cap-std VS wasmtime

I believe you mean capability based, like cap-std.

There might be another reason to prefer async-std right now: the Bytecode Alliance is working on a version of std with support for capability-based security (called cap-std: https://github.com/bytecodealliance/cap-std ), and their async version is based on async-std (called cap-async-std: https://github.com/bytecodealliance/cap-std/tree/main/cap-async-std ). Given the clout that the Bytecode Alliance has, async-std might end up carving a niche out in the Wasm domain.

Would love to see something like this implemented around creating a Process in cap-std ( https://github.com/bytecodealliance/cap-std/issues/190 )

I think it's not discussed enough how things like language features shape how library APIs are formed. People usually seem to only consider the question "how would I use this feature?" and not "how would the standard library look like with this feature?", which is surprising given how much builtin libraries affect the pleasantness of a language.

One of the things I'm excited to see is the cap-std project for Rust [0] given what Pony [1] has demonstrated is possible with capabilities. I'm also hoping that languages like Koka [2] and OCaml [3] will demonstrate interesting use cases for algebraic effects.

[0] https://github.com/bytecodealliance/cap-std

[1] https://www.ponylang.io/discover

[2] https://koka-lang.github.io

[3] https://github.com/ocaml-multicore/effects-examples

I'm not sure you could hack the control flow when running bytecode on the JVM, but I strongly doubt that. (The JVM is "high-level" as pointed out previously and doesn't execute ASM like code. So there is no of the attack surface you have to care on the ASM level).

And capabilities are anyway something that belongs into the OS — and than programs need to be written accordingly. The whole point of the capability-security model is that you can't add it after the fact. That's why UNIX isn't, and never will be, a capability secure OS.

But "sanboxing" some process running on a VM is completely independent of that!

WASM won't get you anything beyond a "simple sanbox" ootb. Exactly the same as you have in the other major VM runtimes.

If you want capability-secure Rust, there is much more to that. You have to change a lot of code, and use an alternative std. lib¹. Of course you can't than use any code (or OS functionality) when it isn't also capability-secure. Otherwise the model breaks.

To be capability-secure you have actually to rewrite the world…

¹ https://github.com/bytecodealliance/cap-std

The type system could definitely help. There's all sorts of things we can do. One really cool project is https://github.com/bytecodealliance/cap-std

On the topic of unsafe being used to describe raw file descriptors, on one hand, there is a sense in which file descriptors are pointers, into another memory. They can leak, dangle, alias, or be forged, in exactly the same way. On the other, there is an open issue about this.

Just a documentation change, fortunately:

https://github.com/bytecodealliance/wasmtime/commits?author=...

They've submitted little documentation tweaks to other projects, too, for example:

https://learn.microsoft.com/en-us/cpp/overview/whats-new-cpp...

I don't know whether this is a formerly-legitimate open source contributor who went rogue, or a deep-cover persona spreading innocuous-looking documentation changes around to other projects as a smokescreen.

WebAssembly is extremely portable. WebAssembly runs on: all major web browsers, V8 runtimes like Node.js, and independent Wasm runtimes like Wasmtime, Lucet, and Wasmer.

