netscape and SUN botched it, but Google now has the technology at their hands to give Microsoft a really, really hard time. Imagine Google Docs using client-side code which runs at native speed. Imagine a flight simulator being run inside a webpage. Imagine collaborative CAD applications without the need to go through install orgies. Imagine running photoshop inside a web page.
Imagine having to download Photoshop every time you pointed your browser at that web page.
Er, imagine having a cache in your browser that stores objects locally (what a novel idea). Your browser checks that the version of Photoshop you downloaded last time is up to date when you point your web browser at that web page, and uses that if it is, only downloading anything if an update is available.
This is just one stone's throw from ActiveX, even if it is essentially virtualised and has a smidgeon of security tied to it.
How long before somebody writes an LLVM virus, as I'm sure Native Client will be bullet proof on day of arrival! ;-)
Then again I may be wrong - prove your worth Google.
How about some standardisation?
We could call it p-code, bytecode or something more wordy like "Common Intermediate Language (CIL)".. but then it would be obvious that this was just repeating other initiatives.
They should have used niblecode and saved bitcode for the next iteration
Ok ...let's cut to the chase and quit pratting around like Virgin Fairies in the Perfumed Garden
"Google is obsessed with moving all applications into what it insists on calling the cloud,..."
And what would you rather call it, Cade? A free and ubiquitous, ridiculously easily accessed, invisible and intangible, collective executive administrative vault?
Methinks cloud, which can easily be thought to be an instrument and facility in any and many of its possible iterations [CLOUD/Clouds/CLoud/C##LOUD] is much more appropriate even if it is beautifully ambiguous ..... which is a very fine form of superior security for sensitive subjective applications/sublime programs and/or subversive projects ...... with the one being the same as the other and delivering something else, completely different, which is what Quantum Communication Control brings to the Future and Private and Pirate Parties Playing in the Public Space and ITs Cyber Places.
And just in case anyone doesn't yet know of the Essence of Quantum, this is as clear and as simple an explanation of its bits and infinite flexibility as you are ever likely to get ....... "A qubit has some similarities to a classical bit, but is overall very different. Like a bit, a qubit can have two possible values—normally a 0 or a 1. The difference is that whereas a bit must be either 0 or 1, a qubit can be 0, 1, or a superposition of both." ..... http://en.wikipedia.org/wiki/Qubit
How about 'the internet', or 'someone else's server(s) so they can scan and index all of your data'. Those work for me.
The term 'cloud' likely comes more from the fact that people often use a cloud-like bubble on technical drawings to describe the internet. I wouldn't see it any other way.
Just call it the 'Internet'. Like, you know, we have been doing since the internet's inception. See what I did there?
Don't expect NaCl apps to be able to use Qt or other libraries that contain system calls. The security of this system depends on the "sandbox" concept and libraries like Qt do not (yet) fit properly into this. With some major effort, this would certainly be doable, though.
Or, you could realize that it is a stupid thing to do, and proceed to build a real, native video editing application for a real, local (read: offline) platform.
I think it is very unfair to compare NaCl to ActiveX. The latter only had code signing as a security mechanism. Also, afaik, world&dog could run *other people's* ActiveX applets for their nefarious purposes.
NaCl uses a very simple approach to security:
1.) No system calls allowed (good code must go through Google-created wrapper code)
2.) All jump targets are aligned to 32-byte boundaries.
2.2) Jumps can only target 32-byte boundaries
3.) Some other dangerous instructions are prohibited.
These properties make NaCl verifiers very simple. Consequently, it will be feasible to create correct implementations. The technical concept is very simple and very solid.
Having said that, it would definitely not hurt to use additional mechanisms like AppArmor/SE Linux or BSD Jails to add a second layer of defense. It seems there is nothing equivalent on Windows as of today. IE8 has something like it, but MS has not made it publicly accessible for other programs, including other browsers.
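A toy verifier for the rules listed in the comment above, added here as an illustration; it is not Google's validator and not code from the thread. It accepts only a four-opcode x86-32 subset, and the no-straddle check is an assumption added so that every 32-byte boundary is guaranteed to be an instruction start.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUNDLE 32 /* alignment unit from rule 2 */

enum verdict { V_OK, V_UNKNOWN, V_SYSCALL, V_STRADDLE, V_BAD_TARGET, V_TRUNCATED };

/* Allow-list for a tiny x86-32 subset; 0 means "not allowed" (default deny). */
static size_t insn_len(uint8_t op) {
    if (op == 0x90) return 1;               /* nop */
    if (op == 0xEB) return 2;               /* jmp rel8 */
    if (op == 0xE9) return 5;               /* jmp rel32 */
    if (op >= 0xB8 && op <= 0xBF) return 5; /* mov r32, imm32 */
    return 0;
}

/* One linear pass from offset 0: each byte belongs to exactly one decoded instruction. */
enum verdict verify(const uint8_t *c, size_t n) {
    for (size_t off = 0, len = 0; off < n; off += len) {
        uint8_t op = c[off];
        if (op == 0xCD) return V_SYSCALL;                    /* int imm8 */
        if (op == 0x0F && off + 1 < n && (c[off + 1] == 0x05 || c[off + 1] == 0x34))
            return V_SYSCALL;                                /* syscall / sysenter */
        if ((len = insn_len(op)) == 0) return V_UNKNOWN;
        if (len > n - off) return V_TRUNCATED;
        /* Assumed rule: no instruction crosses a bundle boundary. */
        if (off / BUNDLE != (off + len - 1) / BUNDLE) return V_STRADDLE;
        if (op == 0xEB || op == 0xE9) {                      /* direct jumps */
            int32_t rel = (op == 0xEB) ? (int8_t)c[off + 1]
                : (int32_t)(c[off + 1] | (uint32_t)c[off + 2] << 8 |
                            (uint32_t)c[off + 3] << 16 | (uint32_t)c[off + 4] << 24);
            int64_t target = (int64_t)(off + len) + rel;
            if (target < 0 || target >= (int64_t)n || target % BUNDLE) return V_BAD_TARGET;
        }
    }
    return V_OK;
}

/* Constructed 64-byte sample (two bundles of nop) with a few instructions patched in. */
enum verdict demo(int variant) {
    uint8_t code[64];
    memset(code, 0x90, sizeof code);
    code[0] = 0xEB;                          /* jmp rel8 ...                      */
    code[1] = (variant == 1) ? 0x1F : 0x1E;  /* ... to offset 33 (bad) or 32 (ok) */
    code[32] = 0xB8; code[33] = 0xCD; code[34] = 0x80; /* mov eax, imm32; imm holds cd 80 */
    if (variant == 2) code[30] = 0xB8;       /* mov at 30 would cross offset 32   */
    if (variant == 3) { code[40] = 0xCD; code[41] = 0x80; } /* int 0x80 in plain sight */
    return verify(code, sizeof code);
}
```

`demo(1)` is rejected because its jump lands at offset 33, inside the `mov` immediate where the bytes `cd 80` sit; the linear pass never decodes those bytes as an instruction, so only the alignment rule catches it.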
I take your points, but I don't know of a single internet service (or any system) that is bullet proofed, let alone one that's bulletproofed from day one, and saying it's simple so it must be easier to secure is indeed quite a feasible concept, but ultimately untrue.
Just take pretty much every major web service, the simple fact that they are popular is enough for hackers to invest a lot of time into breaking into them just because cracking 1000 email addresses might bag them one credit card number, or full person profile for info theft - no system is perfect, even GMail accounts have been broken into.
Take for instance a pretty resistant (to hacking) system like the PS3, it has been compromised despite the copious Cell chip code signing and all the other protective measures taken. Google have a way better track record than Sony, MS, Apple etc, but it's not spotless.
I'd give it six months tops, from Chromium OS proper release to a black market posting online somewhere on how to create spam-zombie-bots using Chromium OS systems.
I am somewhat uneasy about this.
So the downloaded code runs within the browser...
I wonder how difficult it would be for some malicious code to subvert the actual browser.
One suggestion to mitigate against this obviously is to only run over the wire java, flash etc in a machine, virtualised or otherwise you can afford to let get compromised. And assume that this is always the case, that it is compromised. This is the approach I favour. I use said machine to game, run all the dodgy stuff etc.
I am guessing I will never ever install chrome on any machine I would imagine I would even actually begin to depend on.
I might allow LLVM...
But executing some x86 blob compiled for fecking C? At least with JS the hackers are looking for holes to exploit, not a shotgun already pointing at your head - was your nads, but we had a bit of stack overflow/array barf into some data area that just happened to hold some data suspiciously looking like a syscall instruction...
With the ample evidence of exactly how companies treat their customers, if the internet is available to them, coming out of the games industry why would people want to use any internet-based services for applications that cost? (And yes, I include Google's services and applications, they cost quite a bit even if it isn't in direct cash).
Look at Ubisoft and EA Games. How long until you can't use an application without your card being automatically charged, or you being denied access to an application because you aren't connected to the internet for them to monitor what you're doing. Worse, what happens when the companies screw up and you've made payments but never received the service in return? Consumer legal recourse to claim anything back is not only difficult (almost impossible when the company's team of lawyers join in) but pretty much a non-happener when the company is international and you can't chase down anyone in your country bound by the country's laws.
I like to buy software and use it on my computer. I like to unplug the network and keep playing my game, typing my documents, listening to my music, watching my video, etc.
"Native Client - NaCl for short"
or Salt as they call it round here.
If you have time, look at the youtube videos on NaCl. The whole concept is very simple and elegant.
Having said that, certainly it will have some security issues, like any new software.
"Or, you could realize that it is a stupid thing to do, and proceed to build a real, native video editing application for a real, local (read: offline) platform."
HTML5 will have local storage (ala Google Gears) and a proper NaCl implementation will of course cache downloaded and verified executables for quick startup. Also, your application components could be loaded in a modular, incremental fashion whenever you need another feature or piece of data.
Soon you will have 100Mbit Internet in your home. That will change a lot about our perception of "online" and "offline".
Also, NaCl could be used in intranet scenarios to distribute code for a company. Instead of installing that CATIA for an hour, you would just point your browser to http://cad.mycorp.eu and start modifying the airliner you work on. All updates and admin stuff done by your corporate IT folks.
"Soon you will have 100Mbit Internet in your home."
I've heard that one before -- circa 2000, if I am not wrong.
Native and offline
I don't think Google's dream of cloud only computing will come to pass. There will always be people that want to use offline applications on a cloud independent operating system. (Hopefully that will always be a version of Windows.)
If nothing else, then the black markets, underground activities and good old media piracy will ensure there is always a demand for offline computing option for the masses. If everything legitimate moves to the cloud, then expect a shadow cloud to be formed for those of us that want the internet to work the way it does currently.
Non-Portable Native Client
So if there's a 'Portable' Native Client, doesn't that make the normal one the 'Non-Portable' Native Client? I cannot understand how they think distributing binaries compiled for a select few machine architectures is suitable as a web standard. Even the ARM port they're doing will only work on a few select ARM architectures - it won't even work on Cortex 'M' chips.
And yes, the LLVM version is basically Java, only a bit 'lite'. History repeating.
ActiveX or Flash?
Sounds like googlesoft / microogle nonsense to me.
Looking at the evolution of the company, and the more and more ludicrous stuff that it's getting itself involved with, I'd say that sooner or later we'll see a new upstart company coming along to take the throne. Looking forward to it.
When are google going to start games manufacturing?
I remember times when...
....ability to run machine code from a website was called a bug. Now they tell me it's a feature?
Hmmm, what's the point
Why doesn't Google just push the whole idea of the network computer (Great Idea BTW) 'cause this is where this is heading. Still not clear why they just simply didn't shift the focus to enhance Java Applet type model.
"Still not clear why they just simply didn't shift the focus to enhance Java Applet type model"
Maybe that is because there are systematic reasons for the low performance of Java and .Net ? Garbage Collection, only pointer/primitive arrays, no objects on the stack, no destructors and so on ?
In a lot of places in Germany you can already get 100Mbit/s over the TV cable:
According to a friend of mine, one actually gets those 100Mbit/s.