Some Orthodox Heresies

August 18, 2009 – 12:09 pm

Just back from a long weekend, a couple of things struck me this morning that are evident but not perhaps obvious. Reality always has multiple sides, so in true Jenny Holzer style, please accept (but not entirely) these small web-development truisms:

  • Plugins are not evil.
  • The web is a force for social change.
  • The internet centralizes power…slowly…oh so slowly…
  • CSS is the problem. Also, the solution.
  • Competition does not mean that your favorite player wins.
  • JavaScript cannot save you. Even if it could, you should not let it, for the price of this short-term salvation is the end of what you like about the web.
  • Fast is better than slow. Slow is better than closed.
  • A web that isn’t extensible will wither and die.
  • Proprietary can be incredibly fast.
  • The sooner we take HTML out of the hands of C++ hackers, the sooner we’ll screw it up.
  • Extensibility is a crutch.
  • Plugins bring the advantages of slow development, unportable code, hard failure, and security holes to a platform designed to remove them. In other words, they’re totally evil. Also, they make the web awesome.
  • Getting what you want will not make you happy. It is your inner dissonance that brought you to the web in the first place. You might as well own it.
  • “Proprietary” is the loser’s word for “I’m too lazy to copy the good parts”.
  • Small firms are always more nimble and therefore better.
  • You can’t beat big companies in the end.
  • HTML 5 is a cruel joke — I can’t wait for it to be done.
By alex | Posted in Uncategorized | Tagged | Comments (6)

JS 1.8 Function Expressions: The Opposite of “Good”

August 6, 2009 – 2:02 pm

JavaScript is crying out for a way to write functions more tersely. I’ve added my suggestion to the debate, and was vaguely aware that Mozilla had implemented “function expressions”. It wasn’t until I saw their use in the (excellent) ProtoVis examples that I realized how stomach-churningly bad the syntax for them is. Instead of dropping the word function from the declaration of lambdas, they kill the { } charachters, leaving the big visual turd at the front of the lambda while simultaneously omitting the symmetrical visual aid that allows programmers to more easily spot missing terminators.

Oof.

It’d be one thing of the feature saved enough effort (typing) to justify the confusion, but it doesn’t. Bitter syntactic sugar in a language that’s already complicated by whitespace issues should be avoided.

By alex | Posted in Uncategorized | Tagged , , , | Comments (11)

Perspective

July 23, 2009 – 7:28 pm

So after receiving a keyboard-lashing from myself and others regarding some comments he made, Chris has walked a lot of it back and bravely noted where his new perspective conflicts with the old. It takes guts to do that.

My original comments were born of my frustration the internecine strife that seems to follow every discussion about OSS licensing. It’s one of the reasons that I was so grateful for Dion’s 100-point scale for judging community because it helps put all of this stuff into a perspective that lets you evaluate what’s more likely to be good for a broad audience from what’s more likely to hurt people along the way. There will always be both individual and corporate involvement in OSS, and both are good things, but neither are unalloyed forces for lightness and right. They’ve got down-sides. OSS communities and hackers should be honest about them and evaluate them on the merits and likely outcomes. It took me a long time to come to that perspective and it’s and one that I’m happy to see Chris weighing. Kudos to him for taking it in stride.

Correction: I wrongly attributed the 100-point scale to Ben instead of Dion. Totally n00b mistake. My apologies.

By alex | Posted in Uncategorized | Comments (2)

Automated Dojo Layer Builds in ZF 1.9.0 Preview

July 23, 2009 – 12:18 pm

Early on in discussions with the excellent folks at Zend, one of the possibilities that made everyone in the room excited was the ability to use server-side smarts about client-side work to automate performance optimizations in ZF apps. After lots of great work on getting Dojo integrated, Zend Framework is making that a reality by support automated custom builds in ZF 1.9.0’s preview release.

What does this buy you? You get to use the Zend helpers for Dojo as you normally would, simplifying how you pull in code, declare components, and build your UI. What this new integration saves you is the tedium of figuring out which components you’re using everywhere, building a layer file for it, kicking off a build, and remembering to re-visit the layer definition when you project adds or removes modules. Hopefully ZF 1.9 should lower the barrier to taking advantage of the full range of Dojo-based optimizations, making it easier to prototype quickly and deploy easily. Exciting stuff!

