I hope this question isn't inflammatory.
I notice there's not much traffic on here any more. Is that because Seaside is done, complete. Or is it that Seaside has had its day and people are using other frameworks? -- Sent from: http://forum.world.st/Seaside-General-f86180.html _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
That it lacks the mind share of the latest fad is irrelevant to me. If it is "done" is irrelevant to me also. It rocks. cheers, tty ---- On Tue, 24 Mar 2020 18:11:12 -0400 Jeff Gray <[hidden email]> wrote ----
_______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Yes - I think there's no traffic here because it is done - ie it works and
doesn't need attention. (But my assumption could have been wrong - so hence my question). -- Sent from: http://forum.world.st/Seaside-General-f86180.html _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
In reply to this post by Jeff Gray
Hi,
The discord channel has much more traffic than this list. (https://discordapp.com/) Also check https://pharo.org/community to generate a discord invitation. regards, bruno On 24/03/2020 19:11, Jeff Gray wrote: > I hope this question isn't inflammatory. > I notice there's not much traffic on here any more. > Is that because Seaside is done, complete. > Or is it that Seaside has had its day and people are using other frameworks? > > > > -- > Sent from: http://forum.world.st/Seaside-General-f86180.html > _______________________________________________ > seaside mailing list > [hidden email] > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
We’re not done.
We’re small and slow. Most of the people who still contribute have also less time to do that. I encourage everyone to contribute via GitHub, create docs, etc… we are definitely following up (sometimes a bit too slow). The mailinglist is alive. Discord is alive. cheers Johan > On 25 Mar 2020, at 15:20, Smalltalk <[hidden email]> wrote: > > Hi, > > The discord channel has much more traffic than this list. > > (https://discordapp.com/) > > Also check https://pharo.org/community to generate a discord invitation. > > regards, > > bruno > > > > On 24/03/2020 19:11, Jeff Gray wrote: >> I hope this question isn't inflammatory. >> I notice there's not much traffic on here any more. >> Is that because Seaside is done, complete. >> Or is it that Seaside has had its day and people are using other frameworks? >> >> >> >> -- >> Sent from: http://forum.world.st/Seaside-General-f86180.html >> _______________________________________________ >> seaside mailing list >> [hidden email] >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside > _______________________________________________ > seaside mailing list > [hidden email] > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
I prefer the mailing list to instant messaging, since it leaves a log
in some archive and works as rudimentary knowledge base that even so, saved many of us several times. That said, many of us are busy, some using Seaside daily for the last 5+ years. But we are so busy that we're not even updating Seaside's website by a blank placeholder with just its logo :) Esteban A. Maringolo On Wed, Mar 25, 2020 at 11:33 AM Johan Brichau <[hidden email]> wrote: > > We’re not done. > We’re small and slow. > > Most of the people who still contribute have also less time to do that. > I encourage everyone to contribute via GitHub, create docs, etc… we are definitely following up (sometimes a bit too slow). > > The mailinglist is alive. Discord is alive. > > cheers > Johan > > > On 25 Mar 2020, at 15:20, Smalltalk <[hidden email]> wrote: > > > > Hi, > > > > The discord channel has much more traffic than this list. > > > > (https://discordapp.com/) > > > > Also check https://pharo.org/community to generate a discord invitation. > > > > regards, > > > > bruno > > > > > > > > On 24/03/2020 19:11, Jeff Gray wrote: > >> I hope this question isn't inflammatory. > >> I notice there's not much traffic on here any more. > >> Is that because Seaside is done, complete. > >> Or is it that Seaside has had its day and people are using other frameworks? > >> > >> > >> > >> -- > >> Sent from: http://forum.world.st/Seaside-General-f86180.html > >> _______________________________________________ > >> seaside mailing list > >> [hidden email] > >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside > > _______________________________________________ > > seaside mailing list > > [hidden email] > > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside > > _______________________________________________ > seaside mailing list > [hidden email] > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
I prefer the mailing list to instant messaging, since it leaves a log
in some archive and works as rudimentary knowledge base that even so, saved many of us several times. *************************************************************** Totally Agree !!! -- Sent from: http://forum.world.st/Seaside-General-f86180.html _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Besides, Discord ain’t the greatest app for security-minded people. Can’t make a connection using my VPN without major headache. And Cox does monitor my traffic. Half a VPN is better than none.
