[erlang-questions] Two beautiful programs - or web programming made easy

Frédéric Trottier-Hébert fred.hebert@REDACTED
Tue Feb 15 02:50:11 CET 2011



On 2011-02-14, at 18:38 PM, Ryan Zezeski wrote:

> 
> 
> 2011/2/14 Frédéric Trottier-Hébert <fred.hebert@REDACTED>
> 
> This has *nothing* to do with encryption, and everything to do with not understanding the potential threats of the web correctly. It is an application-level issue, much like XSS is. And it's pretty damn important.
> 
> 
> Except when it isn't.
> 
> You make a very impressive summarization of web security problems, but there are many apps where these problems go away because they simply, don't, matter.  For example, how about building a new interface to the appmon application using this with Raphael or Protovis?  Do I really need to worry about all this crap?  I'd argue, no.  If I'm using appmon it's behind a firewall and I trust the user to be competent.  Just like 'rm -f' in unix.  Plus, who gives a sh*t (pardon my French) about a hijacked session when someone else just cracked your gateway because of default passwords.  My point being, there are so many doors, and this focuses on one.  Getting it right is very hard, and thus very costly, and that's why I think the first thing to ask is "Does this even need to be secure?"  Given enough time, anything can be had.

I won't argue with this. You're right on this. Again I'll repeat myself by saying that as a general (and generic) pattern, the eval() in Joe's code worries me. Individual cases can be tested and proven safe on an individual basis without too much trouble.
> 
> If nothing else Joe has stumbled upon a way to rapidly produce nice-looking and feature-rich GUIs in Erlang, and yet it seems everyone has somehow missed this point and focused on security and support and whatnot.  I'm glad there are Joes in the world, otherwise it would be a pretty boring place.
> 
> Don't let perfect get in the way of good enough.  As Joe said, life is too [expletive deleted] short.
> 
> -Ryan

There is nothing wrong with what Joe is doing. There is nothing wrong with exploration. However, things already exist in JavaScript and on the web in general, and we shouldn't reinvent the wheel all the time because we might be coming from a different domain or we don't have the same experience as real web developers have.

You only have to look into what people are doing with node.js. Just look at this example: http://www.screentoaster.com/watch/stUE5XQEVMRFtXQ1xVXFlYVlZX/serrano_session_sharing
These guys are doing session sharing over the browser (including mouse movement and everything).
You can also look at the nodeknockout as a whole: http://nodeknockout.com/teams (some links are now dead). These include multiplayer browser games, chat systems, drawing applications, charts, etc. Dreamers and innovators are at work on the web already, they're just not necessarily doing it with Erlang.

They are doing that kind of explorative nice-looking innovation we all find awesome (even if they likely don't do it 100% safe either).

I'm sorry if I sounded patronising or just bossy around this discussion, it's just that there are fantastic ideas to be inspired from in what is done by these programmers all the time. They usually do it cleaner, safer and smarter. At least on the client side.

If people can learn from Erlang when it comes to heavily concurrent and fault-tolerant applications, Erlang programmers can certainly learn from other domains when the developers working there are more specialised at what they do than we could be as a community in here.


--
Fred Hébert
http://www.erlang-solutions.com
