Tuesday, November 21. 2006
Web Framework Manifesto
Comments
Display comments as
(Linear | Threaded)
You might be also interested in two other web frameworks I'm aware of (although they aren't very mature yet):
1) Grails
(written in Groovy - scripting language for JVM)
2) Webbness
(written in Boo - basically Python for .NET with OOP done right + some nice features)
You also recently mentioned in a Scala newsgroup that you are amazed by Scala. I suggest you should also try to look at Nemerle which in my opinion is even better (esp. because it contains powerful metaprogramming features using type-safe macros).
1) Grails
(written in Groovy - scripting language for JVM)
2) Webbness
(written in Boo - basically Python for .NET with OOP done right + some nice features)
You also recently mentioned in a Scala newsgroup that you are amazed by Scala. I suggest you should also try to look at Nemerle which in my opinion is even better (esp. because it contains powerful metaprogramming features using type-safe macros).
I've tried Goovy. It's the worst of all possible worlds in that it's slow, there are lots of bugs, little documentation, and you get none of the features of scripting language that make scripting languages valuable (e.g., being able to define a class programatically and then access that class later in the script, or more specifically, Groovy scripts are not scripts, they are thinly veiled compilation units.)
Groovy missed the boat on so many levels and has never reached critical mass. I've been complimented for not dismissing things in my blog, but I'm dismissing Groovy because it fails to be in the same league as Ruby, Python, Perl, Java, C++, etc. It does nothing well, and many things poorly.
Groovy missed the boat on so many levels and has never reached critical mass. I've been complimented for not dismissing things in my blog, but I'm dismissing Groovy because it fails to be in the same league as Ruby, Python, Perl, Java, C++, etc. It does nothing well, and many things poorly.
Hmm, looks like no html links are allowed in comments.
So, here they are in plain text:
Grails - http://en.wikipedia.org/wiki/Grails_%28Framework%29
Groovy - http://groovy.codehaus.org/
Webbness - http://boo-lang.org/BooWebbness/ContentMetaData/Index.ashx?ContentMetaDataID=2d72f569-baff-451b-bad3-92b7758d4fde
Boo - http://boo.codehaus.org/
Nemerle - http://www.nemerle.org/
So, here they are in plain text:
Grails - http://en.wikipedia.org/wiki/Grails_%28Framework%29
Groovy - http://groovy.codehaus.org/
Webbness - http://boo-lang.org/BooWebbness/ContentMetaData/Index.ashx?ContentMetaDataID=2d72f569-baff-451b-bad3-92b7758d4fde
Boo - http://boo.codehaus.org/
Nemerle - http://www.nemerle.org/
David, I'd back up Andrey on recommending WebObjects. I went through a similar evaluation process a few years ago. I'd given up working for an organization that threw out Lotus Domino in place of Websphere & Struts. I evaluated Seaside and Rails and WebObjects, and concluded that of those three WO was the right way to go. Support for different RDBMS was very important for me, but so was performance and scalability. What's missing from Seaside, Ruby, and WO (but exists in spades in Domino) is easy admin, flexible fine-grained role-based security, and data/app replication (down to level of field-only replication).
I'd be interested to hear your thoughts on WO. Since you worked so much with NextStep and Java, and (I assume) you worked with Paul Lynch (you linked to plsys.co.uk in another thread), I'm guessing you are already quite familiar with WO and have ruled it out for some reason.
I'd be interested to hear your thoughts on WO. Since you worked so much with NextStep and Java, and (I assume) you worked with Paul Lynch (you linked to plsys.co.uk in another thread), I'm guessing you are already quite familiar with WO and have ruled it out for some reason.
After spending so many years drinking the Next coolaid that I resist any technology that comes out of Apple. One of my consulting projects involves a front end on OS X and a back end on the Web (we're using Rails.) The other team members keep trying to get me to work on the front end code, but doing anything in X-Code and Interface Builder brings back such strong memories that I just can't do it.
WO seems like a good choice from all the rumor and innuendo I've heard. Perhaps you could do a long posting about its strengths vs. Rails and include some code examples.
WO seems like a good choice from all the rumor and innuendo I've heard. Perhaps you could do a long posting about its strengths vs. Rails and include some code examples.
BTW, I like your comment mechanism - this is just about the best I've seen on any blog (I plan to take a look at Serendipity). Also, BTW, I used Mesa on OS/2 
I wasn't in I.T. when NeXT was around, but I read your blog entry on your dealings with AppleCare so I understand your hesitancy with regard to anything to do with Apple. BTW, last year after integrating WO more tightly with XCode, Apple turned around this year and basically said WO development in XCode was being deprecated! A lot of the really top notch WO developers have been eschewing XCode for Eclipse for some years, if that is of any interest.
