Seaside done?

I hope this question isn't inflammatory.
I notice there's not much traffic on here any more.
Is that because Seaside is done, complete.
Or is it that Seaside has had its day and people are using other frameworks?



--
Sent from: http://forum.world.st/Seaside-General-f86180.html
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Yes - I think there's no traffic here because it is done - ie it works and
doesn't need attention.
(But my assumption could have been wrong - so hence my question).
 



--
Sent from: http://forum.world.st/Seaside-General-f86180.html
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Hi,

The discord channel has much more traffic than this list.

(https://discordapp.com/)

Also check https://pharo.org/community to generate a discord invitation.

regards,

bruno



On 24/03/2020 19:11, Jeff Gray wrote: _______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

We’re not done.
We’re small and slow.

Most of the people who still contribute have also less time to do that.
I encourage everyone to contribute via GitHub, create docs, etc… we are definitely following up (sometimes a bit too slow).

The mailinglist is alive. Discord is alive.

cheers
Johan

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

I prefer the mailing list to instant messaging, since it leaves a log
in some archive and works as rudimentary knowledge base that even so,
saved many of us several times.

That said, many of us are busy, some using Seaside daily for the last 5+ years.

But we are so busy that we're not even updating Seaside's website by a
blank placeholder with just its logo :)

Esteban A. Maringolo

On Wed, Mar 25, 2020 at 11:33 AM Johan Brichau <[hidden email]> wrote: _______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

I prefer the mailing list to instant messaging, since it leaves a log
in some archive and works as rudimentary knowledge base that even so,
saved many of us several times.
***************************************************************

Totally Agree !!!



--
Sent from: http://forum.world.st/Seaside-General-f86180.html
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Besides, Discord ain’t the greatest app for security-minded people. Can’t make a connection using my VPN without major headache. And Cox does monitor my traffic. Half a VPN is better than none.

I prefer the mailing list to instant messaging, since it leaves a log
in some archive and works as rudimentary knowledge base that even so,
saved many of us several times.
***************************************************************

Totally Agree !!!



--
Sent from: http://forum.world.st/Seaside-General-f86180.html
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Hi,

You can use Seaside REST on the server and any JS client framework to consume that services.
But i think this architecture is much expensive that generating all code on the server side.

regards,
bruno

I concur. Seaside is a great framework, and those who build and maintain it deserve our thanks.

However, I think the question was not whether it works, but what’s the current development status and whether it’s going anywhere. Without diminishing the effort of those why try to keep it current, I think it’s important to understand both the strength and the weaknesses.

Seaside is a fantastic framework to dynamically generate HTML that is in sync with the application state - continuations etc. The semantic that closely resembles HTML is great. That said, I think that like Smalltalk in general, Seaside’s destiny is to be a niche framework with a limited use mostly in tightly controlled internal environments like the one Bob describes.

‘It just works’ for a fairly narrow range of scenarios. It’s fine for an internal web application (with some limitations) but I wouldn’t use it for anything that requires a large-volume, security sensitive web app available publicly over the Internet. Here are my reasons, and to be clear - this is not intended as a criticism of those who dedicate their time and skill to keep it running:

Seaside security is fairly poor. It doesn’t offer any protection against CSRF attacks or session hijacking. The built-in basic authentication only supports MD5-hashed password which has not been considered secure since 2004. Using other authentication mechanisms is non-trivial and can lead to deploying catastrophically insecure application (don’t ask me how I know).

Seaside use of third-party JS libraries gives you two options: use a Seaside library that wraps the original JS, or use JS directly. The first option emits JS code that is several years behind (current Seaside jQuery is from 2017?), in most cases with known vulnerablities that are fairly easily exploitable. The second option robs the developer of all the nice application state integration capabilities. Both options lead to incredibly ugly JS code on the client side. Now - some people think that’s not a problem. I disagree - in a modern web application you need to be able to develop and debug at least partially in the web browser, and your JS readability will directly affect both your productivity and the quality of your code.

Last but not least, handling of volume has been issue. I don’t have experience with a deployed Seaside app on Pharo, but I know that on VW you quickly reach a point where your app performance suffers even with a couple hundred users. With GS, you need a multitude of Gems to handle even relatively modest load. I think this would be probably the worst weakness - today’s web apps are built for tens of thousands of concurrent users, and even with the use of a load balancer, this would be a limiting factor for anyone considering the deployment of a globally reachable web app.

Would I consider Seaside for a low-volume, tightly controlled internal web app? Absolutely. I would even use it for a publicly accessible web app in a geographically limited market and no sensitive data. But despite my admiration for the work that has been done, I would advise anyone against using it for anything ’serious’ on the open internet.

