webdevRefinery Forum: Meteor - webdevRefinery Forum


User is offline Kyek 

  • Founder of wdR
  • Group: Administrators
  • Posts: 5078
  • Joined: 20-February 10
  • Location: Philadelphia, PA, USA
  • Expertise:HTML,CSS,PHP,Java,Javascript,Node.js,SQL

Posted 11 April 2012 - 10:19 AM (#1)

Meteor


A web framework for 2012.
I went back and forth with myself for awhile, debating whether this belongs in Tech News Talk or Node.js. I decided that since it stands to have a decent impact on how webapps are written in the future, it belongs here :).

So the concept is this: You have a template for your HTML, and you have your application code in Javascript. Server side, client side, whatever, it's the same codebase. For simple apps, it's the same file. When you update any javascript that would affect the client side, it gets pushed to the people currently on your site, live, so they get the update. If you define an element of the page or a piece of data or something that should be kept in sync between all connected users, it happens seamlessly. Meaning, if you have a button on your page that changes a div to a different background color, you can tell that to sync between browsers and now *everyone* on your site, in real time, can see the color change when anyone clicks the button. And you do that without having to know anything about websockets or protocols or any library that isn't Meteor's own API. Doing this is literally 3 lines of code.

That's really only the tip of the iceberg. They also have a PaaS to deploy your creations to, a module packager that ensures each module you use is capable of the live-updates thing, and a million other bells and whistles. It's pretty impressive.

http://meteor.com

Some random thoughts about this:
  • I used to warn people against using MongoDB a lot, but they've made some recent updates that make it warrant a second look -- so I won't hate on the basis of the DB choice for now ;-)
  • It DOES bother me that Mongo is the *only* choice. Their API allows for basic key/value storage as well as for more complex relational queries, so if you can only have one DB, Mongo wasn't a horrible choice... but I don't see wide adoption of the framework without supporting more types of data.
  • There is currently zero security around database access. Any client on your site has full DB access. That is frickin INSANE. But, when asked about this in the HN thread, they said they have an auth branch in the works that will cover this concern. Until then, Meteor can really only be treated as a cool toy.
  • I'm really curious what the bandwidth overhead is for this. Clearly it's using websockets (and might even implement socket.io; I haven't looked at it yet) but what all gets sent down when you save a one-line change? It's worth looking at.
  • The variable dependency detection in the live functions (if you watched the screencast) is fucking MAGIC and I can't WAIT to read the source to see how the hell they pulled that off.
  • The license is GPL. Meaning, if you want to use this for something closed-source, you're probably going to have to pay money for a commercial license. That's kinda crappy. I'd rather they profit off of their PaaS than lock down the actual library itself.

1


User is offline Cocoa 

  • Group: Members
  • Posts: 418
  • Joined: 30-November 10
  • Location: England

Posted 11 April 2012 - 10:37 AM (#2)

I must be missing something here, is this a new framework or API or something?

I'm confused to say the least.
Dan || HTML || CSS || Web & Graphic Designer

Oh, there's no place like 127.0.0.1


Portfolio | Forrst (6 Invites) | Dribbble

MY FIRST TUTORIAL - HOW TO CREATE THE IRON MAN LOGO
0


User is offline Kyek 

  • Founder of wdR
  • Group: Administrators
  • Posts: 5078
  • Joined: 20-February 10
  • Location: Philadelphia, PA, USA
  • Expertise:HTML,CSS,PHP,Java,Javascript,Node.js,SQL

Posted 11 April 2012 - 10:54 AM (#3)

It's a full application framework -- which intrinsically has an API. Just watch the screencast :)
0


User is offline Cocoa 

  • Group: Members
  • Posts: 418
  • Joined: 30-November 10
  • Location: England

Posted 11 April 2012 - 11:08 AM (#4)

Seems very interesting but the website is awful... not just design wise.
Dan || HTML || CSS || Web & Graphic Designer

Oh, there's no place like 127.0.0.1


Portfolio | Forrst (6 Invites) | Dribbble

MY FIRST TUTORIAL - HOW TO CREATE THE IRON MAN LOGO
0


User is offline Renegade 

  • 418 I'm a teapot
  • Group: Members
  • Posts: 748
  • Joined: 08-March 10
  • Expertise:HTML,CSS,PHP,Javascript,Node.js,SQL,Graphics

Posted 11 April 2012 - 12:39 PM (#5)

This is pretty ridiculous. Is everything automated? I'm pretty skeptical. Did I pick it up correctly or is Meteor building queries based on your templates? I think that might be a little too much magic for me but I like how it's optional and I especially love how you can bundle your project so you're not entirely tied down. They know how we think.

I can see what you mean by the vulnerabilities via the client-side database interaction. I really don't know how they'll be able to secure that unless some sort of backend code is implemented. All in all, this is something to look forward to when it does finally kick-ass.

Also, it really shows how much crap we have to go through to get apps out there. Deploying an app requires a serious amount of effort, time and preparation, not to mention money.
http://adriancooney.ie | Github | Twitter | Dribbble | Forrst
We all die. The goal isn't to live forever. The goal is to create something that will.

Array(16).join({}-{}) + " Batman!";
0


User is offline dida 

  • Group: Members
  • Posts: 1976
  • Joined: 10-March 10
  • Expertise:HTML,CSS,PHP,Java,Javascript,Python,Ruby on Rails,Node.js,SQL,Graphics,Flash,MongoDB,CouchDB,Cassandra

Posted 11 April 2012 - 01:22 PM (#6)

Cool.
0


User is offline Nand 

  • Group: Members
  • Posts: 36
  • Joined: 24-February 12
  • Expertise:PHP,SQL

Posted 11 April 2012 - 03:01 PM (#7)

What kind of witchery is this?!

Memes aside, this is pretty damn cool.
I don't have the faintest idea how they do it, so I'm confused as to what it really is.

Really want to dig into this...
0


User is offline callumacrae 

  • {{ post.author }}
  • Group: Members
  • Posts: 2862
  • Joined: 20-January 11
  • Location: Warwickshire, England
  • Expertise:HTML,CSS,PHP,Javascript,Node.js,SQL

Posted 11 April 2012 - 03:38 PM (#8)

Kyek, on 11 April 2012 - 10:19 AM, said:

The license is GPL. Meaning, if you want to use this for something closed-source, you're probably going to have to pay money for a commercial license. That's kinda crappy. I'd rather they profit off of their PaaS than lock down the actual library itself.

I haven't used GPL3 so I could be wrong, but since when has that been how GPL works?
Front-end developer and writer
Twitter | GitHub | phpBB Contributor and Website Team Member | lynxphp
0


User is offline Renegade 

  • 418 I'm a teapot
  • Group: Members
  • Posts: 748
  • Joined: 08-March 10
  • Expertise:HTML,CSS,PHP,Javascript,Node.js,SQL,Graphics

Posted 11 April 2012 - 04:06 PM (#9)

After taking a deeper look into the examples, I can't really warm to this. There just seems to be too much going on.

The source on http://wordplay.meteor.com/:

<!DOCTYPE html> 
<html> 
<head> 
  <link rel="stylesheet" href="/1c58da6d0bc1e1e7b29bf5db7cf1dd089637c5e5.css"> 
 
 
 
  <title>Word play!</title> 
 
 
  <script type="text/javascript" src="/f508fd5298a0add8b255958345dae52197472b6c.js"></script> 
 
</head> 
<body> 
 
</body> 
</html> 


No content whatsoever, all added dynamically seemingly. Also, I opened two windows and added two players. I then opened console and did
Players.remove({})
(empties the collection) and both players exited. I really don't see how this could've been released with that amount of vulnerability. I suppose you could overwrite those functions that access the database but they're created after your code is executed.
http://adriancooney.ie | Github | Twitter | Dribbble | Forrst
We all die. The goal isn't to live forever. The goal is to create something that will.

Array(16).join({}-{}) + " Batman!";
0


User is online Cyril 

  • Group: Members
  • Posts: 2544
  • Joined: 03-August 10
  • Expertise:HTML,CSS,PHP,Javascript,Graphics

Posted 11 April 2012 - 04:19 PM (#10)

I'm with Renegade on this. Databases have security, authentication for a reason... Being able to open up a console and changing stuff as a client totally defeats the purpose of that.
Even if they're implementing that, the whole idea of even being able to access a DB like that is, IMO, bonkers. Which in turn, makes me think this whole thing is an insecure useless pile of excrement. I'll stay with sockets, thank you very much.

website :: github :: twitter :: dribbble :: forrst
html, css, php, javascript, graphics
0


User is offline Kyek 

  • Founder of wdR
  • Group: Administrators
  • Posts: 5078
  • Joined: 20-February 10
  • Location: Philadelphia, PA, USA
  • Expertise:HTML,CSS,PHP,Java,Javascript,Node.js,SQL

Posted 12 April 2012 - 08:21 AM (#11)

Whoa, all the hate ;-).

I'm actually a huge supporter of building the application entirely through Javascript. Here's why: There's a feature in your web browser, right now, to "pin" a tab. This encourages you to keep open tabs on a long-term basis; something that many people were doing anyway with things like GMail, Trello, and other webapps that update in real time. So if you're the author of one of those applications, you're faced with a problem: A significant percentage of your userbase is never reloading your page. So how do you push updates? Well, there are pretty much three ways to do this:
  • Reload the page every X hours as long as there's no activity for the past Y minutes. But maybe the user was looking at the site, just not interacting with it, and you've interrupted them. Maybe they had text entered into a form element and you just erased it. You should never assume you should control when your page is reloaded. So, bad solution.
  • Make the page aware of an update flag. Whenever you update the app, you either stop your users from performing any major actions, or just pop up a big notice that says "Please reload the page to see our new version!". In any case, you're interrupting the user and causing an annoyance, no matter how minor. Bad solution.
  • Realize that your web app is just that: An application. Not some distinction between static and dynamic content; an application that is interacting with a server, where anything can be created or destroyed dynamically. This gives the server full control over the content of the users' pages, and allows for seamless updates without any level of annoyance or even an awareness that an update is happening. While this requires some extra planning on the part of the programmer (or, not so much if you're using Meteor), this is the best solution for the end user. And that's the most important person.


What I think most web devs, and me included, are guilty of in a field moving as fast as ours is getting too comfortable with one way to do things, and trying to hold on to that. The best web apps are dynamic now, and if you look at trends in what popular web apps are doing, it's only moving more rapidly to a dynamic interface. So, you can either plant yourself in the ground and say that web applications should have a static component and anything that challenges that is too much, or you can consider that this move might be inevitable to support concepts like long-running applications and fully dynamic UX. So on that front, I think Meteor is absolutely huge.

I *do* agree with the database security stuff, but read back up to my first post -- this isn't 1.0, it's still a toy, and there's an 'auth' branch of their repo that's addressing this concern. So in the nearer future, we'll have higher security on this. For now, we can still dive in and learn about it :). I have to disagree with this line, though:

Cyril, on 11 April 2012 - 04:19 PM, said:

Databases have security, authentication for a reason...

Many databases (in fact, nearly all NoSQL databases) either have no authentication layer, or have it off by default. The idea is that if you can access it through the network, you have permission to use it. Riak, Cassandra, MongoDB, Couch, Membase, Redis, the list goes on and on and on. More and more, the responsibility of authentication is being left to the application, not the database. Which is why it makes so much sense that the auth branch is being developed for Meteor, rather than Meteor doing something like enabling Mongo's simplistic auth layer and trying to proxy to that. I think it's a pretty good approach, and I'm excited to see what they do with it.

Also worth note is that you don't HAVE to expose your DB to the client with Meteor -- that was just part of their example. You can have model-like functions that enforce permissions instead, right now, without waiting for the auth branch.
0
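
The "model-like functions" idea from post #11, set beside the open collection access shown in posts #9 and #12, as an added example that is not part of the thread and not Meteor's own code. It is an in-memory model in plain JavaScript; `Collection`, `openEndpoint`, `methodEndpoint`, the method names and the sample players are all hypothetical.

```javascript
// Added illustration in plain JavaScript: an in-memory model of the pattern, not Meteor's API.
class Collection {
  constructor() { this.docs = []; }
  insert(doc) { this.docs.push({ ...doc }); }
  find(selector = {}) { return this.docs.filter(d => matches(d, selector)); }
  remove(selector = {}) {
    const before = this.docs.length;
    this.docs = this.docs.filter(d => !matches(d, selector));
    return before - this.docs.length; // number of documents removed
  }
}
// An empty selector matches every document, so remove({}) empties the collection.
function matches(doc, selector) {
  return Object.keys(selector).every(k => doc[k] === selector[k]);
}
// Pattern criticised in the thread: the server runs whatever operation the client names.
function openEndpoint(collection) {
  return (op, selector) => collection[op](selector);
}
// Model-like functions: clients may call only these named methods, and each acts
// on the session identity (assumed set by the server, never read from the request).
function methodEndpoint(collection) {
  const methods = {
    listPlayers: () => collection.find().map(p => p.name),
    leaveGame: (session) => collection.remove({ owner: session.userId }),
  };
  return (session, name, args = []) => {
    if (!session || !session.userId) throw new Error("not signed in");
    if (!Object.prototype.hasOwnProperty.call(methods, name)) {
      throw new Error(`unknown method: ${name}`);
    }
    return methods[name](session, ...args);
  };
}
// Constructed sample data: two players owned by two different users.
function seededPlayers() {
  const players = new Collection();
  players.insert({ name: "alice", owner: "u1" });
  players.insert({ name: "bob", owner: "u2" });
  return players;
}
function demo() {
  const removedOpen = openEndpoint(seededPlayers())("remove", {}); // wipes every row
  const call = methodEndpoint(seededPlayers());
  let rejected = false;
  try { call({ userId: "u2" }, "remove", [{}]); } catch (e) { rejected = true; }
  const removedGuarded = call({ userId: "u2" }, "leaveGame"); // only u2's own row
  return { removedOpen, rejected, removedGuarded, left: call({ userId: "u2" }, "listPlayers") };
}
console.log(demo());
```

The own-property check on the method table matters: without it a caller could name inherited properties such as `constructor` instead of one of the listed methods.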


User is offline ianonavy 

  • Group: Members
  • Posts: 685
  • Joined: 14-April 10
  • Expertise:HTML,CSS,Java,Javascript,Python

Posted 12 April 2012 - 11:36 AM (#12)

O_o still, the idea that any client could just type

Colors = new Meteor.Collection("colors");
Colors.remove({});


and wipe the whole table from their browser's JS console is a bit frightening.

Once the auth branch is done, I'll be so excited to start playing around with this. :D
reputation += 1 if post.is_helpful else 0
0


User is offline Kyek 

  • Founder of wdR
  • Group: Administrators
  • Posts: 5078
  • Joined: 20-February 10
  • Location: Philadelphia, PA, USA
  • Expertise:HTML,CSS,PHP,Java,Javascript,Node.js,SQL

Posted 13 April 2012 - 07:59 AM (#13)

callumacrae, on 11 April 2012 - 03:38 PM, said:

I haven't used GPL3 so I could be wrong, but since when has that been how GPL works?

Sorry, I missed this one in my reply -- GPL requires that derivative works provide their source code, non-obfuscated. As a result, most software businesses can't use GPL code within their stack (since they'd be giving their product away for free), and instead have to purchase a commercial license. It's a great way to force for-profit orgs to pay for your product, but it's a really risky move because, being open source, nothing stops someone from creating a similar framework (or adapting some of Meteor's features into an existing framework) and releasing it under a permissive license. There's a really good article arguing that it's a near-certainty that this will happen.

ianonavy, on 12 April 2012 - 11:36 AM, said:

O_o still, the idea that any client could just type

Colors = new Meteor.Collection("colors");
Colors.remove({});


and wipe the whole table from their browser's JS console is a bit frightening.

Once the auth branch is done, I'll be so excited to start playing around with this. :D

Kyek, on 12 April 2012 - 08:21 AM, said:

Also worth note is that you don't HAVE to expose your DB to the client with Meteor -- that was just part of their example. You can have model-like functions that enforce permissions instead, right now, without waiting for the auth branch.

:)
0


User is online gibbonweb 

  • 兄ヨハネス
  • Group: Members
  • Posts: 2061
  • Joined: 23-June 10
  • Location: Munich (DE)
  • Expertise:HTML,CSS,PHP,Javascript,Python,SQL,Graphics

Posted 21 May 2012 - 04:42 AM (#14)

Am I the only one besides Renegade who doesn't like that empty body tag? In that respect, Meteor behaves even worse than those good old Flash-based sites everybody likes to hate because of... well, their lack of semantics and accessibility.
And those obvious security flaws 'by design'... wtf?
0


User is offline SapporoGuy 

  • Group: Members
  • Posts: 906
  • Joined: 10-June 11
  • Location: SonyLand

Posted 21 May 2012 - 03:45 PM (#15)

Drool!
Makes me want to stop using php :-(

Ok, so here I am invested in php but from a user download standpoint what do you all think? Let's say I want to make a forum, offer it as BSD or MIT. Do you think if it were feature comparable to say fluxBB would people actually download a nodejs app compared to a php one?
0