By alex | Posted in Uncategorized | Tagged , , , | Comments (1)

OSCON dojo.beer() Tonight!

July 22, 2009 – 7:50 am

Sorry for the late notice, but the inimitable Matthew Russell has organized another dojo.beer() event for 7pm tonight (Wed, July 22nd) at O’Flaherty’s pub in San Jose, near the convention center. Should be a great time, so if you’re in the area, hopefully we’ll see you there!

By alex | Posted in community, dojo | Tagged , | Comments Off

Benchmarking Is Hard: Reddit Edition

June 24, 2009 – 7:22 pm

In which I partially defend Microsoft and further lament the state of tech “journalism”.

A very short open letter:

Dear interwebs:

Please stop mis-representing the results of benchmarks. Or, at a minimum, please stop blogging the results in snide language that shows your biases. It makes the scientific method sad.

Thank you.

Alex Russell

Today’s example of failure made manifest comes via Reddit’s programming section (easy target, I know), but deserves some special attention thanks to such witty repartee as:

Using slow-motion video? What a great idea. Maybe we can benchmark operating systems like that.

Maybe we can….and maybe we should. It might yield improvements in areas of OS performance that impact user experience. With a methodology that represents end-user perception, you should be able to calculate the impact of different scheduling algorithms on UI responsiveness, something that desktop Linux has struggled with.

The test under mockery may have problems, but they’re not the ones the author assumes. It turns out that watching for visual indications of “doneness” is a better-than-average way to judge overall browser performance (assuming fixed hardware, testing from multiple network topologies, etc.). After all, perceived performance in browsing is all that matters. No one discounts a website’s performance because when you visit they happen to let browsers cache resources that get used across pages or because they use a CDN to improve resource loading parallelism. In the real world, anything you can do to improve the perceived latency of a web site or application is a win.

MSFT’s test methodology (pdf) does a good job in balancing several factors that affect latency for end-users, including resources that are loaded after onload or in sub-documents, potential DNS lookup timing issues, and the effects of network-level parallelism on page loading. Or at least it would in theory. The IE team’s published methodology is silent on points such as how and where DNS caches may be in play and what was done to mitigate them, but the level of overall rigor is quite good.

So what’s wrong with the MSFT test? Not much, except that they didn’t publish their code or make the test rig available for new releases of browsers to be run against. As a result, the data is more likely to be incorrect because it’s stale than to be incorrect due to methodology problems. New browser versions are being released all the time, rendering the conclusions from the Microsoft study already obsolete. Making the tests repeatable by opening up the test rig or filling in the gaps in the methodology would fix that issue while lending the tests the kind of credibility that the Sun Spider and V8 benchmarks now enjoy.

This stands in stark opposition to this latest “benchmark”. Indeed, while the source code was posted, it only deepens my despair. By loading the “real world sites” from a local copy, much of the excellent work being done to improve browser performance at the network level is totally eliminated. Given the complexity of real-world sites and the number of resources loaded by say, Facebook.com, changes that eliminate the effects of the network make the tests highly suspect. While excoriating JavaScript benchmarks as not representing the real world accurately, the test author eliminated perhaps the largest contributor to page loading latency and perceived performance. Ugg.

Instead of testing real-world websites (where network topology and browser networking makes a difference), the author tested local, “dehydrated” versions of websites. The result is that “loading times” weren’t tested, but rather a test of “local resource serving times and site-specific optimizations around the onload event” was run . Testing load times would have accounted for resources loaded after the onload event fired, too. There’s reason to think that neither time to load from local disk nor time for a page to fire the onload handler dominate (or even indicate) real world performance.

I’m grateful that this test showed that Chrome loads and renders things quickly from local disk. I also have no doubt that Chrome loads real websites very quickly, but this test doesn’t speak to that.

It’s frustrating that the Reddits and Slashdots of the world have such poor collective memory and such faulty filtering that they can’t seem to keep themselves from promoting these types of bias re-enforcing stories on a regular basis. Why, oh why, can’t we have better tech journalism?

