w3c / strategy

team-strat, on GitHub, working in public. Current state: DRAFT

[wg/wasm] WebAssembly 2022 charter #325

Closed ericprud closed 9 months ago

ericprud commented 2 years ago

New charter proposal, reviewers please take note.

Charter Review

Charter:

What kind of charter is this? Check the relevant box / remove irrelevant branches.

Communities suggested for outreach: WebAssembly Community Group

Known or potential areas of concern: This is a continuation of earlier work. It should not introduce any new i18n or a11y concerns.

Where would charter proponents like to see issues raised? (this strategy funnel issue, a different github repo, email, ...)

Anything else we should think about as we review? none

michael-n-cooper commented 2 years ago

No comments from APA.

himorin commented 2 years ago

no comment/request from i18n

samuelweiler commented 2 years ago

Commenting here since the template question about where comments should go is unanswered.

When will the working groups be seeking security and privacy reviews for these docs? I ask in part because the JS Interface Doc appears to have not been republished in over two years, and I haven't seen review requests for any of these docs lately.

I also see that the privacy and security sections in the existing WG docs are not in great shape. The security analyses in both the base doc and the JS interface doc are too minimal and don't touch on privacy at all, and there's nothing about either in the API doc. I suggest quick attention to those.

I'm particularly curious as to the state of the base doc, which says in-line that it's a CG doc, not a WG doc, as detailed here: https://github.com/WebAssembly/spec/issues/1447

More substantively on the security side, what provisions are available for auditing WebAssembly code? Are there things we can do to make it more auditable?

samuelweiler commented 2 years ago

@ericprud any thoughts re: the above, especially the ability to audit the code?

ericprud commented 2 years ago

We (@samuelweiler, @plehegar and others) discussed this in global on 12 May. I believe we reached consensus that:

  1. the WebAssembly browser host is more secure than the JS browser environment so inspection for WebAssembly isn't more desirable (or achievable) than any other web app.
  2. the WASI host environment is wide open but isn't a standard, just some experiments.

There's an issue, WebAssembly/spec#1393, to integrate with Content Security Policy. See the associated proposal.

plehegar commented 1 year ago

Charter work was announced to AC last year: https://lists.w3.org/Archives/Member/w3c-ac-members/2022AprJun/0011.html

plehegar commented 11 months ago

(charter was approved by TiLT and can be sent for AC review)

plehegar commented 9 months ago

Approved https://lists.w3.org/Archives/Member/w3c-ac-members/2023OctDec/0047.html