In that sense, I think Seaide is ‘done’ and not going anywhere. It can be maintained and incrementally improved for sure, but I don’t expect any new features that would make it feasible for a large scale app delivered to the masses.

 

Jerry Kott

This message has been digitally signed. 

PGP Fingerprint:

A9181736DD2F1B6CC7CF9E51AC8514F48C0979A5

On 09-04-2020, at 8:30 AM, Bob Nemec <[hidden email]> wrote:

FWIW: we are continuing to run and build a large (600+ users) enterprise 100% Smalltalk Seaside application running on GemStone. I don't post on this list mostly because I don't have issues with Seaside. It just works. GemTalk has been excellent in supporting our GS specific Seaside issues (which would be of little interest here). 

Much thanks to those that build and maintain Seaside. 

Bob Nemec

KORE / HTS

On Friday, March 27, 2020, 12:34:52 a.m. EDT, John Pfersich <[hidden email]> wrote:

Besides, Discord ain’t the greatest app for security-minded people. Can’t make a connection using my VPN without major headache. And Cox does monitor my traffic. Half a VPN is better than none.

/————————————————————/

For encrypted mail use [hidden email]

Get a free account at ProtonMail.com

Web: https://objectnets.net and https://objectnets.org

https://datascilv.com https://datascilv.org

On Mar 26, 2020, at 10:55, BrunoBB <[hidden email]> wrote:

I prefer the mailing list to instant messaging, since it leaves a log
in some archive and works as rudimentary knowledge base that even so,
saved many of us several times.
***************************************************************

Totally Agree !!!



--
Sent from: http://forum.world.st/Seaside-General-f86180.html
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Hi Jerry,

You pointed to several things in your email, and not to start a
discussion on each of them, but I'd like to add my remarks.

On Thu, Apr 9, 2020 at 6:40 PM Jerry Kott <[hidden email]> wrote:
>
> I concur. Seaside is a great framework, and those who build and maintain it deserve our thanks.

> Seaside security is fairly poor. It doesn’t offer any protection against CSRF attacks or session hijacking.

It currently does not, but could be added pretty easily, about session
hijacking it depends on how you implement the session tracking.

> The built-in basic authentication only supports MD5-hashed password which has not been considered secure since 2004. Using other authentication mechanisms is non-trivial and can lead to deploying catastrophically insecure application (don’t ask me how I know).

How do you know? :)
I'm still waiting for the summary of your Smalltalk security survey
(more than a year ago, AFAIR).

> Seaside use of third-party JS libraries gives you two options: use a Seaside library that wraps the original JS, or use JS directly.
> The first option emits JS code that is several years behind (current Seaside jQuery is from 2017?),
>  in most cases with known vulnerablities that are fairly easily exploitable.
> The second option robs the developer of all the nice application state integration capabilities.
> Both options lead to incredibly ugly JS code on the client side. Now - some people think that’s not a problem.
> I disagree - in a modern web application you need to be able to develop and debug at least partially in the web browser,
> and your JS readability will directly affect both your productivity and the quality of your code.

This is simply not true. Or not fair. :)
I've been working with several JS libraries, for some years, some as
part of WAFileLibrary (it is, embedded in Smalltalk code) and others
externally, and for performance I concat and minify some of the
external JS.
The generated JS by some library wrappers is not unreadable, on the
contrary, it is generated consistently the same, and it also depends
on how you architecture your app.
If you ever try to read the JS output of webpack or any "modern"
application it will be far more unreadable.

> Last but not least, handling of volume has been issue.
> I don’t have experience with a deployed Seaside app on Pharo,
> but I know that on VW you quickly reach a point where your app performance
> suffers even with a couple hundred users.

Here I kind of agree, even "a couple hundred" seems like a lot in my experience.
Of course it depends on the kind of application, but for a typical
backoffice kind of app, database bound, my threshold in Pharo was
always around ~20 users... per VM. My solution was to have several
worker VMs for this, and other worker VMs for REST APIs.

> With GS, you need a multitude of Gems to handle even relatively modest load.
> I think this would be probably the worst weakness - today’s web apps are built for tens of thousands of concurrent users,
> and even with the use of a load balancer, this would be a limiting factor for anyone
> considering the deployment of a globally reachable web app.

I don't know if there is anything built with Seaside that handles tens
of thousands concurrent users (it is C10K), but I don't think this has
to do with Seaside itself. It's a matter than maybe no Seaside
application was that successful. Going from 100, to 1K to 10K is not
just technical. Maybe Allstocker is the most recent large-scale
success, and you can read how they managed to do it [1].