By alex | Posted in Uncategorized | Tagged , , | Comments (15)

Online Shrinksafe App Fixed

June 23, 2009 – 11:10 pm

I’m not sure how long it was b0rked, but the online ShrinkSafe app is back up and working.

By alex | Posted in Uncategorized | Tagged , , | Comments (2)

A Visual History of Dojo

June 9, 2009 – 6:16 pm

Dojo’s has as long a history as any chunk of JavaScript in wide use, and it’s easy to forget how long the road has been and how far the project has come. Will of the Lucid Desktop project has put together a code_swarm visualization of the project’s history to date. Lots of fun to see old friends appear and think back on when what happened:

Thanks, Will!

By alex | Posted in Uncategorized | Tagged , , | Comments (2)

A Quick Word On Dojo and Patents

May 26, 2009 – 11:19 am

A relatively light-on-data article is up at Slashdot right now, and it casts aspersions both on the IBMers who contribute to Dojo and on the Foundation itself based on the Free Software party line that all software patents are inherently evil.

I won’t address the background point regarding software patents here. I’ll only to say that reasonable people can disagree on this, particularly when it comes to proposed solutions. What I would like to focus some attention on is the background that this patent filing is made against.

IBM has executed a CCLA with the Dojo Foundation. This agreement gives Dojo (and the rest of the OSS community) a license to whatever patent rights may be embodied in contributions of code. While IBM may file patents on things they build and contribute to Dojo, there’s no risk to any users regarding use of that code or “submarine” issues of patent infringement. As a result of the Dojo Foundation’s insistence that ALL code come with CLAs, Dojo is more trustable in terms of IP than most of the JavaScript you can choose to use. A similar patent claim in a less rigorously developed toolkit would indeed be apocalyptic, but the Dojo community has adopted a mature process for dealing with IP that both makes the concerns plain and then works to eliminate them, step-by-step. That’s what licensing agreements are, after all: links in the chain that together help you trust that your anchor is indeed set.

It’s clear to me that IBM filed this patent fully aware that they were giving away all follow-on rights to enforce it in anything but a defensive way for the benefit of the Foundation and users of Dojo. After watching IBM counsel decimate SCO in court, does anyone in the OSS world really think that IBM’s lawyers are fools? And if so, to what end?

It’s sad that Slashdot hasn’t, for a decade of coverage of IP issues, learned that licensing is harder than the zealots would have you believe and that malice isn’t always the intent of those who participate in communities with a commercial interest.

The good news here, of course, is that IBM is just as generous today toward the OSS and Dojo communities as they were yesterday. We have the legal documents to prove it.

By alex | Posted in Uncategorized | Tagged , , , | Comments (15)

Chrome 2.0: Bam!

May 21, 2009 – 2:01 pm

No less than the Times has chastised the Chrome team’s marketing efforts, noting unsubtly that for months now we’ve been burying the lead: Chrome’s killer feature isn’t that it’s got an awesome UI (it does) or that it supports new web features…no, the real story that we haven’t been telling well is that it’s wicked fast.

I’m sure all the blags will be a-twitter with this shortly, but Chrome 2.0 is now out to everyone, and it’s even faster. Yes, V8 got even more polish (new compiler infrastructure FTW!), but the big speed news from my perspective comes from other parts of the browser. Chrome 2.0 moves fully away from the Windows networking stack to Chrome’s faster networking infrastructure and includes changes to memory allocation that make the DOM go like hell. There’s lots of great feature work in 2.0, of course, but now’s not the time for us to bury the real story: Chrome, fast as it was, just got even faster. Thanks to silent auto-update, it’ll even make the web faster faster.

Bam!

By alex | Posted in Uncategorized | Tagged , | Comments (7)

On JS “Lambdas”

May 20, 2009 – 10:01 am

The ES working group is hard at work on “Harmony”, the goals of which are significantly more sane than previous attempts to build a new language from JavaScript. Namely, they’re being careful to be able to express things in new syntax based on old syntax. This is referred to as “de-sugaring”. Many new bits of syntax will be expressed in old syntax in a resulting spec, and so it will be with any new lambda syntax.

