From YouTube: SES-mtg: How to use the SES shim
Description
Recorded from the "Frozen Realms shim collaboration" meeting on Jan 22, 2019. See https://github.com/agoric/ses
Brian Warner walks us through how to install and use the current SES shim. This version of the SES shim directly supports safe evaluators for evaluating strings, but does not yet support safe module loading. We also discuss various packager alternatives for packaging modules as evaluable strings.
B
B
The most recent commit happens to be the most recent release that we made a couple of days ago, so we're already sitting on a release tag and we don't have any sort of stuff that's sitting on trunk that hasn't had a chance to bake very much. "npm install" gets you everything that SES depends upon. From here, a reasonable way to get started, I think.
B
B
B
B
C
B
B
B
Yeah, maybe great if this thing worked with whatever Node's built-in stuff is. The SES environment does not have a module loader yet, so the only thing even loaded into it is our static strings. Wonder why wait command? Why are green so before we can roll out a module loader in there before? This is really useful for larger of code, then we'll have to have support like that.
B
B
A
B
B
E
A
B
A
B
B
Like that. So in this case, foo is defined to close over this B. The B is being provided from the caller, from the evaluate side, and this is a technique for providing, creating a trusted, a trusted proxy of some sort. So in this case not a proxy, a trusted thing, and this thing is sitting in between the confined realm and the outer powerful realm, and the trusted thing has access to something in the powerful realm because it's closed over one of these endowments.
B
A
You create a root realm. Creating the root realm does use vm.createContext to create a new, primitive root realm, and then it does all the realm initialization inside of that, so that it creates a, the evaluator is using the with-on-a-proxy trick. When you create a compartment within a root realm, we're reusing the, you know, we're staying within the same underlying VM context and just using the with-on-a-proxy trick to create a different evaluation context within the same realm. Okay.
D
So I just would like to follow up with that, because about nine months ago I did try to compare using VM context versus actually, you know, replicating what the realm shim does, and there were potentially performance hazards in using VM context that might be worth exploring. I think it's, you know, an order of magnitude slower relative to not creating an extra context, so.
D
D
No, no, you don't. So, you know, like, I'm really not comparing all the trade-offs. So just, you know, it's just a matter of I've amended for some reason. Obviously we can see where Node can increase performance for VM context. It's just something to keep in mind, that it might have been just temporary as well when I was trying them, what, nine months ago.
A
We did, there is another version of SES that's in gestation, or a subset of SES. Let's call it a single-root-realm SES, which is being done in a Salesforce repository, being done with us in a Salesforce-created repository that is not yet publicly available, that will be, and that one just basically creates and initializes an SES environment within the root realm that it starts in. It does not, it's.
A
It does not create a new root realm, so it's not shimming the full realm shim. Basically, it does not have a makeRootRealm operation. The motivation for it, from our perspective, not from Salesforce's perspective, is the XS JavaScript engine, which is a single-root-realm-only JavaScript engine.
C
D
Think it's important to have both models, give as much parity as possible. Like, I do a lot of work that goes from Node to the browser, and I tried workers and all of that, and I found that, with this kind of experimental harnessing of the runtime, it's always important to think of porting it, like how it ports, if you cannot really create a context, which happens to be anywhere you don't have access to the internals of the runtime, yeah.
A
Yeah, the problem is that, if you just use the "initialize my own realm as an SES realm", one of the steps in that initialization is to freeze all the primordials, and within a browser frame that works. Within the Node default context, you know, the initial context that you normally use for everything in Node.
D
Okay, that is a good question. I'm sorry, just the last one: how about if every SES realm gets proxified primordials, basically, so no SES realm actually gets the actual primordials, but then, when it evaluates, if there is like a literal object or a look through array, well, I'm just wondering because I've seen people try to do that with zones, for instance, but I see that there is a lot of places where you can miss particular instances. So.
A
So one problem with trying to membrane access to the primordials, since I know that there is some project that did something like that. Maybe Alex knows more about that, but let me just raise the immediate problem that comes to mind, which is that some of the primordials are undeniable, because they're reachable directly by syntax. So if you evaluate open square bracket, close square bracket, that's going to directly evaluate to an object that inherits from the original Array.prototype. There's no way to, without rewriting the source code.
