Avalon part 2

Chris Anderson from the Avalon team replied to some of my points that I made last week

First, let me stress again that I think that the guys over at the Avalon team are doing some fantastic work and probably have had to make some hard decisions and have a lot on their plate.

Cris, As I said in my previous post, if Avalon really takes off, we might look into bringing that API to Mono as well.

My concerns stem from the fact that we do not want to waste our time with dead-end APIs as we are vastly under-resourced, so we must choose carefully. With that in mind, and keeping in mind my bias.

I agree that solving the low-tech attacks effectively with software is probably a research subject. And I appreciate that you guys are putting a lot effort on the security infrastructure for WinFX, Avalon and .NET but it still falls short: it will not resist the low-tech attack today.

Bruce Schneier has a good introduction to attack trees. The core is that in any system that is to be secured an attacker only needs to choose the weakest link. In this case, Avalon's ClickOnce just seems like a disaster waiting to happen. Imagine Outlook viruses gone wild.

Solving this is extremely simple, the answer is well known: do not allow ClickOnce-like technologies.

My guess is that the problem is that this goes against the fundamental reason for the existence of Avalon.

Joel's latest piece has some good points on the role of software in societies. It seem that engineering organizations are too much in contact with the technical details of how to make things happen, without looking at where and how the software is going to be consumed.

Certain things in the Gnome world have been hard explicitly to avoid problems of this nature (the never-shipped and luckily-defunct executable-mime-type handler is one example).


Anyways, my problem is that it seems that Avalon is trying to do too much too soon. It seems to be following the over-designed footsteps of Java's Swing: it avoids the over model-view-controller-itis, but it introduces its own pains and has the elements of a second system

The surface area is just of gargantuan proportions, sure, if you are dealing with a `Button' you will be fine. But hey, it was relatively simple to build buttons with Motif and Swing too.

You are right that it is unfair to comment on a product that is not even beta, but if you guys are shipping in 2006, I do not see a lot of room to maneuver there. I can only hope I am wrong.

Tk and XView are nice examples toolkits that hide the complexity from the user each on their own ways. These toolkits encapsulated the complexity and exposed only the basics to the user: they provided fairly high-level building blocks and the rest was tucked-in behind the scenes. On the other side, we have things like Avalon where the implementation details transpire at every level: not only is the developer going to use the high-level building blocks, but he will be exposed and will face the internals.

Am not arguing that it is necessarily bad, but it is easier to expose as little as possible and add features on an as-needed-basis than it is to come up with a large framework and maintain every implementation decision made today.

By exposing as little as possible you have a choice when it comes to architecting the internals, and most importantly to re-architect the internals in the future if you must. A clean separate between the exposed API and its implementation. But Avalon does not have this luxury: the API is the implementation and the API transpires very much of the implementation (mind you, this is very convenient for people interested in re-implementing it, while tying their hands to an existing design).

I read with interest the various justifications for not following the standards just when Avalon was coming out, I wont argue about the merits of the CSS one, but the case for not using SVG is particularly poor: `not using pascal casing', `not using full english words'?

It can only make sense in a world of only-Microsoft technologies, but even there, you are shooting yourself in the foot: collaboration with others might be initially difficult, but it has always paid off in nature.

Collaboration of Microsoft with competitors tends to be difficult. Maybe there are ways we can improve this.

As for missing features, there are ways of driving the standards forward. For example the whatwg group is finally moving the web forward again.

In any case, thanks for listening Chris, and lets hope that you guys can improve Avalon, but in the meantime some folks are considering the options, Joel has two good articles: API war and his call to arms to improve the Web with some followups. Update: Fixed a few typos.

Mono Updates

Sebastien has posted an update on CAS.

Our XQuery implementation was born on August 20. Atsushi has posted an update on System.XML 2. You can also see his prototype to call CIL from XQuery.

Debating trip to Redmond

Due to some other commitments it seems unwise to attend the TG2/TG3 ECMA meetings in Redmon on the week of the 20th.

Am wondering if I should fly in on Sunday to attend the Tuesday meeting. If there are people from Microsoft interested in meeting on Sunday for dinner and Monday (nothing formal, just chilling out and debating software things). That might make for two useful days: one ECMA and one of chilling out.

Thoughts? miguel at novell dot com is the address.

Have to make a decision on the next 48 hours.

Another Molly Ivins Gem

Molly Ivins can write very well.

Greg Palast on Choice Point

Greg Palast on Choice Point and the DNA database of every citizen:

These guys are in the Fear Industry. Secret danger lurks everywhere. Al Qaeda's just the tip of the iceberg. What about the pizza delivery boy? ChoicePoint hunted through a sampling of them and announced that 25 percent had only recently come out of prison. "What pizza do you like?" asks CEO Smith. "At what price? Are you willing to take the risk?..."

Oh my god! Good thing I get my Pizza from the frozen section at the minimart. I feel safer now.

From Planet Gnome

Some great animations.

Posted on 09 Sep 2004 by Miguel de Icaza
This is a personal web page. Things said here do not represent the position of my employer.