These are chat archives for jdubray/sam

18th
Mar 2016
Jean-Jacques Dubray
@jdubray
Mar 18 2016 00:06
well, I have actually looked at that number for a month and it has not moved by one unit. The number is impressive enough (say compared to SAM) but it is clearly not growing (anymore). I am very interested in understanding how people build communities... Not that I am good at it or seek to be good at it, so I pay a lot of attention to the whole process (Dan, Andre, ...).
Again, if Andre wants cycle to be around in a year or two, he will need to go to the next level. It won't happen on what I see, though I can see how dedicated his followers are. Incidentally, I am not trying to find or create followers.
Stardrive ENGG
@HighOnDrive
Mar 18 2016 00:20
@jdubray What do you mean? The counter needle has moved up by a 1000 every month or few weeks during the past three months or so. The CycleConf should take it to the next level again :+1:
There you go, SAM questions in the Cycle gitter room :fire:
Jean-Jacques Dubray
@jdubray
Mar 18 2016 00:25
684 people not moved much for the last month
Stardrive ENGG
@HighOnDrive
Mar 18 2016 00:27
Ah, I thought you meant repo stars :smile:
Jean-Jacques Dubray
@jdubray
Mar 18 2016 00:29
yes, that's a metric, but in the end I would consider Gitter or Stackoverflow as a pretty representative metric of the health of a community / ecosystem.
you mentioned:
See how fast Cycle has been growing on their gitter counter,
Stardrive ENGG
@HighOnDrive
Mar 18 2016 00:39
Well, let's not say something like electric guitar would not take off, way back when there were not a zillion rock records on shelves yet. Cycle and its paradigm are still in its infancy, yet there is not one guru who does not see it as breaking new ground.
Jean-Jacques Dubray
@jdubray
Mar 18 2016 00:40
I am no guru, but so far I am unimpressed by a bunch of wires. I have seen a lot of wires in my career and they come and go.
(sorry I shouldn't do that but I am just having fun)
:-)
Stardrive ENGG
@HighOnDrive
Mar 18 2016 00:41
Likewise :smile:
Jean-Jacques Dubray
@jdubray
Mar 18 2016 00:42
:-)
Stardrive ENGG
@HighOnDrive
Mar 18 2016 04:26
@jdubray Glad I checked out your "snarf" link, you've got to check your facts before making such erroneous and assumptive claims. More here: https://gitter.im/cyclejs/core
weepy
@weepy
Mar 18 2016 07:54
What was all that about ? What has snarf got to do with cycle other than it has a file with that name ?
Jean-Jacques Dubray
@jdubray
Mar 18 2016 09:48
all I was trying to point out is that the only link that comes back when you google cycle.js and security is "snarf". I would prefer if people would point me to links that provide some pen testing results or secure coding patterns in cycle.js.
I don't know many projects these days that get deployed without their fair share of pen testing.
weepy
@weepy
Mar 18 2016 09:49
Pen testing is only as good as the tester so a bit unreliable
Jean-Jacques Dubray
@jdubray
Mar 18 2016 09:50
agreed, but the next question is what else?
@HighOnDrive this is not a question of FUD, this is a question if you want to be serious about competing with ng and react, that question will come front and center.
I would argue that the only reason ng is so popular is probably because it is perceived to be the most secure Web framework.
weepy
@weepy
Mar 18 2016 09:54
I dunno - security is only as strong as its weakest link. This seems like a distraction.
Jean-Jacques Dubray
@jdubray
Mar 18 2016 09:59
I am no expert, it just doesn't look good when some of the pen testing suites plow through your app, it's just pen testing is not available to the average dev

via @HighOnDrive

Some fine record and replay that you might like: http://rr-project.org/

Jean-Jacques Dubray
@jdubray
Mar 18 2016 10:10

as soon as you have strings coming from and to HTML, the question will come, so you take this simple cycle.js code and it is legitimate to ask if anyone has carried out pen testing on it. This is not data binding in the {{ }} sense, but still you can just as well inject malicious code as soon as you take control of a string embedded in some HTML (of course it's even worse in the other direction since the attacker has control of the input fields)

div([
  label('Name:'),
  input('.field', {attributes: {type: 'text'}}),
  hr(),
  h1('Hello ' + name),
])

not quite sure why @HighOnDrive believes that's FUDing? It's a reasonable question to ask how the intent is constructed when the user submits some data or what will happen if "name" contains some HTML elements?

when you google ng+pen testing you get a bunch of references, such as that one: https://www.veracode.com/blog/2015/07/angularjs-expression-security-internals
weepy
@weepy
Mar 18 2016 11:46
this is interesting
weepy
@weepy
Mar 18 2016 12:56
Well I'm sure there's an easy way to secure cyclejs. You're critism
Your criticism comes across as a bit snarky
IMHO
Jean-Jacques Dubray
@jdubray
Mar 18 2016 13:48
there is always a way but when you see these results https://files.gitter.im/jdubray/sam/6oXv/blob you wonder why React has not fixed them from the get go?
weepy
@weepy
Mar 18 2016 15:16
right but how is this relevant to SAM ?
Jean-Jacques Dubray
@jdubray
Mar 18 2016 15:49
I am still evaluating the best way to implement SAM, can I recommend cycle.js? So far I'd have a hard time without more visibility on that topic.
Considering the entanglement of streams, not sure that's viable at this point.
weepy
@weepy
Mar 18 2016 16:02
this is pretty interesting too
Jean-Jacques Dubray
@jdubray
Mar 18 2016 18:03
Yeap, it points front and center why you want to use SAM (IMHO), that looks cool but will not scale well in terms of complexity
init   :: () => state
update :: (state, action) => state
view   :: (dispatch, state) => html
Jean-Jacques Dubray
@jdubray
Mar 18 2016 18:10
thinking that you can pass the entire state to the view and back is at best naive
weepy
@weepy
Mar 18 2016 18:19
It's possible that you're being naive in assuming that's what it means ?
Jean-Jacques Dubray
@jdubray
Mar 18 2016 18:54
it's possible, but listening in cycle.js discussions, that's exactly what they seem to be talking about. Am I mistaken?
weepy
@weepy
Mar 18 2016 18:56
I don't know but it seems
... You write other tech off a bit too easily especially if you don't know it that well
Jean-Jacques Dubray
@jdubray
Mar 18 2016 18:58
I just have a couple of issues with Front-End architectures:
1) View coupled to the Model
2) A new coupling between actions and model, introduced by the concept of reducer ((state, action) => state)
When I spot these couplings, I tend to dismiss the corresponding approach
weepy
@weepy
Mar 18 2016 22:26
m