Jan 07

Gears Future APIs: Crypto API


As soon as you build richer and heavier applications that have any data or logic on the client, you get into the world of security. Ajax security is a hot topic. On the one hand, the game hasn’t changed at all:

Don’t trust the client!

But we see XSS, CSRF, and other tactics being used to do bad things. With the Gears Database component, we have to think about how safe that data is. Although keeping data on a local machine is a bad thing, we have seen people use encrypted partitions to get some level of security. What if we could have a layer of Crypto in Gears itself? This would mean that a Web developer could use Crypto anywhere in their Web application.

Dojo Offline put encryption on top of Gears. In Dojo SQL you can use a magic ENCRYPT() function in your SQL string and it will be grabbed out and encrypted for you.

“Under the covers Dojo SQL’s cryptography is powered by 256-bit AES, using the passphrase you provide to derive the key. Specifically, we use the JavaScript AES implementation given here if you would like to study how it works; special thanks to Chris Veness for contributing the AES encryption code to Dojo.”

There are some JavaScript-based AES libraries such as ecmaScrypt, but the performance tends to be a touch slow. This problem is going away in the future as we see ActionMonkey come alive, as well as other trace-based JIT compilers for JavaScript. This is still in future land though, so what about now?

There are some big questions when you really think about what a Gears Crypto API should be:

  • How low level should it be? Just a wrapper on something like openssl?
  • Should we just put encryption into the existing APIs?
  • What are we truly trying to solve here?

In general, when you aren’t sure, you end up getting low level APIs and you sit and wait for developers to build on top of them. This is one area where I would like to see a higher level API. In my experience, Crypto APIs are always too complex and in your face. Often you don’t want to choose a million options. You want to say “Erm, can you just encrypt this really well?”.

Would you like to see a crypto API that you could just use? If so, what would you actually like to see?
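What a “just encrypt this really well” call could look like, as an added example that is not Gears, Dojo or the author's code. The function names sealText and openText, the choice of scrypt with AES-256-GCM, the work factor and the blob layout are all assumptions of this sketch, written for Node.js:

```javascript
// Added example: sealText/openText are hypothetical names, not a Gears or Dojo API.
const nodeCrypto = require("node:crypto");

const VERSION = 1;   // format byte, so parameters can be changed later
const SALT_LEN = 16; // fresh random salt per message
const IV_LEN = 12;   // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;  // GCM authentication tag
const HEADER_LEN = 1 + SALT_LEN + IV_LEN;
// Assumed work factor; raise N as hardware allows.
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the passphrase into a 256-bit key; the salt makes each key unique.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase.normalize("NFKC"), salt, 32, SCRYPT);
}

// Encrypt a string. Output: base64(version | salt | iv | ciphertext | tag).
function sealText(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const header = Buffer.concat([Buffer.from([VERSION]), salt, iv]);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  cipher.setAAD(header); // bind the header to the tag so it cannot be swapped
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([header, body, cipher.getAuthTag()]).toString("base64");
}

// Decrypt; throws on a wrong passphrase or on any modified byte.
function openText(passphrase, sealed) {
  const blob = Buffer.from(sealed, "base64");
  if (blob.length < HEADER_LEN + TAG_LEN || blob[0] !== VERSION) {
    throw new Error("unsupported or truncated blob");
  }
  const header = blob.subarray(0, HEADER_LEN);
  const salt = header.subarray(1, 1 + SALT_LEN);
  const iv = header.subarray(1 + SALT_LEN);
  const body = blob.subarray(HEADER_LEN, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  decipher.setAAD(header);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}
```

The caller never picks a mode, nonce or salt, and a wrong passphrase or a tampered blob surfaces as an exception rather than as garbage plaintext.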

Other Future APIs

Disclaimer: This is me rambling about APIs and tools that I would love to see in Gears, or the Open Web as a whole. Do you have ideas for cool Gears that make the Web better? Let us know!

Jan 07

Andi Gutmans Predicts


Andi Gutmans, of Zend, has put together his own list of predictions for 2008.

Andi is a really good bloke. I met him a few years back when I actually advised Zend on a couple of matters. What impressed me the most was how rounded he was. He wasn’t a “PHP is better than anything else out there” kind of guy. He appreciated aspects of other platforms, and we had some good chats about Ruby and Java. It was a real pleasure, and it caused me to take on a serious project in PHP. I had scoffed at 5000 functions in one global namespace, but there were things about PHP that I actually enjoyed, mainly from a pragmatic standpoint (deployment was one!).

Let’s take a look at his thoughts:

Java on the Web continues to lose market share

This depends on what you mean by “Java”. I think that the JVM could be used more and more for deployments, even though Andi thinks that it is ill suited. LAMP is nice, but the JVM has some advantages, although it has some serious disadvantages too.

I do think that the Java community has been spreading. Some jumped on Rails. Others tried .NET. Others are playing with Python. Adventurous ones are playing with Erlang. Not all are abandoning the Java platform though. As well as staying with the new world of Spring Web Flow, Seam, Tapestry 5, and Struts 2, others are on the VM with Grails. Some of the folk that jumped to Rails are looking back at JRuby to get a better deployment model, or integration.

2008 will be a mixed year for Java, but not necessarily a bad one.

The next layer of the virtualization eco-system will start thriving

This looks exciting. I do hope that we get there in the next year or so. I want to get a computer that has a few hosts installed for me all under virtualization.

Hybrid Rich Internet Applications become an accepted “standard”

We have seen Microsoft and Adobe both giving lip service to the Ajax crowd. AIR has good support for Ajax applications. Using the Webkit engine is great, but a browser is more than a renderer, and I look to see the implementation grow in 2008. For example, I want more plugin support (other than Flash).

I agree with Andi that no one is going to “win” this one. Flex will do well. Ajax will do well. I obviously hope that the Open Web will progress a lot with new browsers, and with Gears there to innovate, push, and be there as a platform to prop up browsers that don’t do their job.

I am not sure that I agree with the importance of the Open Ajax Alliance piece. I have yet to see anyone other than vendors talk about it. No-one seems to care.

“Hardware On Demand” becomes real

I don’t want to deal with a hosting provider anymore. I want to develop an application with a new tool (probably web based) that allows me to work through the entire develop, debug, publish lifecycle.

One of the major non-Eclipse vendors will lead a new Eclipse.org tooling project

I have a mixed opinion here. I am not an Eclipse fan. It feels bloated. I don’t get “perspectives”. It suffers from not having a dictator on top making sure that it all works well together. Instead you get a million plugins. Aptana has done a good job at using Eclipse but having it not really look like Eclipse.

What about PHP?

I wonder what 2008 will be like for PHP, Andi. I have no doubt that it will continue to power a huge number of websites. But, what is PHP doing in 2008 to increase its share in the non-hacker-kiddie crowd? Is the Zend Framework going to compete with Rails and the like? How is PHP going to evolve? I want to be able to do richer DSLs with full open classes and meta-support.

Jan 06

Reading the news, and how the iPhone has changed things


I was sitting at my parents over the winter break checking up on the news. You know, how Man U are doing, laughing at the Scoble issue, the caucus news, and of course all of the details of Britney and her sister and how they are great role models for parenting.

I suddenly realised that I was doing this all on a tiny phone, and it was working out pretty well. It is a touch small, and zooming around can be a pain depending on the layout. You find yourself flipping between landscape and portrait, but it pretty much does the job.

Look at the difference between how I read the news the last time I was at my parents house:

[Image: Reading News in 2000 and before]

And now:

[Image: Reading News in 2008 and beyond]

I am wondering if the Kindle fits in to this picture too. I am tempted to get one. I love the idea of the device always just being on and working, and not having a monthly bill for that privilege. My only concern is whether or not I need another device. Can I just use the phone? Or, my laptop?

Speaking of laptops, ever since I got Emily an iPhone, I have seen her computer use diminish. Sure, she still does her email / browsing on it sometimes, and of course she has to be on it for Scrabulous, but in general she does most of this on her iPhone too. I am starting to grok the Asian way even more, and how, especially for Joe Schmo who mainly used the computer for email/browsing, the laptop may get less and less use over time.

CES is here, and I wonder what other convergence devices are on show.

Jan 05

The definition of cute, Sam, and Eeyore fixing


[Image: Sam Fixing Eeyore]

cute [kyoot] had a new definition today. Sam has been watching Pooh again, and he got a new tool bench for Christmas this year.

We walk into his room this morning and he has Eeyore in one hand, and a hammer in the other and he is trying to fix him by putting his tail on. Awwww.

[Image: Sam Fixing Eeyore]

Speaking of Pooh. I can’t believe that this title made it through the publisher’s watching eye. I don’t think that “Cooking with Pooh” will sell well:

Jan 05

Skynet: MapReduce in Ruby


Adam Pisoni of Geni.com has released a Ruby Gem of a new library skynet (have to love the name!), which is a Ruby implementation of MapReduce (not a wrapper on Hadoop or anything like that):

With Skynet, one can easily convert a time-consuming serial task, such as a computationally expensive Rails migration, into a distributed program running on many computers.

Skynet is an adaptive, self-upgrading, fault-tolerant, and fully distributed system with no single point of failure. It uses a “peer recovery” system where workers watch out for each other. If a worker dies or fails for any reason, another worker will notice and pick up that task. Skynet also has no special ‘master’ servers, only workers which can act as a master for any task at any time. Even these master tasks can fail and will be picked up by other workers.

In general:

Skynet works by putting “tasks” on a message queue which are picked up by skynet workers, who execute the tasks, then put their results back on the message queue. Skynet works best when it runs with your code. For example, you might have a rails app and want some code you’ve already written to run asynchronously or in a distributed way. Skynet can run within your code by installing a skynet launcher into your app. Running this skynet launcher within your app guarantees all skynet workers will have access to your code. This will be covered later.

Skynet currently supports 2 message queue systems, TupleSpace and Mysql. By default, the TupleSpace queue is used as it is the easiest to set up, though it is less powerful and less scalable for large installations.

If you are in Rails-land, you get some nice additions to ActiveRecord such as a distributed find:

YourModel.distributed_find(:all).each(YourClass)
YourModel.distributed_find(:all).each(:somemethod)

and send_later:

model_object.send_later(:method, options, :save)

I can’t wait to see people implementing Terminators ;)

Jan 05

Larry Wall: Programming is Hard, Let’s Go Scripting…


Larry takes a high level view of the past, present, and future, to create a case for Perl 6.

I hope the future isn’t so far out that Will Smith is the only person alive to see it…. along with some Zombies.

Scripting

But basically, scripting is not a technical term. When we call something a scripting language, we’re primarily making a linguistic and cultural judgment, not a technical judgment.

I see scripting as one of the humanities. It’s our linguistic roots showing through.

Declarational

In Lua, an object is just a hash, and there’s a bit of syntactic sugar to call a hash element if it happens to contain code. That’s all there is. They don’t even have classes. Anything resembling inheritance has to be handled by explicit delegation.

Prototype vs. Class

Real organisms just copy their DNA when they reproduce. They don’t have some DNA of their own, and an @ISA array telling you which parent objects contain the rest of their DNA.

Functional or object-oriented

Of course, some of us can’t make up our minds whether we’d rather emulate the logical Sherlock Holmes or sociable Dr. Watson. Fortunately, scripting is not incompatible with either of these approaches, because both approaches can be made more approachable to normal folk.

Jan 04

The Zed Shaw Interview


Rob kindly kicked in some podcasting time when he was at RailsConf, and I sat on the content for far too long. It didn’t really fit right on Ajaxian, since Zed only talks about Ajax a little bit, but it was fun content and I wanted to get it out there, so I finally published the interview with Zed Shaw on the Rails community, the role of the Enterprise, the state of Ajax, JRuby and Rubinius, documentation, tests, tooling, the role of patents in software, and a whole lot of opinion.

It is interesting to listen to Zed in the wake of his Rails rant, as you see some of the seeds of that rant, but hearing them with a real voice is a lot different to the harsh medium of the pen. It is softer to hear someone jabber on, even if he still swears and has very strong opinions indeed.

People like to pick sides, but I am trying not to. There is some truth in there, and things that the Rails community can learn from at the very least. Then again, I haven’t been personally abused in his rant so it is easier for me to take than someone who was directly attacked.

A few quotes:

  • On Semantic Web: Einstein’s brain on a crack whore’s body isn’t going to happen
  • I’m waiting for someone to blind-side the entire Web stack
  • Some people hate me, but love Mongrel
  • Where is the XP for managers?

Listen to the interview directly, or subscribe to the podcast.

Jan 04

4 fewer dogs showed up at Google today!


I have talked before about the interesting view that you get from working at a company that has many people focused on its every move.

One of the interesting types of posts is the “Bob left Google!” one.

Some people assume that if Bob left, all hell is breaking loose over in the ‘plex. Of course, if you do the maths and use common sense you see that:

  • Google is a large company now. Lots of people are going to be moving on to other things. Shift happens.
  • Google is a large company now. Many great people are joining
  • Google is a large company now. Some people may not want to work for a large company, but prefer the startup thing, or something else.
  • Google is a successful company. Let’s face it, some people made insane amounts of money and can afford to do nothing, become angels, or anything else.

In some ways it is great to see a bit of a revolving door. It allows some of the new folks to come in and shake things up in different ways. This will result in great new products, and amazing updates. 2008 will be a great one for Google.

Regarding people that leave, this also doesn’t have to be a bad thing for Google. Hopefully it sends them out into the wild to start other Googley companies with connections back to us.

Nathan Stoll puts it well:

I’ve been comforted by the realization that Google benefits by my departure to tackle new endeavors. Great companies like Goldman Sachs, McKinsey & Company, Procter & Gamble, and GE all consistently turn out leaders in their fields; their employee departures complement the mother ship by spreading the culture and working ethos. Google has many more fine minds joining than it has leaving, and is training them to be technology-focused leaders with a passion for building great consumer focused services.

Jan 04

Predicting Rails with Google Trends


Since the Zed Shaw rant, everyone has been coming out of the woodwork to say one of:

  • Zed is a dick, and wrong
  • Zed is a dick, and right
  • Rails is OK, and here is why
  • Rails is in trouble, and here is why

Tim Bray put his predictions out there, and Joe Gregorio responded.

One of the core problems with predicting the future is knowing the present. When you look at “how successful Rails is” people use varying metrics:

  • Woooah look at the book sales
  • DHH is being really loud
  • Look at the number of jobs out there
  • Look at Google Trends
  • I know a couple of people, and one of them is doing a startup in Rails

Obviously, they are all minor data points. To talk to Joe’s Google Trends hypothesis, you normally find that a technology takes off at some point, and lots of people start talking about it. Many of these people are not even using the technology. Some are checking it out for the first time. Some are ranting against it. A lot of this kind of talk has died down and Rails is maturing.

I am not going to predict anything about Rails. Who cares? We are seeing more projects coming online, and I have seen successful projects rolling out. When I do a new project, Rails is a serious contender, but sure it isn’t the only one.

Ok, one little prediction:

More live applications will be launched on Rails in 2008 than in 2007.

Jan 04

The television flip of 2008


2004

“Oh man, the only content online is silly crud on YouTube of guys getting hit in the balls. Where is the quality of something like The West Wing?”

2008

“Oh man, the only content on network TV is silly reality crud. Where is the creativity of something like Ze Frank?”

With the writers’ strike we are seeing more and more reality shows on TV to fill the gap. On the other side of the coin we see investors grabbing the writers to get them building content online. As writers get success they can bypass the middleman, or they can then sell back to the networks from a more powerful position.