[Seaside] Seaside done?

Jerry Kott jkott at image-ware.com
Thu Apr 9 21:40:24 UTC 2020


I concur. Seaside is a great framework, and those who build and maintain it deserve our thanks.

However, I think the question was not whether it works, but what’s the current development status and whether it’s going anywhere. Without diminishing the effort of those who try to keep it current, I think it’s important to understand both the strengths and the weaknesses.

Seaside is a fantastic framework to dynamically generate HTML that is in sync with the application state - continuations etc. The semantic that closely resembles HTML is great. That said, I think that like Smalltalk in general, Seaside’s destiny is to be a niche framework with a limited use mostly in tightly controlled internal environments like the one Bob describes.

‘It just works’ for a fairly narrow range of scenarios. It’s fine for an internal web application (with some limitations) but I wouldn’t use it for anything that requires a large-volume, security-sensitive web app available publicly over the Internet. Here are my reasons, and to be clear - this is not intended as a criticism of those who dedicate their time and skill to keep it running:

Seaside security is fairly poor. It doesn’t offer any protection against CSRF attacks or session hijacking. The built-in basic authentication only supports MD5-hashed passwords, which have not been considered secure since 2004. Using other authentication mechanisms is non-trivial and can lead to deploying a catastrophically insecure application (don’t ask me how I know).

Seaside’s use of third-party JS libraries gives you two options: use a Seaside library that wraps the original JS, or use JS directly. The first option emits JS code that is several years behind (current Seaside jQuery is from 2017?), in most cases with known vulnerabilities that are fairly easily exploitable. The second option robs the developer of all the nice application state integration capabilities. Both options lead to incredibly ugly JS code on the client side. Now - some people think that’s not a problem. I disagree - in a modern web application you need to be able to develop and debug at least partially in the web browser, and your JS readability will directly affect both your productivity and the quality of your code.

Last but not least, handling of volume has been an issue. I don’t have experience with a deployed Seaside app on Pharo, but I know that on VW you quickly reach a point where your app performance suffers even with a couple hundred users. With GS, you need a multitude of Gems to handle even relatively modest load. I think this would be probably the worst weakness - today’s web apps are built for tens of thousands of concurrent users, and even with the use of a load balancer, this would be a limiting factor for anyone considering the deployment of a globally reachable web app.

Would I consider Seaside for a low-volume, tightly controlled internal web app? Absolutely. I would even use it for a publicly accessible web app in a geographically limited market and no sensitive data. But despite my admiration for the work that has been done, I would advise anyone against using it for anything ‘serious’ on the open internet.

In that sense, I think Seaside is ‘done’ and not going anywhere. It can be maintained and incrementally improved for sure, but I don’t expect any new features that would make it feasible for a large scale app delivered to the masses.

Jerry Kott
This message has been digitally signed.
PGP Fingerprint:
A9181736DD2F1B6CC7CF9E51AC8514F48C0979A5



> On 09-04-2020, at 8:30 AM, Bob Nemec <bobn at rogers.com> wrote:
> 
> FWIW: we are continuing to run and build a large (600+ users) enterprise 100% Smalltalk Seaside application running on GemStone. I don't post on this list mostly because I don't have issues with Seaside. It just works. GemTalk has been excellent in supporting our GS specific Seaside issues (which would be of little interest here).
> 
> Much thanks to those that build and maintain Seaside.
> 
> Bob Nemec
> KORE / HTS
> 
> 
> On Friday, March 27, 2020, 12:34:52 a.m. EDT, John Pfersich <jpfersich at gmail.com> wrote:
> 
> 
> Besides, Discord ain’t the greatest app for security-minded people. Can’t make a connection using my VPN without major headache. And Cox does monitor my traffic. Half a VPN is better than none.
> 
> /————————————————————/
> For encrypted mail use jgpfersich at protonmail.com
> Get a free account at ProtonMail.com
> Web: https://objectnets.net and https://objectnets.org
> https://datascilv.com https://datascilv.org
> 
> 
>> On Mar 26, 2020, at 10:55, BrunoBB <smalltalk at adinet.com.uy> wrote:
>> 
> 
>> I prefer the mailing list to instant messaging, since it leaves a log
>> in some archive and works as rudimentary knowledge base that even so,
>> saved many of us several times.
>> ***************************************************************
>> 
>> Totally Agree !!!
>> 
>> 
>> 
>> --
>> Sent from: http://forum.world.st/Seaside-General-f86180.html
>> _______________________________________________
>> seaside mailing list
>> seaside at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
> 
