*
programming and human factors
by Jeff Atwood
*
The 1996 JavaWorld article Is JavaScript here to stay? is almost amusing in retrospect. John Lam recently observed that
JavaScript is the world's most ubiquitous computing runtime.
I think the answer is an emphatic yes.
JavaScript is currently undergoing a renaissance through AJAX. Sure, the AJAX-ified clones of Word and Excel are still pretty lame, but they're the first baby steps on the long road to rewriting every client application in the world in JavaScript. The line between client executable and web page gets blurrier every day.
The meteoric rise in popularity of Ruby has also renewed interest in dynamic languages. And JavaScript may be the most underappreciated dynamic language of all. Unfortunately, it's difficult to separate JavaScript from all its browser environment baggage and consider it purely as a language.
But these are both relatively recent developments. They're important milestones, but they're not the full story of JavaScript's success. Not by a long shot. I attribute most of JavaScript's enormous success to one long-standing menu item on every browser:
The view source menu is the ultimate form of open source. It's impossible to obfuscate or hide JavaScript running in a browser. The code that powers any AJAX application is right there in plain sight, for everyone to see, copy, and use. A complete set of JavaScript source code for the latest AJAX apps is never more than one HTTP download away. They're literally giving away the source code for their application to every user.
Some people might see that as a huge business risk. I say if your business model is that dependent on clever, obfuscated source code tricks, it isn't much of a business model.
I've read several complaints that .NET code is too easy to decompile. Nonsense. It should be even easier to decompile. The real stroke of genius in JavaScript wasn't closures, or XmlHttpRequest; it was forcing people to share their source code with the community. How do you think anyone found out about XmlHttpRequest in the first place? Through reading the documentation?
The entire JavaScript development community is predicated on instant, ubiquitous access to source code. This leads to what I call "Code Darwinism": good techniques are seen immediately and reproduce promiscuously. Bad techniques never reproduce and die out.
That's why I'm not afraid to bust out a copy of Reflector and perform a little ad-hoc "View Source". It's common practice to decompile binary .NET assemblies, for a whole host of entirely valid reasons:
Having the source code gives you the ability to fix your own problems-- or even someone else's problems. If you can see the source code, the binary is alive-- it can evolve.
And you can still license your software and make money, even if you're handing out the source code at the same time. According to DesaWare, one of the most compelling software sales pitches is the phrase "source code included":
Providing source code is the only answer -- it's a way to say to the customer that if worst comes to worst, they can be their own alternate source. Even Microsoft has demonstrated this by providing Windows Source to certain customers, like large governments, who have the leverage to demand it. And, yes, escrow services should be sufficient for this purpose, but for some reason most customers don't like that approach. Perhaps it's lack of confidence in the long-term viability of the escrow services themselves? Or perhaps lack of faith in their own institutional memory to recall that such escrow arrangements had been made.There are some nice side benefits of having source code available: the ability to learn from someone else's code, and the possibility of customizing components to suit specific needs, but those are smaller issues. Security is always a concern, but it is only applicable to software that has the potential to elevate the privilege of a user -- something that applies to a relatively small number of software components.
So what about the great closed source vs. open source debate? I'm never one to shy away from controversy, but that's for another time and place. What we did by releasing our software was not open source by any stretch of the imagination. Our source code is licensed to individual developers for their own use -- not for distribution. Does a true open source model make sense for the component world? I don't know. What I do know is that source code availability provides a level of peace of mind for some developers that probably cannot be matched any other way.
We should do away with the pretense of hiding code. Let's not only acknowledge that decompiling .NET code is trivial, let's embrace the power of "view source" by shipping source code along with our binaries.
Unfortunately 'Code Darwinism' worked operates on the same timscales as real Darwinism.
All too often, bad practices are seen, copied and made worse. Eventually, the projects based upon these practices will fail, but not before leaving a trail of destruction and frustration behind them.
Ultimately, people fall into one of 2 camps (and this applies in general behaviour too, not just software development)...
Those who use the bad behaviour of others as an excuse for behaving the same way themselves.
Those who see the good behaviour of others as a example to follow.
The difference is very subtle, but it's an important one.
I do agree, though, that being able to examine other people's code is one of the best tools for self improvement.
Bob Armour on August 18, 2006 2:46 AM"I think in 2 years we will be awash in a lot of bad AJAXified apps."
10 years so far and we're still saddled with many applications written in C++ with buffer overflow flaws.
Don't blame the saw, blame the carpenter.
Scott on August 18, 2006 2:57 AMJon: excellent stuff. Beefing up the language (E4X) is definitely a step in the right direction. Thanks for the light.
Sorry Scott, I have good and bad tools in my garage, and the bad tools just make things hard to do.