I'm really caught up in a very different project now, but here are a few links that might interest you:
http://rentzsch.com/webobjects/introTo5
http://rentzsch.com/webobjects/wo5in15
http://en.wikibooks.org/wiki/Programming:WebObjects/Alternative_Technologies/Ruby_on_Rails
I still don't think WO is the perfect web development environment - for example, there is no security framework like there is in Domino. But WO was an important influence on Avi Bryant whilst developing Seaside. I heard recently he is trying to move Seaside away from using continuations - I'm not sure what is going on with that.
Incidentally, I too would be interested to hear your thoughts on Erlang and Erlyweb. There is guy re-building Lotus Domino using Erlang as a back-end:
http://couchdb.com/CouchDB/CouchDBWeb.nsf/Home?OpenForm
I wasn't in I.T. when NeXT was around, but I read your blog entry on your dealings with AppleCare so I understand your hesitancy with regard to anything to do with Apple. BTW, last year after integrating WO more tightly with XCode, Apple turned around this year and basically said WO development in XCode was being deprecated! A lot of the really top notch WO developers have been eschewing XCode for Eclipse for some years, if that is of any interest.
I'm really caught up in a very different project now, but here are a few links that might interest you:
http://rentzsch.com/webobjects/introTo5
http://rentzsch.com/webobjects/wo5in15
http://en.wikibooks.org/wiki/Programming:WebObjects/Alternative_Technologies/Ruby_on_Rails
I still don't think WO is the perfect web development environment - for example, there is no security framework like there is in Domino. But WO was an important influence on Avi Bryant whilst developing Seaside. I heard recently he is trying to move Seaside away from using continuations - I'm not sure what is going on with that.
Incidentally, I too would be interested to hear your thoughts on Erlang and Erlyweb. There is guy re-building Lotus Domino using Erlang as a back-end:
http://couchdb.com/CouchDB/CouchDBWeb.nsf/Home?OpenForm
You might also want to check out WebObjects. Think of it like Rails in that it has an MVC architecture and most things are right by default. But it also has a template/component architecture on the view side, a better object-relational framework in the Enterprise Objects Framework, it's built in Java (now - it started in Objective-C), and it's about a decade old now.
I really enjoyed your recent framework posts, David. I've started getting interested in Erlang, too, especially since web apps can be deployed with the high performance Yaws web server, which is just another Erlang process. I'd be very interested to hear more of your thoughts on Erlang and ErlyWeb.
David.
This is a fantastic ERD (Engineering Requirement Document) defining the perfect web framework. The one thing I long for reading this: a matrix with each of your requirements and each of the web frameworks evaluated against them. I'm tempted to say it should be Wiki style so that other people can add frameworks and do evaluations, but unfortunately that may lead to religous battles.
This is a fantastic ERD (Engineering Requirement Document) defining the perfect web framework. The one thing I long for reading this: a matrix with each of your requirements and each of the web frameworks evaluated against them. I'm tempted to say it should be Wiki style so that other people can add frameworks and do evaluations, but unfortunately that may lead to religous battles.
Good idea, Matthew. I put up a quick wiki at http://rashgash.stikipad.com/webstack/, and I'm hoping we can get something started. Feel free to help building it.
You forgot Catalyst (http://catalystframework.org) - (also the 2006 advent calendar shows some rather neat stuff: http://catalystframework.org/calendar). Take Rails / Jifty and add in all flexibility you were complaining that these were lacking. Brewing in some of the more evil Catalyst devs' minds is the notion that Jifty could reasonably easily be re-implemented on top of Catalyst so that you get the best of both worlds. It's also open source (under the same terms as perl so it's both BSD and GPL compatible more or less).
To be honest I think this is a sufficiently glaring ommission that you should do an update of this article evaluating catalyst. Whatcha think?
To be honest I think this is a sufficiently glaring ommission that you should do an update of this article evaluating catalyst. Whatcha think?
I think you're absolutely right!
I'll look at Catalyst.
Thanks and Happy New Year!
I'll look at Catalyst.
Thanks and Happy New Year!
Here are a couple more.
It must be cross platform.
It must be documented with copious example.
It must be stable.
It must be scalable and easily distributable amongst many servers.
IT MUST BE FINISHED!