/————————————————————/ For encrypted mail use [hidden email] Get a free account at ProtonMail.com Web: https://objectnets.net and https://objectnets.org https://datascilv.com https://datascilv.org On Mar 26, 2020, at 10:55, BrunoBB <[hidden email]> wrote:
_______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
FWIW: we are continuing to run and build a large (600+ users) enterprise 100% Smalltalk Seaside application running on GemStone. I don't post on this list mostly because I don't have issues with Seaside. It just works. GemTalk has been excellent in supporting our GS specific Seaside issues (which would be of little interest here). Much thanks to those that build and maintain Seaside. Bob Nemec KORE / HTS
On Friday, March 27, 2020, 12:34:52 a.m. EDT, John Pfersich <[hidden email]> wrote:
Besides, Discord ain’t the greatest app for security-minded people. Can’t make a connection using my VPN without major headache. And Cox does monitor my traffic. Half a VPN is better than none. /————————————————————/ For encrypted mail use [hidden email] Get a free account at ProtonMail.com Web: https://objectnets.net and https://objectnets.org https://datascilv.com https://datascilv.org On Mar 26, 2020, at 10:55, BrunoBB <[hidden email]> wrote:
_______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Bob Nemec
|
I concur. Seaside is a great framework, and those who build and maintain it deserve our thanks. However, I think the question was not whether it works, but what’s the current development status and whether it’s going anywhere. Without diminishing the effort of those why try to keep it current, I think it’s important to understand both the strength and the weaknesses. Seaside is a fantastic framework to dynamically generate HTML that is in sync with the application state - continuations etc. The semantic that closely resembles HTML is great. That said, I think that like Smalltalk in general, Seaside’s destiny is to be a niche framework with a limited use mostly in tightly controlled internal environments like the one Bob describes. ‘It just works’ for a fairly narrow range of scenarios. It’s fine for an internal web application (with some limitations) but I wouldn’t use it for anything that requires a large-volume, security sensitive web app available publicly over the Internet. Here are my reasons, and to be clear - this is not intended as a criticism of those who dedicate their time and skill to keep it running: Seaside security is fairly poor. It doesn’t offer any protection against CSRF attacks or session hijacking. The built-in basic authentication only supports MD5-hashed password which has not been considered secure since 2004. Using other authentication mechanisms is non-trivial and can lead to deploying catastrophically insecure application (don’t ask me how I know). Seaside use of third-party JS libraries gives you two options: use a Seaside library that wraps the original JS, or use JS directly. The first option emits JS code that is several years behind (current Seaside jQuery is from 2017?), in most cases with known vulnerablities that are fairly easily exploitable. The second option robs the developer of all the nice application state integration capabilities. Both options lead to incredibly ugly JS code on the client side. Now - some people think that’s not a problem. I disagree - in a modern web application you need to be able to develop and debug at least partially in the web browser, and your JS readability will directly affect both your productivity and the quality of your code. Last but not least, handling of volume has been issue. I don’t have experience with a deployed Seaside app on Pharo, but I know that on VW you quickly reach a point where your app performance suffers even with a couple hundred users. With GS, you need a multitude of Gems to handle even relatively modest load. I think this would be probably the worst weakness - today’s web apps are built for tens of thousands of concurrent users, and even with the use of a load balancer, this would be a limiting factor for anyone considering the deployment of a globally reachable web app. Would I consider Seaside for a low-volume, tightly controlled internal web app? Absolutely. I would even use it for a publicly accessible web app in a geographically limited market and no sensitive data. But despite my admiration for the work that has been done, I would advise anyone against using it for anything ’serious’ on the open internet. In that sense, I think Seaide is ‘done’ and not going anywhere. It can be maintained and incrementally improved for sure, but I don’t expect any new features that would make it feasible for a large scale app delivered to the masses. Jerry Kott This message has been digitally signed. PGP Fingerprint: A9181736DD2F1B6CC7CF9E51AC8514F48C0979A5
_______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside signature.asc (849 bytes) Download Attachment |
Hi, You can use Seaside REST on the server and any JS client
framework to consume that services. regards, On 09/04/2020 18:40, Jerry Kott wrote:
_______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
In reply to this post by Jerry Kott-3
Hi Jerry,