Steve on August 18, 2006 5:41 AM.NET's transparency is the very reason companies that write and sell software are not adopting it en masse. The truth is that software companies need to protect their IP. If they can't do that, they won't stay in business. Your Desaware example is an exeption to the rule - they provide components to developers. I don't think Microsoft or Adobe will be licensing any of their source code anytime soon.
In fact, Microsoft's biggest .NET app to-date (Small Business Accounting 2006) is obfuscated.
Jeff M on August 18, 2006 6:24 AMOne of the strengths of Smalltalk systems comes from the fact that all source code is delivered with the system. This holds true for both commercial systems (like VisualWorks and Dolphin Smalltalk) and open source systems (like Squeak).
Smalltalk and its IDE are written in Smalltalk itself, and there is really no difference in the access you have to view and modify your own code and someone else’s code. No extra source files to be hunted for, and no settings in the IDE to change.
Runar Jordahl on August 18, 2006 7:55 AMI agree that the open source model has a place in the software world. However, it isn't something that can be applied realistically across the board for every software category.
I work for a small ISV, and we create stand alone as well as web based applications. It never fails that as soon as we create a unique product that starts selling well, someone will re-create our product and start selling it on their site. Some time ago, we rolled out a VB based application that was quite popular. Within a month of roll-out, we noticed that someone had taken our app, modified the string-table (changing such things as the app title, copyright, etc.) to brand the app as their own.
People that usually are evangelizers of a blanket open source software model often aren't dependent on their software sales for a living, and/or aren't familiar with the fact that there is a large portion of the Internet that will stop at nothing to make a buck - even if it means stealing from someone to do it.
For these reasons alone, we haven't migrated to .NET yet, and have spent more time on web based development where our code is securely stored on our servers - away from prying eyes. If someone wants to duplicate our functionality, let THEM figure it out - I don't need to "donate" my time telling them how I did it so they can go make a buck on it. That code represents my livelihood.
Brad Brening on August 18, 2006 8:32 AMJavaScript can be obfuscated very well indeed thanks to it's dynamic nature. You can nest eval's and proceed through several layers of decoding from hex, base-64 or your own confusing mess.
If you think .NET code is difficult to decompile perhaps you should grab a copy of .NET Reflector.
[)amien
Damien Guard on August 18, 2006 9:36 AMThank you for pointing this out to people! Javascript is a wonderful language, and while doing web development this summer, have acquired a sense of "home" when I'm in Javascript that just doesn't happen in the server-side ASPPHP. It's so nice to be able to "create a function there on the fly, not even bothering to name it, just picking it up by its ears and tossing it into a function." ( http://www.joelonsoftware.com/items/2006/08/01.html )
Javascript is seriously underappreciated, and I wish more work would be put into browsers to make it more useful (and crash-free; I'm looking at all browsers, not just IE6!)
jacob on August 18, 2006 9:49 AM"I work for a small ISV, and we create stand alone as well as web based applications. It never fails that as soon as we create a unique product that starts selling well, someone will re-create our product and start selling it on their site. Some time ago, we rolled out a VB based application that was quite popular. Within a month of roll-out, we noticed that someone had taken our app, modified the string-table (changing such things as the app title, copyright, etc.) to brand the app as their own."
If you are being ripped off that easily, then your apps are too simple to really be hard to duplicate via traditional methods *and* you are not availing yourself to the legal system. Something so blatant is a slam dunk to get squashed.
Not making enough to pursue them in the courts? Then I wonder how it could possibly be sustaining your livelihood to a degree you care.
We provide source upon request to our customers. A few even tried to make a copy our service, but the reality is that our product is complex enough that they flame out in the attempt. Then get a nice letter and a bit later we get a nice check for their troubles. Simple really: provide something of true value and protect it via the laws that were put in place to do so.
Wesley Shephard on August 18, 2006 10:00 AMDamien is right about JavaScript obfuscation. A company called Stunnix sells a product that does it ( http://www.stunnix.com/prod/jo/overview.shtml ).
John on August 18, 2006 10:02 AMInteresting enough, one of Paul Grahams startups Snipshot (formerly pixoh) were very surprised to find that a competitor had coped "massive chunks" of the javascript powering SnipShot (an online image editor).
The author says he was "naive about obfuscation", ironically enough it was the quality and modularity of the javascript code that made it soo easy for the competitors to steal and use.
The details are here.
http://hartshorne.ca/2006/06/27/this_looks_familiar/
Factor is a well-thought-out language with 'view source' built-in. Most of the language is written in Factor except for a small C runtime, and since source code is saved, you can access the source code and documentation at any time. Languages like Factor, Smalltalk, and Self have to be the future of computation due to the stupid syntactical messes of languages like Javascript.
advocate on August 18, 2006 10:43 AMJust because it's ubiquitous and open does not make it good. JS is not a great language. I think in 2 years we will be awash in a lot of bad AJAXified apps.