It must be cross platform.
It must be documented with copious example.
It must be stable.
It must be scalable and easily distributable amongst many servers.
IT MUST BE FINISHED!
What about Catalyst?
http://www.catalystframework.org/
Gavin.
http://www.catalystframework.org/
Gavin.
I'd like to say thanks for a nice reading!
I've created my own web framework and it's not perfect either. Thing is, I've used some other web framework (Wee) which was closer to the way Seaside works. Also, I tried to create my own web framework based on some of the ideas of components that they have, but in the end, I decided to revert back to simple page oriented layout, because it was easier to update the layout, which could be done by anyone with some design skills. hehe.
I don't think a web framework that does everything in the list can be created when one wants to scale horizontally, as used in the eBay architecture for instance:
http://www.addsimplicity.com/downloads/eBaySDForum2006-11-29.pdf
That said, I do some of the items in your list already, even though things can improve even more. The possibilities are too many.
I've created my own web framework and it's not perfect either. Thing is, I've used some other web framework (Wee) which was closer to the way Seaside works. Also, I tried to create my own web framework based on some of the ideas of components that they have, but in the end, I decided to revert back to simple page oriented layout, because it was easier to update the layout, which could be done by anyone with some design skills. hehe.
I don't think a web framework that does everything in the list can be created when one wants to scale horizontally, as used in the eBay architecture for instance:
http://www.addsimplicity.com/downloads/eBaySDForum2006-11-29.pdf
That said, I do some of the items in your list already, even though things can improve even more. The possibilities are too many.
I can't believe noone has mention what I think is the web framework that supports more of the stuff listed than any other... Uncommon Web.
Uncommon Web is a web framework written in Common LIsp, below is a small list of some of it's features, many of which fit pefectly with what is desired in this manifesto:
Linear Page Flow Logic
UnCommon Web provides developers with the illusion that web pages are nothing more than function calls. This characteristic allows developers to write the page flow control logic as if it was a "regular" sequence of function calls. Developers can now ignore all of the accidental complexities introduced by the stateless HTTP protocol, the browser's "back" button and window cloning and concentrate on creating complex web applications.
Component Oriented UI
Components are CLOS objects which are used for representing both the "look and feel" of an application and the presentation logic. This component oriented system allows both the graphical elements and the presentation logic to be easily reused and adapted.
UnCommon Web provides a library of standard components which applications can tailor to their specific needs. This library includes, among others: a tabbed pane widget, a generic login form, a "select from options" component and a range view component.
Adaptability
The core request->eval->response loop is written in terms of a well defined protocal based on generic functions. Extending or modifying the core can be accomplished by simply redefining generic functions and defining classes. Modifications to the UI generation or i18n sub-systems can be made with the same ease.
Dynamic HTML Generation
UnCommon Web provides a programmer friendly HTML generation library which uses intuitive HTMLish macros and compiles to efficent text generation code. UnCommon Web also provides a designer friendly HTML templating system.
Both of these HTML generations systems are available in an independent library yaclml.
Portable
UnCommon Web has been ported to various Common Lisp implementations: OpenMCL, CMUCL and SBCL, CLISP and Allegro.
UnCommon Web is able to use multiple HTTP server backends: Apache + mod_lisp, aserve (and portableaserve), or araneida. UnCommon Web also contains a small pure lisp http server.
Normal Web App Fare
UnCommon Web, like most web frameworks, also provides: transparent session management (url rewriting or cookie based); logging (via the arnesi library); interactive error handling based restarts and, for non interactive sessions and production environments, web based inspectable backtraces and customizable "user friendly" 501 error pages.
I hope someone gives it a shot.
--Gabe
Uncommon Web is a web framework written in Common LIsp, below is a small list of some of it's features, many of which fit pefectly with what is desired in this manifesto:
Linear Page Flow Logic
UnCommon Web provides developers with the illusion that web pages are nothing more than function calls. This characteristic allows developers to write the page flow control logic as if it was a "regular" sequence of function calls. Developers can now ignore all of the accidental complexities introduced by the stateless HTTP protocol, the browser's "back" button and window cloning and concentrate on creating complex web applications.
Component Oriented UI
Components are CLOS objects which are used for representing both the "look and feel" of an application and the presentation logic. This component oriented system allows both the graphical elements and the presentation logic to be easily reused and adapted.
UnCommon Web provides a library of standard components which applications can tailor to their specific needs. This library includes, among others: a tabbed pane widget, a generic login form, a "select from options" component and a range view component.