One of the things I find most persistently annoying about the language as we have it is the verbose and wordy way of saying “build me a new invokable thing”. Since JS builds dynamic scopes based on on functions, this is particularly annoying when writing event handlers, callbacks, and arguments to forEach and friends. Needless to say, these are the things we do all the time in JavaScript. If there was anything that deserved syntactic sugar, this is it.

This brings us to “lambdas”. Languages like Ruby have a great syntax for expressing “a thing you can invoke” in a terse way. Python has something along these lines based on the keyword lambda, but Guido insists on keeping them neutered based on (AFAICT from in-person discussions) a dislike of functional programming. Java is dangerously close to getting useful closures but it’s so syntactically handicapped that it’ll probably be another decade before the masses rebel and demand a terse way to say what they mean. Or maybe they’ll all have just defected to JRuby. For most of these languages, being able to say “here’s a new invokable thing” tersely is a Nice To Have feature. No real-world program will be slowed down by the size of a keyword. Indeed, Java makes you do so much work for the compiler that it’s practically taken as a badge of honor that you have to type it all out over and over and over.

JavaScript is different. Unlike nearly every other language, the terseness of JavaScript code is a key determinant in the performance of a web application. The bigger your scripts, the slower your app loads. It’s as simple as that.

It’s a crime, then, that we still have to type:

1
2
3
4
5

node.addEventListener("click", function(evt){ /* ... */ }, false);
 
// or
 
[/* ... */].forEach(function(i){ /* ... */ });

The syntax for “an anonymous invokable thing” should be a lot shorter given how much exercise it gets in the real world. What real-world script authors don’t need is something other than “a shorter way to say function“. Anything different than this isn’t strictly useful. Anything that requires you to use a more wordy syntax to name arguments is a failure, and anything that uses a name longer than the shortest possible thing just re-introduces that bug that needs fixing in the first place. There have been proposals at the ES working group to date regarding “lambdas” and most assume that they will be something that serves to make implementer’s roles easier when it comes to de-sugaring but fail in one of these ways. Folks who write actual scripts should start speaking up and telling the Harmony working group what needs to be clearly and un-ambiguiously said:

Don’t fuck with the semantics of function, just let me stop typing it so often

What might a better syntax for function look like?

The best that Erik and I could come up with that is relatively unambiguious for parsers, doesn’t introduce hard-to-type characters on certain keyboard layouts, and doesn’t mess with the semantics of function(){} is this:

1
2
3
4
5
6
7
8
9
10
11
12

// empty function body, zero arguments
var lambda = #(){ /*... */ };
 
// empty function body, arguments list elided away
var lambda = #{ /* ... */ };
 
// we can re-write the previous examples as:
node.addEventListener("click", #(evt){ /* ... */ }, false);
 
// and
 
[/* ... */].forEach(#(i){ /* ... */ });

The long history of the word “lambda” coupled with the different interpretations that various languages place on them make using the word “lambda” to say “a short name for something you can invoke” particularly loaded. Perhaps instead we should just call this new syntax that crams a lot of meaning into a short “keyword” something else entirely.

“Cramdas”, anyone?

Update: …and James Padolsey makes it so!.

By alex | Posted in Uncategorized | Tagged , , | Comments (28)

Dojo Wins Mobile Slickspeed Shootout

May 14, 2009 – 12:26 pm

Stefan K. has posted a fascinating run-down of mobile browser performance with regards to JavaScript toolkits. No big shock, but Dojo once again brings home the bacon. I’d love to see these tests re-run with TaskSpeed instead of SlickSpeed, but when you’re doing progressive enhancement it turns out that selector engine performance really matters. Dojo continues to do very well in both TaskSpeed and SlickSpeed because the Acme selector engine is so darned fast. In the real world, selector speed matters and the faster it gets, the more queries we seem to do.

I’m not entirely sold that the right solution going forward is to use the toolkits we already have, but if you’re building a mobile app today and you’re going to use a toolkit, it looks like (as on desktop browsers), Dojo should be your first choice. The webkitMobile variant of Dojo points to one possible way out of the “what to do about mobile?” conundrum regarding size and IE-induced bloat, but I have some hope that WebKit will improve quickly enough to make the toolkits of today obsolete on mobile phones entirely. Time will tell.

