Had an interesting discussion with blowmage (Mike Moore) over Twitter. I said that having the “param1/param2″ pattern in the ASP.NET MVC made me itchy from a security standpoint. He replied.
Eh, just don’t add them to the URL. The ASP.NET MVC assumes you know what you are doing. I’m sick of frameworks babysitting me.
and yet you use a managed language that holds your hand and cleans up your memory for you.
Which came out a little harsher than I meant. But my gist is, isn’t a GC system babysitting you already? How much abstraction do you want out of a framework?
Bottom line is: a web application, is basically an abstraction for sending and receiving headers and HTML to/from a browser. You can dress that process up with domain models and other abstractions. But you *can* build a web application strictly using sockets if you really don’t want to be babysat.
Now that’s absolute crazy talk. No one wants to build an eCommerce site by sending packets over a pipe. That’d be a crazy as writing an operating system today using 32-bit/64-bit x86 assembly. So we accept some levels of abstraction. In fact, we embrace abstraction. Hunting down errors in a memory dump is no fun. Neither is making sure all of your string buffers are properly allocated and sized. We don’t want to have to malloc() and free() char buffers when we want to concatenate strings, so we make a StringBuilder class that handles all the nastiness for us.
It’s also not fun to get stuck in a framework that is so opinionated that when you stray from it’s primrose path you are assaulted by rabid dogs. Opinionated software is good, but a framework should allow you to inject your own opinion.
So what do you really want out of a framework. Ultimately, I think developers really want a framework that will nerf the sharp corners of the underlying hardware for us. We want to be babysat.But we also want the freedom to rip things out and route around the hard parts. And frankly, we want frameworks that work for us, not against us. It’s when the framework is working against us that we rail and rant and cry out for change.
Me? I want the full on Star Trek-Computer:write-me-a-program-that-will-let-me-sell-my-”My Little Pony”-collection-on-eBay” framework.
Feel free to leave your own thoughts below. Difficulty: No Linking to Spolskys “Leaky Abstractions”
5 Comments
Woo hoo! I totally got linked to from lazycoder.com! And no stupid rel=”nofollow” crap either. My PageRank is going to go from a 4 to a 7 overnight! Linkbaiting over Twitter totally works!
(Although you need to downcase me to “blowmage”. The upper “Blowmage” is so weird looking.)
Here’s a shocker: I disagree. I do want to code at a consistent level of abstraction, and I do want the ability to inject my own opinions. But I don’t want to be babysat. And I don’t see how having a framework with or without the feature of marking your values as “secure” works either FOR or AGAINST us. This isn’t a technology issue, its a developer issue.
I’m all for having a framework that is extensible enough to allow you to place restrictions on what it is allowed to do in a straight-forward manner. (If you really distrust the folks you are working with enough to add it.) But I don’t want that crap included in core. If it is included in core then I won’t use your web framework. And if said framework is your platform’s flagship framework, then I’ll probably move off your platform as well. That’s not a threat, just the reality. I want synergy with the tools I use, and I’m not afraid to leave a framework or platform to get it.
The sad thing to me is that the mentality that you are describing is exactly how we got WebForms. The concern was that folks don’t understand web development enough so Microsoft abstracted reality away in order to save developers from themselves. I’m not advocating complexity for complexity’s sake, just a clean, extensible, testable framework that I can build my apps on. I really like what I’ve seem of the ASP.NET MVC framework so far. And picking on it for allowing you to control your URLs seems rather FUDdy to me.
Looking at it from a “millions of people who may or may not have a high degree of skill” perspective, I think that having a “babysitting” mode on by default is a “good thing. Provided that devs with a higher level of skill can turn it off easily. Back to the GC feature. 99% of the time, developers are OK with the built-in GC feature in Ruby/Javascript/.NET/Java. Why?
1) Because it stays out of your way
2) Because, at least in .NET, you can match the performance of hand-tuned, non-GC’d code. http://blogs.msdn.com/ricom/archive/2005/05/19/420158.aspx
To a certain point. And you still have the option to directly manipulate memory if you need the performance, marking code as unsafe in C# and using C extensions in Ruby. So it’s a babysitting feature that’s pretty useful. When the babysitting feature gets in the way, like the ASP.NET page lifecycle or Rubys ActiveRecord, for more skilled developers it needs to be refactored.
In any case, it’s not about the ASP.NET MVC framework (speaking of needing a better name…) because I haven’t seen the framework at all. Guthrie, Hanselman, and Haack haven’t blogged about it yet so I can’t really comment on what the framework does or doesn’t do for you. Discussing it just provided a spark for this post.
But I’m a firm advocate for the advancement of Mort’s everywhere.
http://www.lazycoder.com/weblog/index.php/archives/2006/03/17/we-are-all-mort/
http://www.lazycoder.com/weblog/index.php/archives/2007/03/11/when-non-programmers-write-software/
So I think having a babysitting feature that doesn’t get in the way of more skilled developers is a good thing.
If you’re hoping a link from me will provide any traffic or any increase in anything except time wasted, you’re in for a surprise.
I’m probably the worst blogger in the world. Hardly ever post, I have no idea what my page rank is and don’t care. I don’t monitor when it goes up or down. I’m more interested in people commenting and posting their own thoughts than making my site “sticky”. It’s the only way I learn.
ScottHa, as he will be hereafter known as, has posted his videos from ALT.NET conf.
http://www.hanselman.com/blog/ScottGuMVCPresentationAndScottHaScreencastFromALTNETConference.aspx
For what it’s worth (I actually have the MVC bits here in front of me) you define your routes explicitly, and expose them in the same way. It would take a conscious effort to do what you describe.
Also - the controller is business logic, so you wouldn’t just expose an arbitrary delete (at least that’s the idea).
But you also wouldn’t allow javascript to be entered into the comment field on a web page and emitted unescaped/unscrubbed right? Well sure, NOW we know that.
Post a Comment