Adaptability
The core request->eval->response loop is written in terms of a well defined protocal based on generic functions. Extending or modifying the core can be accomplished by simply redefining generic functions and defining classes. Modifications to the UI generation or i18n sub-systems can be made with the same ease.
Dynamic HTML Generation
UnCommon Web provides a programmer friendly HTML generation library which uses intuitive HTMLish macros and compiles to efficent text generation code. UnCommon Web also provides a designer friendly HTML templating system.
Both of these HTML generations systems are available in an independent library yaclml.
Portable
UnCommon Web has been ported to various Common Lisp implementations: OpenMCL, CMUCL and SBCL, CLISP and Allegro.
UnCommon Web is able to use multiple HTTP server backends: Apache + mod_lisp, aserve (and portableaserve), or araneida. UnCommon Web also contains a small pure lisp http server.
Normal Web App Fare
UnCommon Web, like most web frameworks, also provides: transparent session management (url rewriting or cookie based); logging (via the arnesi library); interactive error handling based restarts and, for non interactive sessions and production environments, web based inspectable backtraces and customizable "user friendly" 501 error pages.
I hope someone gives it a shot.
--Gabe
I would vote for causion in using the continuation abstraction in web development as it leaks a lot (
http://perlalchemy.blogspot.com/2006/11/continuations-for-web-development-and.html)
http://perlalchemy.blogspot.com/2006/11/continuations-for-web-development-and.html)
I'd be curious to hear how you think Wicket matches up against your criteria. We're getting a lot of very positive reactions from some pretty smart people.
Jonathan,
I've been looking at a number of frameworks as I'm building SwS. Wicket is well regarded by some of my corporate Java friends (well regarded is actually an understatement.)
I will spend some time learning Wicket as you seem to have addressed a whole lot of issues very well with it.
Thanks,
David
I've been looking at a number of frameworks as I'm building SwS. Wicket is well regarded by some of my corporate Java friends (well regarded is actually an understatement.)
I will spend some time learning Wicket as you seem to have addressed a whole lot of issues very well with it.
Thanks,
David
I don't quite understand why you put this requirement:
"Code should be impervious to a replay attack. That means that fields in forms should have random names that change for each request."
How you think it's compatible with a "testable" requirement? Esp. from an integration testing viewpoint, when I (developer) run automates tests using browser automation?
"Code should be impervious to a replay attack. That means that fields in forms should have random names that change for each request."
How you think it's compatible with a "testable" requirement? Esp. from an integration testing viewpoint, when I (developer) run automates tests using browser automation?
It does seem like a disconnect. Here's how it can work:
- For non-browser-based testing (if you haven't already checked out how Rails' tests work, it's worth a try), one can "map" the test request into the mangled name as part of the pseudo GET/POST.
- For browser-based testing (e.g., LoadRunner) the code can have a special "insecure" mode that will keep the parameter names consistent across tries.
Thanks for reading and participating.
- For non-browser-based testing (if you haven't already checked out how Rails' tests work, it's worth a try), one can "map" the test request into the mangled name as part of the pseudo GET/POST.
- For browser-based testing (e.g., LoadRunner) the code can have a special "insecure" mode that will keep the parameter names consistent across tries.
Thanks for reading and participating.
If code has "insecure" mode, and it runs in "secure" mode, I'm not testing what actual user gets. So, how can I be sure that "secure" mode works correctly?
Perhaps I'm not getting the nature of the security attack here?
Perhaps I'm not getting the nature of the security attack here?
If the program logic is divorced from HTML, the choice of parameter names becomes less important.
If the program has a construct that looks like TextFieldMap(field_name, field,...) which in Scala with Sails yields a mapping between the parameter and a function that looks like {field := value} and a form element that looks like input value="moo" type="text" name="000002_inp_F12ZpiRaNXwKGfa_$" (sorry, can't put tags in the comment, so that should look like an input tag)
The 'F12ZpiRaNXwKGfa' part of that is a random number and thus has to be changed each time that the form is submitted (it works fine for the browser which is stateless except for cookies, but poses a difficult problem for attackers who want to replay a series of forms.)
If we want LoadRunner to be able to identify the form element and test different values (or the same values), we need a way to tell the program (SwS in this case) that it should not vary the name of the field for each rendering. This could be done by replacing the random number with the name of the field or some other marker when the code is running in 'insecure' or 'test' mode.