A
C
Okay, Mark asked me to weigh in here. One classic example, just FYI, is the ownKeys trap of any proxy handler, or Reflect. That is always supposed to return an array, and in es-membrane, I know of a bug where I haven't fixed yet, wrapping that array that's returned in a proxy. One of the reasons I can get away with it, but I haven't done it yet, is because it's going through a proxy. To answer your question, Mark, about wrapping primordials: I have hard-coded a long list of primordials in es-membrane and I'm.
C
D
Yeah, just the one thing to point, though: the performance of evaluating code inside the context was slower. So I created everything and I just ran a series of, like, big loops in one of the pre-made contexts versus a shim, okay, and that loop took, like, almost twice as much, if not more, like up to five times, when it was in a context.
A
That's bizarre. Oh yeah, was the loop accessing any global variables? Oh.
D
A
I think what we can do is we can provide feedback, especially through badly to Node, that, you know, there's no reason for execution inside a created VM context, there's no good reason for that to be slower than execution in the main context. So if it is slower, that's an engineering problem that no defects not.
B
A
A
F
That is correct. We are working on it. I'd say it's a simplification of the realm proposal, and when we remove all mechanisms to use VM or iframe in order to create a new set of intrinsics, it's tailored to what we need to do at Salesforce, so we have only one set of intrinsics for all compartments and all realms, basically. And also there was a need for an engine, or a compartment engine, that would work on platforms where creating a new set of intrinsics has no mechanism.
A
C
B
B
I mean, Jessie is a language. You do the evaluating in some environment. What's that environment coming from? Is that Node? Is that a web context? Is that XS? Correct, and so you can use the compartment mechanism if you can afford to freeze all of the primordials from your environment, and then whatever that case is, whatever mechanism by which you get an SES realm or compartment, you can evaluate Jessie inside. No.
A
A
B
A
A
A
B
C
A
B
B
So that actually throws an exception. Date.now we decided to have return not-a-number, because that seems to work better with modules like moment.js, in which it is calling Date.now during its initialization, even if nobody asks for it and it doesn't do anything with the value. It's kind of a side effect of the way that was written. So we can cause less trauma, and you can get 99% of the functionality of moment does not involve needing to know what the current time is.
B
B
And there's a switch to turn that on. The problem here is that the internationalization functions, there are two or three of them that return or take advantage of the default locale that's been configured on your platform, which is going to come from some combination of environment variables, your asset, things that are available on disk, the way that Node has been configured or the way the browser has been configured, and that's not deterministic, and we don't want things to behave differently in one place to another.
A
Part of what you did, this isn't necessarily the final form of these configuration parameters, but part of what we're trying to achieve with this configuration is that our requirements for a deterministic SES, the replicated execution of blockchains, is probably somewhat different than the Salesforce requirements for a single-root SES with regard to how strictly various things need to be turned off. So what we want to end up with is, you know, one code base, but where the different requirements are configuration parameters rather than splitting the projects, you.
B
Know there are situations where the main thing you're going to care about is protecting the host or protecting the other guests from this guest. So you need to prevent access to things that could be used to break out of confinement. But the second-level goal that some environments have is to avoid any form of nondeterminism. So for the internationalization stuff, Intl.NumberFormat takes a locale name, and if you don't provide one, it's supposed to use the platform default, and so to a first approximation.
B
A
B
A
B
Might be. I've definitely seen cases where unit test cases that need to invoke some other program and parse its output will set an environment variable to set the locale to be C before doing that, so that, if you run that test on a machine that's configured for French or Spanish, you won't wind up with a different output from the program that causes your test to fail. So.
B
A
B
A
A
B
You can evaluate a directory full of code into one of the SES compartments, and you do that by setting up an index.js which is allowed to have imports that grab things from other inputs. The way that we do that in the PlaygroundVat is to use Rollup, and use the API for Rollup to turn this starting point and everything that it references into a single string that can be evaluated inside the realm.
B
So at the moment, you know, you're on your own for trying to get more than just single strings into an SES compartment, but you can follow the pattern that is being done in our PlaygroundVat to get more than one thing in there. Mm-hmm. We've still a lot of work to do on this. We don't have a console.log object in there. In the PlaygroundVat we're able to inject an object called log.
A
B
Than console.log. There's something funny taking place with name conflicts, and when Rollup sees you using, let's do that, when Rollup sees the code that's being loaded as using console.log, it appears to rewrite that name to avoid conflicts with something else that's in scope at that point, and so we've not yet successfully found a reasonable way of getting the traditional console.log to be available to the code. It's getting programming.
