November 12, 2005
I’ve been having a recurring conversation with folks over the last 6 months or so and I’m getting a little tired of it. The conversation goes something like this:
person: Why doesn't fedoraproject.org implement k-rad whiz-bang feature? All you have to do is install MyWebApp and a series of dependencies. Then it just works!
me: What language is MyWebApp written in? How long has it been in development, and what is its security history?
person: It's in PHP. It's been under active development for a few months now, and I've not seen any security issues with it yet.
me: Yet, right. Are its authors focused on security, or are they focused on features? Do they have anyone auditing it? What do you think the likelihood is that they will stick around in 4 months?
person: But it works great and has all the features we need. If you don't implement it, then you're limiting the Fedora community's ability to communicate/interact/dominate the world.
me: Yes, but if I do implement it, then when it gets compromised I'll be limiting their ability to communicate while the box is down for a post-mortem. Additionally, we won't be able to bring that app back up, and we'll lose its functionality until the problem is found and corrected. Do you want to be the person doing security maintenance on this app? Because I don't have the time.
person: Well, no, I don't have the time either.
me: Then it sounds like we do not have the time to implement this feature at all, if no one is going to be watching and maintaining it.
My problem with php is best summed up by a quote from Elliot Lee:
“The upside of PHP is that it lets non-programmers create complex applications. The downside of PHP is that it lets non-programmers create complex applications.”
Moreover, it forces some of our programmers to take time out to work on web application auditing and maintenance in a language that is not used in the distribution for anything else.
So, if we were programming in Python for web applications, we'd get the advantage of at least continuing to focus on the same language that we're using for the other applications and utilities in Fedora.
A little list:
fedora people: python
fedora wiki: python
fedora accounts system: python
build system: python
packaging system: C (rpm) and python (yum and friends)
installer: C and python
Anyone else see a trend here?
We're using C for statically typed code and Python (for the most part) for dynamically typed code. Let's keep that focus and keep our sanity. If we concentrate our efforts on the same languages, we gain the ability to share libraries and modules, increase code reuse, and increase connectivity between the apps we work on.
With that in mind, I'd like to make a request to the Python web programmers in the fedora-verse. We need some people who are willing to work on web applications in either Zope or TurboGears. Let's see some options and ways to progress. We have a lot of Python programmers who can help audit the code and contribute sections as we build up our module base.
If you are willing to help and want to participate, please join fedora-websites-list and help me argue against dispersing our codebase into 8 trillion separate languages.