cpu: 4 disk: 60 memory: 12 arch: host hostname: colima autoActivate: true forwardAgent: false # I only tested this with 'docker', not 'containerd': runtime: docker kubernetes: enabled: false version: v1.24.3+k3s1 k3sArgs: [] network: address: true dns: [] dnsHosts: host.docker.internal: host.lima.internal # Added: # - containerd-snapshotter: true (meaning containerd will be used for pulling images) docker: features: buildkit: true containerd-snapshotter: true vmType: vz rosetta: true mountType: virtiofs mountInotify: false cpuType: host # This provisioning script installs build dependencies, WasmEdge and builds the WASM runtime shims for containerd. # NOTE: this takes a LOOONG time! provision: - mode: system script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 echo "Installing system updates:" apt-get update -y apt-get upgrade -y echo "Installing WasmEdge and runwasi build dependencies:" # NOTE: packages curl, git and python3 already installed: apt-get install -y make gcc build-essential pkgconf libtool libsystemd-dev libprotobuf-c-dev libcap-dev libseccomp-dev libyajl-dev libgcrypt20-dev go-md2man autoconf automake criu pkg-config libdbus-glib-1-dev libelf-dev libclang-dev libzstd-dev protobuf-compiler apt-get clean -y - mode: user script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 # # Setting vars for this script: # # Which WASM runtimes to install (wasmedge, wasmtime and wasmer are supported): WASM_RUNTIMES="wasmedge wasmtime wasmer" # # Location of the containerd config file: CONTAINERD_CONFIG="/etc/containerd/config.toml" # # Target location for the WASM runtimes and containerd shims ($TARGET/bin and $TARGET/lib): TARGET="/usr/local" # # Install rustup: # echo "Installing rustup for building runwasi:" curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain none -y source "$HOME/.cargo/env" # # Install selected WASM runtimes and containerd shims: # [[ -z "${WASM_RUNTIMES// /}" ]] && echo "No WASM runtimes selected - exiting!" && exit 0 git clone https://github.com/containerd/runwasi echo "Installing WASM runtimes and building containerd shims: ${WASM_RUNTIMES}:" sudo mkdir -p /etc/containerd/ containerd config default | sudo tee $CONTAINERD_CONFIG >/dev/null for runtimeName in $WASM_RUNTIMES; do case $runtimeName in wasmedge) echo "Installing WasmEdge:" curl -sSfL https://raw.githubusercontent.com/WasmEdge/WasmEdge/master/utils/install.sh | sudo bash -s -- -p $TARGET echo echo "`wasmedge -v` installed!" ;; wasmtime) echo "Installing wasmtime:" curl -sSfL https://wasmtime.dev/install.sh | bash sudo cp .wasmtime/bin/* ${TARGET}/bin/ rm -rf .wasmtime echo "`wasmtime -V` installed!" ;; wasmer) echo "Installing wasmer:" curl -sSfL https://get.wasmer.io | sh sudo cp .wasmer/bin/* ${TARGET}/bin/ sudo cp .wasmer/lib/* ${TARGET}/lib/ rm -rf .wasmer echo "`wasmer -V` installed!" ;; *) echo "ERROR: WASM runtime $runtimeName is not supported!" exit 1 ;; esac cd runwasi echo "Building containerd-shim-${runtimeName}:" cargo build -p containerd-shim-${runtimeName} --release echo "Installing containerd-shim-${runtimeName}-v1:" sudo install ./target/release/containerd-shim-${runtimeName}-v1 ${TARGET}/bin sudo ln -sf ${TARGET}/bin/containerd-shim-${runtimeName}-v1 ${TARGET}/bin/containerd-shim-${runtimeName}d-v1 sudo ln -sf ${TARGET}/bin/containerd-shim-${runtimeName}-v1 ${TARGET}/bin/containerd-${runtimeName}d echo "containerd-shim-${runtimeName} installed." cd .. echo "[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.${runtimeName}]" | sudo tee -a $CONTAINERD_CONFIG >/dev/null echo " runtime_type = \"io.containerd.${runtimeName}.v1\"" | sudo tee -a $CONTAINERD_CONFIG >/dev/null done echo "containerd WASM runtimes and shims installed." # # Restart the systemctl services to pick up the installed shims. # NOTE: We need to 'stop' docker because at this point the actual daemon.json config is not yet provisioned: # echo "Restarting/reloading docker/containerd services:" sudo systemctl daemon-reload sudo systemctl restart containerd sudo systemctl stop docker sshConfig: true mounts: [] env: {}

When you say wasm container, you mean something like wasmtime that provides a non-browser wasm runtime?

https://github.com/bytecodealliance/wasmtime

We can't run this directly from the command line unless we install some runtime like wasmtime:

The roadmap I linked above. The WASI folks have done a poor job at communicating, no doubt, but I'm surprised someone like yourself literally building a competitor spec isn't following what they are doing closely.

Just for you I did some googling: see here[0] for the current status of WASI threads overall, or here[1] and here[2] for what they are up to with WASI in general. In this PR[3] you can see they enabled threads (atomic instructions and shared memory, not thread creation) by default in wasmtime. And in this[4] repository you can see they are actively developing the thread creation API and have it as their #1 priority.

If folks want to use WASIX as a quick and dirty hack to compile existing programs, then by all means, have at it! I can see that being a technical win. Just know that your WASIX program isn't going to run natively in wasmtime (arguably the best WASM runtime today), nor will it run in browsers, because they're not going to expose WASIX - they're going to go with the standards instead. so far you're the only person I've met that thinks exposing POSIX fork() to WASM is a good idea, seemingly because it just lets you build existing apps 'without modification'.

Comical you accuse me of being polarizing, while pushing for your world with two competing WASI standards, two competing thread creation APIs, and a split WASM ecosystem overall.

[0] https://github.com/bytecodealliance/jco/issues/247#issuecomm...

[1] https://bytecodealliance.org/articles/wasmtime-and-cranelift...

[2] https://bytecodealliance.org/articles/webassembly-the-update...

[3] https://github.com/bytecodealliance/wasmtime/pull/7285

[4] https://github.com/WebAssembly/shared-everything-threads

Thanks for the question!

Spin could definitely run in more places than what we have pre-built binaries for. Specifically, we could run on all platforms Wasmtime supports today (https://github.com/bytecodealliance/wasmtime/releases/tag/v1...), including RISC and S390X, for example.

And while we have been experimenting a bit with running Spin on RISC, we haven't really had the bandwidth or requirement to build a production build for those yet.

Are you interested in a specific operating system or CPU architecture? Would love to understand your scenario.

> I used to think we'd eventually get to capability based security, but now I see we'll always be stuck with application permission flags, the almost worthless bastard cousin, instead.

My hope is that WASI will introduce capability based security to the mainstream on non-mobile computers [0] - it might just take some time for them to get it right. (And hopefully no half-baked status-quo-reinforcing regressive single—runtime-backed alternatives win in the meantime.)

[0]: https://github.com/bytecodealliance/wasmtime/blob/main/docs/...

WasmTime finished finished the RFC for the implementation details in June: https://github.com/bytecodealliance/wasmtime/issues/5032

[3]: https://github.com/bytecodealliance/wasmtime/pull/2611