Hat tip: the Uxebu blog

By alex | Posted in Uncategorized | Tagged , , , , | Comments Off

ZF 1.8 Is Out

May 7, 2009 – 2:17 pm

Congrats to the Zend Framework team on releasing ZF 1.8! This release updates the Dojo/Dijit integration and includes Dojo 1.3. Not only can you use the ZF view helpers to generate existing widgets, now you can use the view helpers to declare instances of your own components too.

If you haven’t tried out ZF, it really does make building sophisticated Dojo-based UI’s really simple. A bit part of that is that it helps automate a lot of the stuff that may be confusing when you’re first starting out with Dojo.

By alex | Posted in Uncategorized | Tagged , , , , | Comments Off

Acme: Sometimes Being Generic Is A Win

May 6, 2009 – 12:27 pm

Shane O’Sullivan, recently minted as as Dojo committer, has updated his GreaseMonkey script for skipping welcome screens to use Acme instead of Sizzle. Short story: fewer browser crashes and better performance.

If you’re not using Dojo, now might be a good time to ask why your library isn’t using Acme too.

By alex | Posted in Uncategorized | Tagged , , , | Comments (2)

Perspective Is Not A Liquid Asset

May 5, 2009 – 1:11 pm

ZDNet has an article out discussing a study that shows that that Chrome’s (Open Source) auto-update system makes the browser more secure than the alternatives. Disclosure: Google co-authored the study. I work for Google, on Chrome. Caveat emptor.

Back when I did security for a living, I quickly noted a distinction between those who saw things as white vs. black and those who viewed things in risks. White vs. black is the mentality of the attacker (you only need to pwn one system, not every system) and of green defenders who can’t yet distinguish severity or haven’t been thought to think about defense in depth. A risk-based view of security pays a lot more attention to questions of who you’re securing a system against and for how long. In this world view, threats are risks to be evaluated and mitigated, not a constant stream of sky-is-falling crises. A risk based view says “yes, the sky might be falling somewhere, but what are the odds it’s falling on me? And even if it is, what’s the worst that can happen?” If the likelihood is high and the severity is high, spend a lot of time on it. When you view security in terms of risks to be mitigated, you make very different tradeoffs. If you think you need to (or even can) control and eliminate every risk, than you might be tempted to build brittle systems. If, on the other hand, you acknowledge that humans are invoked (and are fallible) and that sometimes things break, you might give up a little control to get to a better place on average and be willing to suffer some minor setbacks on the way there.

The difference between Chrome’s update system and that of other browsers is that the Chrome updater turns the dial all the way in the direction of mitigation, treating the window of vulnerability as the most important factor in the risk of an attack. It’s more important in this world to mitigate an attack than to have asked the user if they want their system to be updated. Is there any other right answer to that question for most users than “yes”?

Here’s where the knives come out: rational people with very different perspectives often want totally different things. System administrators for large organizations – tallented people whose job it is to personally assess and deal with risks – may disagree with this policy since it introduces new risks which they can’t effectively mitigate. The Chrome answer to these concerns has been to treat them as the special case they are. You can easily get the standalone installer that doesn’t include auto-update, but it’s not something that’s advertised on the main download page. Why? Because it’s not what will keep most users secure.

The default Chrome update model is designed around the perspective of the average Chrome user. Not the vocal minority of those who know enough to build Chrome from source or even for corporate IT administrators. Their needs are real, and their perspective is valid, but it is not common and should not dominate the discussion about what is best for the majority. If we’ve learned anything through most GUI Open Source projects, it’s that developers have a hard time empathizing with the needs and skills of most users. This shows up in many places, but perhaps the most curious place of all is the extra confirmation box that asks you if you’d like to have a secure browser or an insecure browser. To anyone but an IT administrator or a developer, it’s not a legitimate choice, it’s an opportunity for failure with the deck stacked against you.

I’m glad the Chrome team has prioritized security through convenience at the expense of the illusion of control. It’s one of those things that’s obvious once you change your perspective. Too bad it’s not nearly as easy as it sounds. Everyone’s selling their point of view, but there are predictably few buyers amongst the already enfranchised.

Hat tip: Glen’s excellent ChatGraph.

By alex | Posted in chrome, google, security, work | Tagged , , , | Comments (7)