B
That's as far as we've gotten on that. Obviously we want to take SES to the point where it can load in multiple modules and be able to reason about what a module should be allowed to import. We need to have an API to control a module loader. That's also the point where we want to talk about authority and modules and resource modules and pure modules, so we'll probably wait until we nail down some of the loader syntax before we try and add that in size. I.
C
Just wanted to, that thing around console.log, and I did originally import console.log into my Jessica files, but I found I'd rather define the custom log interface and not use all the quirks console.log has. Might be something to consider, since console.log may not be available. I don't, that part's, yeah.
B
Yeah, all I really want is that the code that you write, that you run in your unit tests and uses console.log as you debug stuff, is the same code that you can import into your SES realm. So, like, having console.log, having one, having log or console.log or my special debug log or whatever is fine, but it'd be great if I could use the same thing in both of those departments.
D
I'm, just a point about console functions: they're basically made to actually be, you can detach them from the console. Like, you don't need to say console.log, yeah, you don't have to preserve the reference of this being console for them to work. That helps me a lot because I export them from a module and whatever, I end up overriding console.log or console.warn or whatever.
C
B
So just providing an endowment called console caused Rollup or something in that source code rewriting process to see a conflict between the console I was trying to add to it and the console it thought was already present, and so it renamed one of them. So I was able to provide a log function just fine, but trying to provide a console, it comes up about anything, was running into problems that I couldn't, so.
A
A
The MetaMask project, which is a project that's in the blockchain ecosystem. It's basically a browser user interface for smart contract applications running on Ethereum. So MetaMask, they're using browserify as their packager, and they now have a project called Sesify, which is trying to make an SES module version of browserify.
D
One thing to point out about variable renaming in Rollup, yeah: if your variable is imported from a particular module, so let's say I have this module that exports console, and that module is treated as an outside module, it's not part of it, like, you configure Rollup to assume that this is an external module. So if you're importing everything from that particular path for the exporter of console, so every single module that uses console starts out by importing console from the same particular location.
D
B
Has to be stringified and turned into a single string, so it can be loaded inside SES. So the PlaygroundVat has some code that lives in the primal realm and gives it access to the network. That's what gives it access to the local disk to download a disordered state. To define primal: primal realm is the outermost realm that still has the host authorities, like require and access to Node's standard library.
B
So a functioning application will need to have access to that in order to talk to the outside world in some fashion, but most of the code you want to run in a more confined environment. So the PlaygroundVat consists of some I/O code sitting out in the primal realm that is made available as endowments to carefully written code that is, that's working for us, that is inside the SES realm. That code that's inside the SES realm is then loading and evaluating the untrusted code that the guests of the vat is.
B
Being loaded into that same environment, but at that point it's safe because we've frozen all the primordials and we're using the safe eval for that. But, as a result, a lot of this code is getting stringified and turned into a single string, so it can be passed into SES evaluate, and the code that is trying to define the console that would be made available to the third thing is getting turned into the single string.
B
E
And I just wanted to bring up the point that, if we're relying on tooling heuristics, it could be dangerous to fall into a sense of security where we've carefully curated our source tree such that we don't have a collision, and then we can accidentally introduce something that does produce a collision.
A
A
A
With regard to this question, let's ask for, you know, both or either, so for any module systems: is there a packager that is trying to be really careful to be exactly semantics-preserving of the module semantics, and so would seem to be a good starting point for turning it into a packager that we can have confidence in?
C
E
A
A
A
B
B
A
D
That will eventually be replaced by the actual implementation. So when that happens, it will be deprecated. The actual implementation is potentially going to be very different in terms of how you create a loader. So.
B
C
D
Could also, Node introduced an export from the module module, and that's "create require function". It creates a require function. It's a very, very crude way for now to use an S and in order for you to create a require function relative to a particular path and then use that to resolve all your requires that you want.
A
D
Yeah, so can I phrase that a bit differently? Like nine months ago, when I was doing testing between a shimmed realm and a VM context to try to see, you know, where the performance benefits of creating a realm as a shim can actually come on, the shim was a lot faster compared to evaluating the same loop inside a context.