While you are correct that this causes the code to take a different code path in the library, it is not taking a different code path in the application. It should also make no difference to the browser. The library simply generates a different field name, one that doesn't vary. If this code path fails, it will fail for many conditions and fail early in the development cycle. There is no change to the user code or any code path that the user code follows and thus will test the user code in the same way that a "secure" mode will test.
If the program has a construct that looks like TextFieldMap(field_name, field,...) which in Scala with Sails yields a mapping between the parameter and a function that looks like {field := value} and a form element that looks like input value="moo" type="text" name="000002_inp_F12ZpiRaNXwKGfa_$" (sorry, can't put tags in the comment, so that should look like an input tag)
The 'F12ZpiRaNXwKGfa' part of that is a random number and thus has to be changed each time that the form is submitted (it works fine for the browser which is stateless except for cookies, but poses a difficult problem for attackers who want to replay a series of forms.)
If we want LoadRunner to be able to identify the form element and test different values (or the same values), we need a way to tell the program (SwS in this case) that it should not vary the name of the field for each rendering. This could be done by replacing the random number with the name of the field or some other marker when the code is running in 'insecure' or 'test' mode.
While you are correct that this causes the code to take a different code path in the library, it is not taking a different code path in the application. It should also make no difference to the browser. The library simply generates a different field name, one that doesn't vary. If this code path fails, it will fail for many conditions and fail early in the development cycle. There is no change to the user code or any code path that the user code follows and thus will test the user code in the same way that a "secure" mode will test.
I understand how it should work from a technical viewpoint.
Perhaps, hidden in the library, it should be quite straightforward.
But I still don't understand what the problem this indended to solve?
Perhaps, hidden in the library, it should be quite straightforward.
But I still don't understand what the problem this indended to solve?
The problem is replay attacks.
Using various means (sniffing packets at the network level, having malware on the local machine that records post SSL decoded browser traffic, etc.) an attacker can record the activities of a user on a particular site. The attacker can then "replay" the session or part of the session to gain access to a resource (e.g., record the login to your bank account or your paypal account, etc.) and then "complete" a transaction manually, except that the transaction moves some resources (e.g., money) into the attacker's account.
Hindering the ability to do replay attacks mean that an attacker will spend time on an easier to crack system than the protected system.
Replay attacks (http://en.wikipedia.org/wiki/Replay_attack) are real.
Using various means (sniffing packets at the network level, having malware on the local machine that records post SSL decoded browser traffic, etc.) an attacker can record the activities of a user on a particular site. The attacker can then "replay" the session or part of the session to gain access to a resource (e.g., record the login to your bank account or your paypal account, etc.) and then "complete" a transaction manually, except that the transaction moves some resources (e.g., money) into the attacker's account.
Hindering the ability to do replay attacks mean that an attacker will spend time on an easier to crack system than the protected system.
Replay attacks (http://en.wikipedia.org/wiki/Replay_attack) are real.
While solving replay attacks sounds like a good thing you must remember that if I can write automated web based tests for an application then I can write a malicious script that can run a fake session. Sure, it would be a little harder to grab the right fields for the attack, but regardless of how you name the fields internally there must be a human readable name on the page associated with that input field so that the user knows what to type in there. There is also likely an order for the fields on the page that needs to stay the same to avoid confusing all of your users and it is trivial to then fill in values based on the ordering of fields.
Having random field names seems to make an application more secure, but it fails to accomplish much, especially when compared to an easier to implement and easier to test solution such as including a nonce with each page and only allowing each form to be posted once by keeping track of which nonces were used.
If you want to prevent automated bots from sending money from your bank you can put one of those lovely captcha tests that is used to filter out machines from humans and not cause more trouble for your QA department.
Having random field names seems to make an application more secure, but it fails to accomplish much, especially when compared to an easier to implement and easier to test solution such as including a nonce with each page and only allowing each form to be posted once by keeping track of which nonces were used.
If you want to prevent automated bots from sending money from your bank you can put one of those lovely captcha tests that is used to filter out machines from humans and not cause more trouble for your QA department.
Security is not an absolute. It's all a series of marking it harder to do something bad to you relative to (1) the value of doing something bad and (2) the cost of doing something bad to someone else.
Replay attacks are easy if you're only changing the cookie. However, once you start making it a requirement that the attacker load a page, parse the content and do substitution, the attack becomes harder. It means that a simple replay becomes a programming project.
Once the attackers have caught up with that, start re-ordering fields and then putting them back in the right order using JavaScript. That'll require that the attackers implement a JavaScript engine and run the JavaScript code for each page loaded.
