[GoLUG] Writing an internet server

Ron ron at bclug.ca
Thu Aug 21 20:11:24 EDT 2025 

Kevin Chadwick wrote on 2025-08-21 04:07:

>> Mozilla sponsored the Rust programming language because they 
>> really care about security and stability.
> 
> Yet a more secure language better suited to large programs already 
> existed in Ada so why didn't they just hit the ball running?

I don't know why they didn't choose Ada.

He (Gradon Hoare):

> Hoare emphasized prioritizing good ideas from old languages over
> new development, citing languages including CLU (1974), BETA
> (1975), Mesa (1977), NIL (1981), Erlang (1987), Newsqueak (1988),
> Napier (1988), Hermes (1990), Sather (1990), Alef (1992), and Limbo
> (1996) as influences, stating "many older languages [are] better
> than new ones", and describing the language as "technology from the
> past come to save the future from itself."[14]: 8:17 [15] Early Rust
> developer Manish Goregaokar similarly described Rust as being based
> on "mostly decades-old research."[13]

https://en.wikipedia.org/wiki/Rust_(programming_language)#2006%E2%80%932009:_Early_years


Maybe he's never heard of Ada.

Seems he's aware of many obscure languages. Maybe Ada isn't great for 
what he wanted to do.

Maybe he invented "the Litt Principle".


Since he was hired by Mozilla Research, I'm gonna give him the benefit
of the doubt on this one.


He started Rust on his own time. He had the respect of his colleagues
such that they were interested once he told them about it. His progress
was such that Mozilla sponsored it after a few years.

And now it's one of the most popular languages and is in the kernel.





>>> they would make a secure version perhaps called tortoise with a 
>>> slower js engine
>> 
>> Slowing down the JS engine would probably drive away about half 
>> their remaining user base.
> 
> No it wouldn't, download speed is a bigger issue.

The user's internet connection plays the largest part of that though.

If a page is laggy to interact with, the user likely bales.

If all pages are laggy, they upgrade internet speed or changes browsers.


"Concerned about security" and "struggles to download a web page" and 
"is fine with the page rendering slowly" is approximately no one. A Venn 
diagram of 3 distinct circles.



> Games would be an issue I guess but they could always switch between 
> two engines and allow those that care about securely browsing 
> websites to turn off v8.

That's a metric fuck-ton of work to include 2 engines. Maintaining one 
is more than even Microsoft was willing to do.

And, everyone is now downloading 2 JS engines when updating their
browser? There goes download speeds and mobile data plans.

And I can hear the screams of "blooooaaaaat!" already.


> Joey Fish says it's a shame that WASM turned into a largely js based 
> system instead of a true faster programming language enabler but I 
> don't know the details.

Who is Joey Fish?



> Yeah and browsers were faster before v8

Citation?

v8 and Mozilla's engines have been incredibly performance tuned. "Before 
v8" did *not* have JIT compiling where the JS is executed as compiled C 
code.

https://stackoverflow.com/questions/2137320/javascript-engines-advantages

https://dev.to/mainabernard/unlocking-the-v8-engine-why-your-javascript-
is-faster-than-you-think-498i




>> And, rewriting a JS engine would likely lead to new bugs. The 
>> current one is pretty well tested.
> 
> Not security bugs.

Through the power of magic thinking?  Such a massive project would 
undoubtedly introduce bugs of all kinds.


> Of course there would be logic issues. Worth it.

Worth it to whom?  The dozens of highly paid engineers doing the work?

Paid for with the zero dollars people would pay for a slower internet 
experience? Even the best browsers struggle for funding.




> have you seen how many security issues have been caused by the js 
> engine?
Yes - not many compared to the install base and "attack surface".

Anything exposed to *billions* of users on innumerable devices is going 
to have flaws and be relentlessly targeted.


There is a distinct lack of critical JS bugs when considering that.

And a quick look shows most of them in repos in Node.js packages 
affecting back-ends, not browsers.

More information about the GoLUG mailing list