You pointed to several things in your email, and not to start a discussion on each of them, but I'd like to add my remarks. On Thu, Apr 9, 2020 at 6:40 PM Jerry Kott <[hidden email]> wrote: > > I concur. Seaside is a great framework, and those who build and maintain it deserve our thanks. > Seaside security is fairly poor. It doesn’t offer any protection against CSRF attacks or session hijacking. It currently does not, but could be added pretty easily, about session hijacking it depends on how you implement the session tracking. > The built-in basic authentication only supports MD5-hashed password which has not been considered secure since 2004. Using other authentication mechanisms is non-trivial and can lead to deploying catastrophically insecure application (don’t ask me how I know). How do you know? :) I'm still waiting for the summary of your Smalltalk security survey (more than a year ago, AFAIR). > Seaside use of third-party JS libraries gives you two options: use a Seaside library that wraps the original JS, or use JS directly. > The first option emits JS code that is several years behind (current Seaside jQuery is from 2017?), > in most cases with known vulnerablities that are fairly easily exploitable. > The second option robs the developer of all the nice application state integration capabilities. > Both options lead to incredibly ugly JS code on the client side. Now - some people think that’s not a problem. > I disagree - in a modern web application you need to be able to develop and debug at least partially in the web browser, > and your JS readability will directly affect both your productivity and the quality of your code. This is simply not true. Or not fair. :) I've been working with several JS libraries, for some years, some as part of WAFileLibrary (it is, embedded in Smalltalk code) and others externally, and for performance I concat and minify some of the external JS. The generated JS by some library wrappers is not unreadable, on the contrary, it is generated consistently the same, and it also depends on how you architecture your app. If you ever try to read the JS output of webpack or any "modern" application it will be far more unreadable. > Last but not least, handling of volume has been issue. > I don’t have experience with a deployed Seaside app on Pharo, > but I know that on VW you quickly reach a point where your app performance > suffers even with a couple hundred users. Here I kind of agree, even "a couple hundred" seems like a lot in my experience. Of course it depends on the kind of application, but for a typical backoffice kind of app, database bound, my threshold in Pharo was always around ~20 users... per VM. My solution was to have several worker VMs for this, and other worker VMs for REST APIs. > With GS, you need a multitude of Gems to handle even relatively modest load. > I think this would be probably the worst weakness - today’s web apps are built for tens of thousands of concurrent users, > and even with the use of a load balancer, this would be a limiting factor for anyone > considering the deployment of a globally reachable web app. I don't know if there is anything built with Seaside that handles tens of thousands concurrent users (it is C10K), but I don't think this has to do with Seaside itself. It's a matter than maybe no Seaside application was that successful. Going from 100, to 1K to 10K is not just technical. Maybe Allstocker is the most recent large-scale success, and you can read how they managed to do it [1]. > Would I consider Seaside for a low-volume, tightly controlled internal web app? > Absolutely. I would even use it for a publicly accessible web app in a geographically limited market and no sensitive data. > But despite my admiration for the work that has been done, I would advise anyone against using it for anything ’serious’ on the open internet. > In that sense, I think Seaside is ‘done’ and not going anywhere. > It can be maintained and incrementally improved for sure, > but I don’t expect any new features that would make it feasible > for a large scale app delivered to the masses. I think the scalability comes from both the technology and the architecture, I haven't seen a SSR app written fully in Go, and in my circle I yet have to see a large, corporate-scale, React/Vue/Angular application like the ones I've seen written in Seaside, Java or even ASP (In all verisons). The Seaside is not going nowhere, it's the tide that comes and goes :-) Regards! [1] https://pharoweekly.wordpress.com/2016/10/17/allstocker-internals/ Esteban A. Maringolo _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Hi Jerry, all,
>> Seaside security is fairly poor. It doesn’t offer any protection against CSRF attacks or session hijacking. > > It currently does not, but could be added pretty easily, about session > hijacking it depends on how you implement the session tracking. Session protection strategies can be implemented easily in Seaside using filters. In the next release (3.4.0), we added an example WASessionCookieProtectionFilter, which implements a session tracking strategy that prevents CSRF attacks. This implementation uses the Seaside framework to implement an effective session hijacking protection, and can be used in any Seaside version as far back as 3.0 There were other session protection filters already included in Seaside before, but they had practical downsides. I will agree it would have been better that it was included sooner, but then again, Seaside does not include an authentication framework either. When you say that Seaside security overall is very poor, can you compare this with other frameworks that focus on rendering web applications? Because ’security’ is way broader than what the framework allows you to do and Seaside does not even do a bad job at that point. For example, the rendering mechanism prevents explicitly from script injection attacks because all output is escaped by default, the default session keys are way better than Zoom’s meeting ids (lol ;). But if you see security-related bad practices that the Seaside framework itself promotes, please share them so we can improve. >> The built-in basic authentication only supports MD5-hashed password which has not been considered secure since 2004. Using other authentication mechanisms is non-trivial and can lead to deploying catastrophically insecure application (don’t ask me how I know). I don’t