I'm reading so much discourse about the new HarfBuzz wasm renderer on Twitter, Github and Phoronix comments and it strikes me as very surprising how little people who claim to care about security actually know about how modern computers and computer software stacks work.
Using wasm with a tiny api layer and a relatively well made runtime is safe. If you don't do JIT or crazy optimizations, a wasm implementation can be trivially validated and made to be safe. The fact that it "runs code" and "oh my god they made llama.ttf!!! this is horrible how do I turn it off" means completely and absolutely nothing.
It makes me almost wonder if this is somehow a malicious attack on HarfBuzz, an excellent project. Or maybe the fact that the technology is called "Web" "Assembly" gives people the wrong idea. By default there is nothing "Web" about WASM, aside from the fact that it was made for web browsers primarily. If anything, being made for Web Browsers first of all should be a bonus, because web browsers are the biggest attack surface and therefore have to be designed around that.
But no, it's easier to just spout bullshit online how the harfbuzz authors are sponsored by the CIA to put backdoors into font rendering. Absolute bullshit.