Steve on August 18, 2006 10:44 AMHi,
please not again this discussion.
Opensource can work for apps that need loads of service afterwards - that means things, where the source alone is next to worthless like complex OS'ses.
However, for "simple" products that dont warrant a support contract, giving the source is a shot in the own foot imho...
Best regards
Tam Hanna
The entire JavaScript development community is predicated on instant, ubiquitous access to source code.
This leads to what I call "Code Darwinism": good techniques are seen immediately and reproduce promiscuously.
Bad techniques never reproduce and die out.
This would be nice if it worked. Unfortunately it doesn't, for two reasons:
* "Javascript Kits" websites are common on the web, and they all suck, without exception. The scripts are crappy, hacky, ugly, and they're fed to users who don't want to learn JS anyway (which ranges from designers who don't program at all to Java or C++ or even PHP "programmers" who consider that the lowly javascript is too few of a language for them to waste time learning it)
* Good scripts are more often than not in separate JS file (instead of being in the HTML page or *shudder* inline in the elements), their visualization therefore requires a bit more work than just View Source (unless you're using Chris Pederick's wonderful Web Developer Toobar that is)
* And good scripts often use fairly advanced JS techniques (DOM manipulation, functional concepts, ...) requiring a fairly good understanding of the basic JS concepts.
I personally want people to see my code. If someone out there can teach me how to write better, more efficient code, as far as I'm concerned, the more power to me.
If someone sees my code and learns from it, the more power to them.
-www.thesol.com
Hank on August 22, 2006 8:33 AMUnfortunately, I think that there's some JS obfuscation software - ant it's doing its job pretty well (taking a script, assigning random names to all identifiers, encrypting that source code into function that creates this code from seemingly random characters - caesar's crypt and some xoring involved - just into a variable and then executes it)... Bye bye OS.
Keff on August 24, 2006 4:02 AMcheck out google's java to javascript compiler, no way to read that
ts on September 4, 2006 6:03 AMAll is not goodness and flowers--you're forgetting about malicious intent.
IP needs to be protected, plain and simple.
It's easy eough to obfuscate code without obfuscating it, anyway:
1. No comments or design
2. If you're in a niche enough area (e.g. simulations of complex systems - I'm talking from experience), without the domain knowledge (or, at times, even with domain knowledge), you can see what the code does...but still not understand what it does!
I think Javascript is a great language. It's often been misused due to the "view source" thing Jeff's talking about, but it's pretty amazing how much people have been able to build with it.
The problem with AJAX Javascript isn't the language, it's:
(1) Using AJAX where it doesn't belong
(2) Poorly written custom javascript code instead of code which runs on well-tested, cross-browser libraries
(3) Most importantly - slow standards implementation by a certain very popular browser. Javascript wasn't built with AJAX in mind, but the E4X Javascript extension was, and it was published in 2004. Guess which of the major browsers hasn't implemented it, and has no plans to?
More about E4X here: http://weblogs.asp.net/jgalloway/archive/2005/11/06/429666.aspx
Jon Galloway on February 6, 2010 9:52 PM@Jon: It's funny how several years in, this post still draws attention. Great subjects for discussion never really die !
I have to agree with Points #2 and #3 emphatically, but have to go beyond #1, and say that this the area where the most trouble and source of debris on the net is found. The concept of "the long road to rewriting every client application in the world in JavaScript." is absolutely preposterous. Perhaps it's some web wingnut's wet dream ( no offense implied onto that popular typeface, really. ), but put some common sense into it. Sure we've got ChromeOS knocking on our door, but the concept that even IT won't have natively installed applications on the target netbooks is also ludicrious. There always will be native "hard" clients. There will always be the need for "hard" clients.
For anyone who thinks that every desktop or desktop oriented application needs to be web-ified, ask yourself a question. Why, if anything and everything MUST ( or to not be so harsh, should ) be web-based, did everyone bash the darling of mobility that is the iPhone when Apple put off having a native applications sdk for over a year ? Why did they almost immediately start to take out the nails for Palm's final coffin, when they said they wouldn't have a native development kit.
Even Google is ushering out an NDK with ( Oooooooo...evil C++, Eewwwww ). Whenever someone speaks in absolutes in this way, about ANY subject, it opens up scrutiny of the rest of the logic behind their argument. "Javascript" ( I know, total misnomer, what can you do ? ) isn't the savior of programming. No language is.
Marcelo Lopez on March 12, 2010 8:28 AMawesome article thanks planning jobs
Planningjobs on August 29, 2010 12:52 PMThank you for your most informative article. We need more posts like this on the net.
irishpoetry on September 3, 2010 11:59 AMThe comments to this entry are closed.
| Content (c) 2012 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved. |
Subscribe in a reader
Subscribe via email