see how this can be true. Seaside has no built-in authentication mechanism. It depends on what you (can) use in the Smalltalk you are running it on. If you choose to store passwords in clear text, there is nothing that any website framework will do to keep you from doing that. If you are referring to existing authentication libraries implemented for Seaside, that may be true, but it’s by no means inherent to the framework. >> Last but not least, handling of volume has been issue. >> I don’t have experience with a deployed Seaside app on Pharo, >> but I know that on VW you quickly reach a point where your app performance >> suffers even with a couple hundred users. > > Here I kind of agree, even "a couple hundred" seems like a lot in my experience. > Of course it depends on the kind of application, but for a typical > backoffice kind of app, database bound, my threshold in Pharo was > always around ~20 users... per VM. My solution was to have several > worker VMs for this, and other worker VMs for REST APIs. This discussion heavily depends on what your application is doing. In my experience, the performance bottleneck is mostly found outside of Seaside (i.e. in your application code or database). The biggest performance-related impact that Seaside adds is because of its continuation state, which consumes a lot of memory (and database transactions if you run Gemstone). I will not say that this definitely impacts your application, but similarly, it does add functionality that other frameworks are not offering. All in all, if you write your application in C instead of Smalltalk, the same discussion would apply. Now, that being said, the continuation state-tracking has become obsolete in the current world and it would be good if we can improve Seaside’s performance by making that optional. It actually is already possible in the framework, but there are caveats. Would be great if someone wants to explore that direction, btw. >> With GS, you need a multitude of Gems to handle even relatively modest load. >> I think this would be probably the worst weakness - today’s web apps are built for tens of thousands of concurrent users, >> and even with the use of a load balancer, this would be a limiting factor for anyone >> considering the deployment of a globally reachable web app. There is maybe a little gap between an ‘internal web app for 2 people’ and a ‘globally reachable web app’ :) We’re running gemstone instances of Yesplan with 150 concurrent users easily and the bottleneck on the number of users is entirely related to the application and not Seaside (although the thing I said above does apply). Since we’re running multiple instances, we currently serve 10K concurrent users easily. Maybe using NodeJs, you could run less instances, but there’s a limit to what any single-instance setup using any framework can do. > The Seaside is not going nowhere, it's the tide that comes and goes :-) I like that quote ;) Cheers Johan _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Thanks for everyone's feedback. I am not going to get drawn into ‘compare Seaside vs. X’. Zoom is hardly a benchmark we should be using anyway. As for other web frameworks, there are so many different criteria and usage scenarios that any attempt for comparison would immediately raise objections from someone, and this thread could quickly devolve into a ‘what about …’ kind of discussion. WAAdmin class >> register:asApplicationAt:user:password: uses WAAuthConfiguration and WAAuthenticationFilter so there IS a default authentication of components. However, I may have been wrong in stating that the algorithm used is MD5. I remember if from a couple of years ago, and in any way this appears to be GRPlatform specific, so not exactly a Seaside issue. My humble apologies. I know about the authentication issues because I’ve seen them, and I had to fix them. I can’t discuss details because I am bound by confidentiality and intellectual property agreements. So… don’t ask :) When it comes to security concerns, again comparisons with other tools are pointless. What matters is ‘is X vulnerable, and if so, is it exploitable’. That ‘it can be fixed easily’ doesn’t matter. I am aware that Seaside escapes all output so (AFAIK) there is no XSS vulnerability. I’d be only too happy to see more action on Seaside because it IS a great framework, and I look forward to subject it to a bit more formal security tests if I get a change. I don’t want to change the subject of this thread, so I am going to write about the security survey in another thread. Here I’ll just mention that I reported on it quite extensively at ESUG 2018. I mentioned both in my presentation and in the mailing lists the creation of a Smalltalk security google group, interest from the community has been minimal. I stopped paying the $30/month for Survey Monkey after about a year, but I do have the raw data somewhere. As I said - subject for another thread. Keep up the good work - don’t take my reservations the wrong way. Seaside has its place, it’s just that it has been and will remain a niche. Jerry Kott This message has been digitally signed. PGP Fingerprint: A9181736DD2F1B6CC7CF9E51AC8514F48C0979A5
_______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside signature.asc (849 bytes) Download Attachment |
That’s also the reason why I’m not commenting. The hazard of being a consultant (NDAs) though I find Seaside to be a useful tool in certain contexts.
/—————————————————————/ For encrypted mail use [hidden email] - Free account at ProtonMail.com Web: https://objectnets.net and https://objectnets.org https://datascilv.com https://datascilv.org On Apr 11, 2020, at 21:48, Jerry Kott <[hidden email]> wrote:
_______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Free forum by Nabble | Edit this page |