I was VPE and CTO at Cenzic (http://www.cenzic.com) We built tools that allowed QA groups to craft attacks on web sites. It turns out that the tools that simply did replay attacks were useless against anything but the most simple web sites. Cenzic's version 1 tools couldn't reliably replay login sequences for many web sites. This was not due to the lack of smart in the team that built the tools, but the stateful complexities of real-world web sites.
Our version 2 product was actually built using IE to load, render, and inject each page. We were able to successfully replay significantly more complex sites, but at a huge performance cost (running everything through IE took a lot of time.)
Cenzic's version 3 product (done after I left) was built on Firefox (having source is always better.) According to people who were beta testers, it faired worse than the IE implementation because it was unable to render IE-specific JavaScript (this was before Firefox had enough market penetration to justify sites supporting it.)
So, yes, you're right, in theory, anything that a human can do, a machine can do, too (except maybe deciphering captchas.) However, in practice, randomizing field names (in production, but not in QA) will raise the attack bar high enough that an attacker will likely look at a competitor's site as a target first.
Replay attacks are easy if you're only changing the cookie. However, once you start making it a requirement that the attacker load a page, parse the content and do substitution, the attack becomes harder. It means that a simple replay becomes a programming project.
Once the attackers have caught up with that, start re-ordering fields and then putting them back in the right order using JavaScript. That'll require that the attackers implement a JavaScript engine and run the JavaScript code for each page loaded.
I was VPE and CTO at Cenzic (http://www.cenzic.com) We built tools that allowed QA groups to craft attacks on web sites. It turns out that the tools that simply did replay attacks were useless against anything but the most simple web sites. Cenzic's version 1 tools couldn't reliably replay login sequences for many web sites. This was not due to the lack of smart in the team that built the tools, but the stateful complexities of real-world web sites.
Our version 2 product was actually built using IE to load, render, and inject each page. We were able to successfully replay significantly more complex sites, but at a huge performance cost (running everything through IE took a lot of time.)
Cenzic's version 3 product (done after I left) was built on Firefox (having source is always better.) According to people who were beta testers, it faired worse than the IE implementation because it was unable to render IE-specific JavaScript (this was before Firefox had enough market penetration to justify sites supporting it.)
So, yes, you're right, in theory, anything that a human can do, a machine can do, too (except maybe deciphering captchas.) However, in practice, randomizing field names (in production, but not in QA) will raise the attack bar high enough that an attacker will likely look at a competitor's site as a target first.
For those who hate programming and database designing, you should take a look at Nenest (http://www.nenest.com). Without any script programming and database designing, you are able to build up rich functional web database applications. You are also able import existing databases and host them online on the fly.
I agree with most of your critique. I have tried to address some/most of them in
http://mdp.cti.depaul.edu/examples
http://mdp.cti.depaul.edu/examples
"Sessions should be tied to a browser window/tab, not to a browser session." - I completely share this requirement for the web development frameworks. It's tends to be inconvenient if one tries to check the data exchange and needs to log in every time. At the same time this convenience on the step of development can be crucial for data security for on-line project.
I suppose that all the feedbacks to the future developers of the frameworks should be accumulated and spread on the web!
I suppose that all the feedbacks to the future developers of the frameworks should be accumulated and spread on the web!
One framework to rule them all: web2py
Why? In 3 words:
- Complete
- Consistent
- Concise
I looked at many of the frameworks you mention in your blog. Most were rejected because they weren't python based. The final cut came down to Django and ROR (though ROR already had 2 strikes against it because it wasn't python).
Then I had the good fortune to discover web2py at the last minute. Within weeks I had 2 production-ready apps completed and I was absolutely hooked. web2py is the best out there. On top of that, it's fun to use.
Why? In 3 words:
- Complete
- Consistent
- Concise
I looked at many of the frameworks you mention in your blog. Most were rejected because they weren't python based. The final cut came down to Django and ROR (though ROR already had 2 strikes against it because it wasn't python).
Then I had the good fortune to discover web2py at the last minute. Within weeks I had 2 production-ready apps completed and I was absolutely hooked. web2py is the best out there. On top of that, it's fun to use.
David Pollak
Calendar
|
July '10 | |||||
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 | |
David Pollak has been writing some great summaries of the top web frameworks. The great thing about his blog is that he doesn’t dismiss frameworks out of hand or blindly hype them. He recognizes that they all have their strengths and weaknesses a...
Tracked: Nov 23, 18:26