Thursday, June 25, 2009

At Least We Knew Where Clinton Was

Turns out South Carolina mystery man Mark Sanford was out getting his package stimulated. First Ensign, now this.

Feel free to insert your own remark about astonishing Republican hypocrisy here. I'm worn out.

Friday, June 19, 2009

It's The Framework, Stupid

I'm looking at Scala. It uses static typing, albeit in a sophisticated, type-inferred-when-we-can way. But still: plenty of syntax, and rules, rules, rules. The last static language I learned was Java, about ten years ago. Since then, I've been much more interested in dynamic languages like Python and Ruby.

So why Scala? Because of Lift. I think we're at a point where framework trumps language, and I want to give Lift a try. Hence, Scala.

So why Lift? Because the value of a framework is in the code you don't write, and the worries you don't have. I've been learning/thinking about web security lately, and it's not trivial. Passwords, for example: pretty much everyone knows that passwords shouldn't be stored as plain text. But do you understand why adding a salt to the hash matters? Why you should use a different salt for each password? Why storing the salts as plain text right next to the passwords is not a risk? Which hash you should use? (If you want to dive into all this, here's a good starting point. Read the comments, too.)

There's a lot to it, and that's just passwords. There are plenty more ways to screw up web security, and I'd just as soon hand all that off to the framework. So, when I read this blog post by David Pollak, the creator of Lift, the stuff under the Lift offers unparalleled security heading got me all excited. It sounds like Lift has security baked in.

Contrast that with Rails, where there's still no canonical authentication/authorization solution. Plugins? Sure. But this functionality is critical. It belongs in core. That makes the code better, because you've got more people using it, looking at it, poking at it. And everyone gets the fixes automatically when they upgrade. Then there's the unescaped HTML thing. Rails still leaves it up to you, the developer. Over-all, I'm left feeling that security just isn't high on the list for the Rails core team. But leaving it to us application developers is dangerous.

Lift looks like a potential big win. It'll take me a little extra time to get the basics of Scala into my head, but I expect to make that time up pretty quickly. Within a project or two, if Lift works out for me. After that, it's all upside.