I'm not going to let go of my argument with Dan Abramov on X 3 years ago where he held up RSC as an amazing feature and I told him over and over he was making a footgun. Ta-da!
I'm a nobody PHP dev. He's a brilliant developer. I can't understand why he couldn't see this coming.
For what it’s worth, I’ve just built an app for myself with RSC, and I’m still a huge fan of this way of building and structuring web software.
I agree I underestimated the likelihood of bugs like this in the protocol, though that’s different from most discussions I’ve had about RSC (where concerns were about user code). The protocol itself has a fairly limited surface area (the serializer and deserializer are a few kloc each), and that’s where all of the exploits so far have concentrated.
Vulnerabilities are frustrating, and this seems to be the first time the protocol is getting a very close look from the security community. I wish this was something the team had done proactively. We’ll probably hear more from the team after things stabilize a bit.
I'm not defending React and this feature, and I also don't use it, but when making a statement like that the odds are stacked in your favor. It's much more likely that something's a bad idea than a good idea, just as a baseball player will at best fail just 65-70% of the time at the plate. Saying for every little thing that it's a bad idea will make you right most of the time.
But sometimes, occasionally, a moonshot idea becomes a home run. That's why I dislike cynicism and grizzled veterans for whom nothing will ever work.
A tale as old as time: hubris. A successful system is destined to either stop growing or morph into a monstrosity by taking on too many responsibilities. It's hard to know when to stop.
React lost me when it stopped being a rendering library and became a "runtime" instead. What do you know, when a runtime starts collapsing rendering, data fetching, caching, authorization boundaries, server and client into a single abstraction, the blast radius of any mistake becomes enormous.
I never saw brilliance in his contributions. Especially as React keeps being duct-taped.
Making complex things complex is easy.
Vue on the other hand is just brilliant. No wonder its creator, Evan You, went on to also create Vite. A creation so superior that it couldn't be confined to Vue and the React community adopted it.
There's no need to take down and diminish others' contributions, especially in open source where everybody's free to bring a better solution to the table.
Or just fork if the maintainers want to go their way. If your solution has its merits it will find its fans.
While everyone is free to fork and maintain React, it's by no means an easy task, especially if it's not their job like it is Dan's.
Plus, industry tends to gravitate towards what is popular. Network effects and all. So if a massively popular tool is subpar, the complications of it aren't without impact.
And no one is immune to criticism. LLMs are criticised for their sycophancy but some humans are no different when it comes to gatekeeping criticism.
Not really, we just say the parents are more attuned to their child than the national government. I love the dystopian argument that without age laws parents would be out buying cigarettes and booze.
And if the government regulates, your children join an after-school program where they learn outdoor survival skills, exercise, and learn the popular political party's glee club.
There would be nothing new here?
The argument is that kids being online isn’t the government’s business one way or the other.
The slippery slope argument is always secondary, but how often has government regulation not grown in size and scope? Combine that with how norms shift and the type of large scale identity infrastructure put in place to support this, can you honestly say this isn’t going to grow?
All of that also ignores the possibility (read inevitability) that a bad actor/authoritarian would exploit this access further without popular support.
And we already see what India is trying to do: force phone manufacturers to have an always-on GPS feature where the government can track you, and disable the phone’s feature that notifies you if something is using your location.
Eval has been known to be super dangerous since before the internet grew up and went mainstream. It is so dangerous that to deploy stuff containing it should come with a large flashing warning whenever you run it.
Half of web map solutions rely on workers, which can't be easily loaded from third-party origins, so they are loaded as blobs. Loading a worker from a blob is effectively an eval.
No, their whole point is that what they are doing is the literal equivalent of calling eval. Whether that actually uses the word 'eval' or a function called 'eval' is beside the point.
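Since the comments above treat a blob-loaded worker as an eval, the question for a defender is whether a site's Content-Security-Policy actually permits blob: workers. The following is an added example, not code from this thread; it applies the CSP Level 3 fallback chain for worker requests (worker-src, then child-src, then script-src, then default-src) to a header string, using constructed sample headers.

```javascript
// Added example, not from the thread. Given a Content-Security-Policy
// header value, report how it treats blob: Web Workers, which the
// comments above liken to eval. Per CSP Level 3, worker requests are
// governed by worker-src, falling back to child-src, then script-src,
// then default-src; the first directive present in that order decides.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse "name v1 v2; name2 v3" into a Map of directive -> source list.
// A repeated directive name is ignored after its first occurrence, as
// browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map(t => t.toLowerCase()));
  }
  return policy;
}

// Returns { directive, status } where status is one of:
//   'unrestricted' - no governing directive, so blob: workers run freely
//   'allowed'      - the governing directive lists blob: explicitly
//   'blocked'      - the governing directive is 'none'
//   'implicit'     - some other source list; the '*' wildcard never
//                    matches blob: URLs, and whether 'self' does has
//                    differed between browsers, so a reviewer should
//                    confirm in the target browser rather than assume
function blobWorkerStatus(header) {
  const policy = parseCsp(header);
  const name = WORKER_FALLBACK.find(d => policy.has(d));
  if (name === undefined) return { directive: null, status: 'unrestricted' };
  const values = policy.get(name);
  if (values.includes("'none'")) return { directive: name, status: 'blocked' };
  if (values.includes('blob:')) return { directive: name, status: 'allowed' };
  return { directive: name, status: 'implicit' };
}

// Constructed sample headers for a quick self-check.
const SAMPLES = {
  permissive: "default-src 'self'; script-src 'self' blob: 'unsafe-eval'",
  strict: "default-src 'self'; script-src 'self'; worker-src 'none'",
  noWorkerRule: "img-src *",
};

for (const [label, header] of Object.entries(SAMPLES)) {
  console.log(label, blobWorkerStatus(header));
}
```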