undefined | Better HN

0 pointsdpau6y ago0 comments

was just about to comment along these lines! i never understood those eschewing frameworks... in the above example a PHP framework like Laravel is in constant development by lots of people, with security updates and refinements pushed out on a regular basis. even if u are an uber-developer, in what situation is rolling your own ever the right choice? is your project that different from everyone else's?

0 comments

10 comments · 5 top-level

syn0byte6y ago· 3 in thread

Why don't you drive an 18 wheeler to work every day? They are used by millions of professional people every day who's job it is to drive! Why would you be different from all those people that you think you need to use a little car instead?

The answer is obvious in both cases; You don't need it and it would be wasteful. If I don't have a huge database with constant read/write calls, If I don't have to try to manage multiple end users submitting content, if I don't need super async real-time snappy UIs to compete with the latest android app fad or session tracking of tens of thousands of users, why would I need laravel?

If nobody rolled their own specifically for what they needed, we would still be writing ASM/APL/Raw hex.

dpauOP6y ago

i'm sorry but i'm really not convinced by this argument. there are many frameworks available in various languages/platforms, some created specifically to be light and fast (in the PHP example above, lumen is a possible choice). my other argument would be- why are you spending so much time on plumbing when you could be concentrating on the parts of your application that make it special?

NeoBasilisk6y ago

Most people are making CRUD apps that aren't all that special.

least6y ago

This analogy sort of falls apart in the details. Rolling your own is more akin to building your own vehicle. You might have all the right parts to have a functioning vehicle but you probably don't have the experience of a team of engineers and designers of a commercial vehicle.

In most cases you can buy a modestly sized vehicle from a manufacturer that still has a team of people ensuring the performance, utility, and safety of the vehicle.

orf6y ago· 2 in thread

I remember seeing this one post on HN from some PHP consultancy that had open sourced some kind of PHP web app that was "engineered from the start to be secure".

I took a look at the code on GitHub and it was absolutely horrible. They basically built their own mini-framework, poorly, with mixed concerns and poor, ad-hoc and inconsistent validation everywhere. Terrible.

I left an issue on GitHub with my findings and got into an argument with the author in the HN submission about how it's disingenous to say something is engineered from the ground up to be secure, if you're eschewing all the man hours that have gone into something like Larvel. I think his reasoning boiled down to "Larvel has CVE's so it's not secure".

Some people are just like that I guess.

Edit: found it - "How We Engineered CMS Airship to Be Simply Secure" https://news.ycombinator.com/item?id=13905055

wolco6y ago

Messy code is not insecure code and clean looking code is not secure code by default.

It could be a signal of sloppyness or writing it in vim.

orf6y ago

I totally agree. My point was:

> This is not engineering a project to be "simply secure", in the sense that it is definitely not simple and probably not secure!

Messy, duplicated code that re-invents the wheel hides security bugs.

Saying "Windows has security issues, so I'm going to write my own operating system for my software" doesn't mean you can't knock it out of the park and make the most secure operating system ever... but I wouldn't exactly bet on that being the case.

itronitron6y ago

I think the main problem with the current Javascript UI frameworks is that they introduce an 'abstract middleman'that distances developers from what is actually happening in the browser. I expect there are many web developers unfamiliar enough with MVC that they are drawn to the Javascript frameworks even though MVC isn't a particularly difficult concept.

asdf216y ago

But there are tons of laravel sites, so there is a substantial profit motive to look for vulnerabilities in them.

It's like, outdated Wordpress sites get hacked all the time, but if I just threw together my own shitty blog in PHP and MySQL there's almost no chance it would, as no one (generally) is going to take the time to figure out hacks for just one site (especially for SMB).

nfgu6y ago

Someone isn't necessarily "rolling their own stack from scratch" just because they eschew a framework.

You can always import libraries into your project for the critical stuff, instead of using the whole framework.

Even Laravel itself imports third-party libraries such as Symfony, which you can use in your project without importing Laravel.

j / k navigate · click thread line to collapse