-
> If one writes Go or Rust, there are much better ways to run them than targeting WASM
wasm has its place, especially for contained workloads that can be wrapped in its strict capability boundaries (think, file-encoding jobs that shouldn't access anything else but said files: https://news.ycombinator.com/item?id=29112713).
> Containers are still the defacto standard.
wasmedge [0], atmo [1], krustlet [2], blueboat [3] and numerous other projects are turning up the heat [4]!
[0] https://github.com/WasmEdge/WasmEdge
[1] https://github.com/suborbital/atmo
[2] https://github.com/krustlet/krustlet
[3] https://github.com/losfair/blueboat
[4] https://news.ycombinator.com/item?id=30155295
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
-
spawner
Discontinued Session backend orchestrator for ambitious browser-based apps. [Moved to: https://github.com/drifting-in-space/plane]
Is the appeal of isolates in this case the cold start time or the isolation? We're working on some open source infrastructure for running sandboxed (gVisor) containers on the fly from web services[1], and one of the use cases people have is serving Jupyter notebooks which seems like it might resemble your use case?
[1] https://github.com/drifting-in-space/spawner/
-
SSVM
WasmEdge is a lightweight, high-performance, and extensible WebAssembly runtime for cloud native, edge, and decentralized applications. It powers serverless apps, embedded functions, microservices, smart contracts, and IoT devices.
> If one writes Go or Rust, there are much better ways to run them than targeting WASM
wasm has its place, especially for contained workloads that can be wrapped in its strict capability boundaries (think, file-encoding jobs that shouldn't access anything else but said files: https://news.ycombinator.com/item?id=29112713).
> Containers are still the defacto standard.
wasmedge [0], atmo [1], krustlet [2], blueboat [3] and numerous other projects are turning up the heat [4]!
[0] https://github.com/WasmEdge/WasmEdge
[1] https://github.com/suborbital/atmo
[2] https://github.com/krustlet/krustlet
[3] https://github.com/losfair/blueboat
[4] https://news.ycombinator.com/item?id=30155295
-
> If one writes Go or Rust, there are much better ways to run them than targeting WASM
wasm has its place, especially for contained workloads that can be wrapped in its strict capability boundaries (think, file-encoding jobs that shouldn't access anything else but said files: https://news.ycombinator.com/item?id=29112713).
> Containers are still the defacto standard.
wasmedge [0], atmo [1], krustlet [2], blueboat [3] and numerous other projects are turning up the heat [4]!
[0] https://github.com/WasmEdge/WasmEdge
[1] https://github.com/suborbital/atmo
[2] https://github.com/krustlet/krustlet
[3] https://github.com/losfair/blueboat
[4] https://news.ycombinator.com/item?id=30155295
-
> If one writes Go or Rust, there are much better ways to run them than targeting WASM
wasm has its place, especially for contained workloads that can be wrapped in its strict capability boundaries (think, file-encoding jobs that shouldn't access anything else but said files: https://news.ycombinator.com/item?id=29112713).
> Containers are still the defacto standard.
wasmedge [0], atmo [1], krustlet [2], blueboat [3] and numerous other projects are turning up the heat [4]!
[0] https://github.com/WasmEdge/WasmEdge
[1] https://github.com/suborbital/atmo
[2] https://github.com/krustlet/krustlet
[3] https://github.com/losfair/blueboat
[4] https://news.ycombinator.com/item?id=30155295
-
Answering the security question specifically: v8 is a runtime and not a security boundary. Escaping it isn't trivial, but it is common [1]. You should still wrap it in a proper security boundary like gVisor [2].
1. https://www.cvedetails.com/vulnerability-list/vendor_id-1224...
2. https://gvisor.dev/
-
-
-
Actually that's incorrect, there are a nunber of wasm runtimes that don't use v8. Here's links to a couple.
https://wasmtime.dev/
https://www.fastly.com/products/edge-compute
-
As you scale up with R2, D3, Email Workers etc, is it possible that the _future_ scale of touching very sensitive, "ought-to-be-secure / separate" data / code help reconsider this decision?
Without process isolation, all it takes is one bad Chromium commit or a incorrectly allow-listed JS/V8 command for this model to fall through regardless of how thorough the defense-in-depth/vetted Workers may be.
"the public clouds that run arbitrary native code in hardware VMs." -> Isn't it double whammy then that a V8 isolate + HW attack surface in combination could provide an order of magnitude more hackability?
"Last I heard there were still some lower-powered Android phones where the overhead was too high" -> I believe a Zygote-process fork was made available to Chromium at some point (https://chromium.googlesource.com/chromium/src/+/HEAD/docs/l... ?).
-
Related posts
-
Easier examples for the WasmEdge Rust SDK to get started with this Wasm runtime quickly.
-
AssemblyLift v0.2.9: BIG performance boost + new features! 🚀
-
Introducing Spin 3.0
-
The BPF instruction set architecture is now RFC 9669
-
Ask HN: If you were rewriting Emacs from scratch, what would you do differently?