hi dmitry,
i had assumed that the sel_ldr changes were written carefully. sorry if i may have misspoke and implied otherwise. it's just that independent auditing is really critical.
when I was with Google, we hired independent security penetration testing groups to conduct security audits as well as organized a security contest. security contests work well if finding vulnerabilities will help the reputations of the white-hat auditors, obviously, for future consulting gigs, and whether this is true depends on the reputation of the companies / people involved in the project. i was not that involved in the selection of security consulting companies for the pen testing, and even if i were i am not sure how much i could tell you.
whether the community could maintain NaCl going forward is an interesting question. i don't know if any other companies are sponsoring NaCl-related work now, though at various points earlier some were. keeping NaCl going in the longer term will involve not just maintaining the trusted computing base (essentially sel_ldr), but also ensuring that the compiler and toolchain support is maintained. the glibc / GNU toolchain support was just recently dropped. the LLVM-based compiler back-end changes may survive longer, and may be easier to maintain for newer front-end changes (new language standards / extensions). this moves at a different pace than innovations that might use NaCl, obviously. but having a cross-platform sandbox is useless unless people can generate efficient code to run inside it.
in any case, "the community" needs to be more than one or three companies / independent contributors. some of the politics over NaCl was over how much control Google had over PPAPI and API evolution, and i would imagine that having one company effectively control it is not going to go over any better. but then i suck at politics. :-)
outside the browser, NaCl (and PNaCl) has limitations that can reduce its usefulness. on x86-64 the address space for the untrusted code is only 4G, and on x86-32 (maybe nobody cares) and arm (some do?) the address space is only 1G. even if all we cared about was x86-64 for all OSes, 4G is not that much space for some more modern, VM-hungry applications.
-bsy