D
So it was not the creation of the context that was creating the concern for me, but rather, if I throw it out against the context that already exists, that code seems to be running a bit slower. So I haven't really looked into whether that was just a temporary thing at the time, but it was something that I would like to keep in mind down the road with a little bit more testing.
E
B
F
D
Like, I recall when I was testing, it was definitely closer to two and sometimes more, but again, I wasn't really doing, you know, fine-grained testing to actually measure this. I was just seeing it, you know, as I was testing the performance of the shim, not the actual context. So again, you know, I think the fair thing to take out of this is.
D
We should just keep it in mind and come up with a way to explore that, if we're going to use context as the, you know, go-to approach. Just clarify that I did not really scientifically, you know, try to document in any way, but we've got an observation deck that, you know, I was kind of actually feeling good for a couple days, you know, like looking at the times, but then, you know, it wasn't really done to document this, but.
D
My shim was completely different than what we're doing here. It was the bare bones. I was basically looking at ways to get rid of particular hooks, like has would always return false, stuff like that. So I was really playing around with that concept of the object context, which is actually a proxy, and how you can make that faster by taking shortcuts.
D
F
Why and, and we got onto that sweet, one of the reasons was to compare car and the realm shim to have an idea of, did we achieve anything in terms of performance with the quality of the code, and we noticed that the shim is faster than car casa. If you go to the test page that runs a few of those JetStream examples that are verbatim copied there and.
F
We could, like, you could go to that page, at car page, and run those tests, and when we run the same tests in the browser and in the shim, we get that, for most tests, the shim is faster than running tests naked in the browser, and it's still puzzling us, which said, although it's not a large, it's not like two times, but we get about, depending on the tests, about 10% difference. We.
A
F
A
D
A
F
D
Might verify it is, because I tried it, because I was actually very, very, like, when I saw the code for the constants I was like, oh yeah, that's how you do it! That's how you make code run fast. So it clicked, and I played around with that concept. When you do that constant declaration at the top of your code, it actually eliminates the time it takes to go through the prototype of the window proxy, all right, yeah, yeah. It actually helps even in any function.
D
If you create constants, as long as your function, you knows where the other variable constants and they're. Definitely if you're gonna refer it's in the same, an entry, you know, couple of times, especially if you're using Chrome. I think Chrome does that automatically in, you know, subsequent optimizations of functions that other browsers don't. Well.
F
A
A
D
A
So when I say we're not there yet, we're not there yet with regard to the SES in the public repository, and that's because of three outstanding pieces of security engineering that we haven't moved into the public repository yet. Oh, those are listed as security bugs on the SES issue tracker. But Salesforce is using SES in a security-critical way in production, supporting five million developers, and they've got bug bounties out on HackerOne, yeah.
F
And our experience over the past two years has been gradually better, especially over the past year, since we started to collaborate more closely with SES. And now, for the new Lightning Web Component framework that has been released in December, you cannot disable that security feature. People have to live with it, so we set the bar really high, that people have to run inside SES and inside of our other security membranes, which are very similar to tomato in concept but very different in implementation.
F
A
Happened at the same time by one person, but all of those are low-impact with regard to the overall security goals of SES. So with regard to those three discovered flaws, had there been production use of SES before those flaws were discovered, an attacker using those flaws would not have been able to compromise much, although they would have been able to, or though they, you know, they were able to win the side-channel challenge. Side channels are really hard.
A
The attempt to plug side channels is probably going to remain an especially delicate security property, and was not a claim that is relevant to the integrity properties of SES, which is where I expect most of the usage should be. And also I just mentioned, you know, Google's been using Caja, with the earlier version of SES, in production and supporting other developers using it in production in security-critical ways for many, many years.
D
B
A
For example, memory unsafety bugs that can be exploited from vanilla JavaScript, then they likely can be exploited from vanilla SES. So some bugs in the underlying JavaScript engine can compromise the security of running SES on that JavaScript engine. So that's why Agoric, for the high-security uses of SES, including SES running on public blockchains, is planning to run it on XS rather than running it on a JavaScript engine that has been optimized for speed and incorporates a complex JIT.
A
B
And I saw some really interesting bugs about that just a couple of weeks ago, that was talking about a version of Chromium from a few months back that had a confusion between positive zero and negative zero in the way that the JIT compared those versus the way the regular runtime code moves back. Wow. And they actually built a capture-the-flag puzzle surrounding that one issue. Wow. Wow.