> Would I consider Seaside for a low-volume, tightly controlled internal web app?
> Absolutely. I would even use it for a publicly accessible web app in a geographically limited market and no sensitive data.
> But despite my admiration for the work that has been done, I would advise anyone against using it for anything ’serious’ on the open internet.

> In that sense, I think Seaside is ‘done’ and not going anywhere.
> It can be maintained and incrementally improved for sure,
> but I don’t expect any new features that would make it feasible
> for a large scale app delivered to the masses.

I think the scalability comes from both the technology and the
architecture, I haven't seen a SSR app written fully in Go, and in my
circle I yet have to see a large, corporate-scale, React/Vue/Angular
application like the ones I've seen written in Seaside, Java or even
ASP (In all verisons).

The Seaside is not going nowhere, it's the tide that comes and goes :-)

Regards!

[1] https://pharoweekly.wordpress.com/2016/10/17/allstocker-internals/


Esteban A. Maringolo
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Hi Jerry, all,

>> Seaside security is fairly poor. It doesn’t offer any protection against CSRF attacks or session hijacking.
>
> It currently does not, but could be added pretty easily, about session
> hijacking it depends on how you implement the session tracking.

Session protection strategies can be implemented easily in Seaside using filters.
In the next release (3.4.0), we added an example WASessionCookieProtectionFilter, which implements a session tracking strategy that prevents CSRF attacks.
This implementation uses the Seaside framework to implement an effective session hijacking protection, and can be used in any Seaside version as far back as 3.0

There were other session protection filters already included in Seaside before, but they had practical downsides.
I will agree it would have been better that it was included sooner, but then again, Seaside does not include an authentication framework either.

When you say that Seaside security overall is very poor, can you compare this with other frameworks that focus on rendering web applications? Because ’security’ is way broader than what the framework allows you to do and Seaside does not even do a bad job at that point. For example, the rendering mechanism prevents explicitly from script injection attacks because all output is escaped by default, the default session keys are way better than Zoom’s meeting ids (lol ;). But if you see security-related bad practices that the Seaside framework itself promotes, please share them so we can improve.

>> The built-in basic authentication only supports MD5-hashed password which has not been considered secure since 2004. Using other authentication mechanisms is non-trivial and can lead to deploying catastrophically insecure application (don’t ask me how I know).

I don’t see how this can be true. Seaside has no built-in authentication mechanism. It depends on what you (can) use in the Smalltalk you are running it on.
If you choose to store passwords in clear text, there is nothing that any website framework will do to keep you from doing that.
If you are referring to existing authentication libraries implemented for Seaside, that may be true, but it’s by no means inherent to the framework.

This discussion heavily depends on what your application is doing.
In my experience, the performance bottleneck is mostly found outside of Seaside (i.e. in your application code or database). The biggest performance-related impact that Seaside adds is because of its continuation state, which consumes a lot of memory (and database transactions if you run Gemstone). I will not say that this definitely impacts your application, but similarly, it does add functionality that other frameworks are not offering.

All in all, if you write your application in C instead of Smalltalk, the same discussion would apply.

Now, that being said, the continuation state-tracking has become obsolete in the current world and it would be good if we can improve Seaside’s performance by making that optional. It actually is already possible in the framework, but there are caveats. Would be great if someone wants to explore that direction, btw.

>> With GS, you need a multitude of Gems to handle even relatively modest load.
>> I think this would be probably the worst weakness - today’s web apps are built for tens of thousands of concurrent users,
>> and even with the use of a load balancer, this would be a limiting factor for anyone
>> considering the deployment of a globally reachable web app.

There is maybe a little gap between an ‘internal web app for 2 people’ and a ‘globally reachable web app’ :)

We’re running gemstone instances of Yesplan with 150 concurrent users easily and the bottleneck on the number of users is entirely related to the application and not Seaside (although the thing I said above does apply).
Since we’re running multiple instances, we currently serve 10K concurrent users easily.

Maybe using NodeJs, you could run less instances, but there’s a limit to what any single-instance setup using any framework can do.

> The Seaside is not going nowhere, it's the tide that comes and goes :-)

I like that quote ;)

Cheers
Johan
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

That’s also the reason why I’m not commenting. The hazard of being a consultant (NDAs) though I find Seaside to be a useful tool in certain contexts.

I can’t discuss details because I am bound by confidentiality and intellectual property agreements. So… don’t ask :)

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside