Is Google Gears a Disaster Waiting to Happen?

My blog has moved. You can view this post at the following address: http://www.osherove.com/blog/2007/6/4/is-google-gears-a-disaster-waiting-to-happen.html
Published Monday, June 04, 2007 9:50 AM by RoyOsherove

Comments

Monday, June 04, 2007 10:12 AM by ScottW

# re: Is Google Gears a Disaster Waiting to Happen?

I doubt it. On your first point, it depends on the application. For some applications, this JavaScript level already exists or is appealing. I could even see this being very useful for Silverlight applications, which will call back to the server via Ajax anyway. On the second point, not at all. You should never trust user data, regardless of when, where, or how it was submitted. Whether you sync via a local SQLite db or just allow postbacks, data is data and you need to be careful.
Monday, June 04, 2007 10:29 AM by commenter

# re: Is Google Gears a Disaster Waiting to Happen?

"How secure can your web app really be if all data access is open for anyone with "view source"?" Security Through Obscurity is generally regarded as a bad thing.
Monday, June 04, 2007 10:45 AM by Khuzema

# re: Is Google Gears a Disaster Waiting to Happen?

I think you have Google phobia. You will not use Google Reader, and now you have doubts about Google Gears without developing anything using it.
Monday, June 04, 2007 10:51 AM by RoyOsherove

# re: Is Google Gears a Disaster Waiting to Happen?

Khuzema : Phobia?

I use Gmail as my email solution, Google Desktop as my offline search, I use Google Apps for domains, and I use Feedburner, which was just bought by Google. I also use Picasa (owned by Google), Google Maps, I have Google Earth installed and probably a couple more Google stuff somewhere.

Is asking a question about something you're not sure about a phobia? Or rational thinking?

Monday, June 04, 2007 12:08 PM by Casey

# re: Is Google Gears a Disaster Waiting to Happen?

I suspect that Google is going down the road that MS was doomed to go down... Gears doesn't seem like a great idea to me, for the reasons listed and more. Silverlight, on the other hand, certainly does seem the way to be going. Smart client apps, delivered entirely in your browser, with offline data storage? Can't see any advantage really, just have a real smart client app. Web browsers are hugely limited, cumbersome, and frankly hard work to make them play nice. Why use a web browser if you don't absolutely have to?
Monday, June 04, 2007 12:18 PM by MikeY

# re: Is Google Gears a Disaster Waiting to Happen?

I don't think the data access issue you mentioned is a problem. My hunch is that the developers of Gears intended it (mainly) to be used as a local store for client-side user data, such as preferences/options, local data caches, etc. - not sensitive information (why would you do this in an app where the source code is partially visible??). As for the maintenance issue with JavaScript, I'm not sure I follow how it's different from any other language - it's still code in the end, and there will always be folks (like me) who enjoy working on the JS land.
Monday, June 04, 2007 12:26 PM by Aaron Fischer

# re: Is Google Gears a Disaster Waiting to Happen?

I agree, it's not something that I find very useful. Even though it's from "Google" (and they can do no wrong), I greet Gears with a healthy dose of skepticism. Just as I would if Microsoft or Sun put it out on the market.
Monday, June 04, 2007 12:41 PM by Ali

# re: Is Google Gears a Disaster Waiting to Happen?

@commenter ...and exposing your data access logic for someone to try SQL injection attacks is even more bad.
Monday, June 04, 2007 12:41 PM by OD

# re: Is Google Gears a Disaster Waiting to Happen?

I've been thinking similar thoughts. It's just a matter of time until JavaScript is the end-to-end programming language of choice in some environments. Imagine TDD domain-driven design where the domain model and tests are all JavaScript, the data access layer is a JavaScript ORM against SQLite, SQL Server, etc., and the same ORM runs on the client's browser as well as on the server using Microsoft's new DLR. Some would argue that it brings web development up to the same productivity level that you get with XAML/C# in the WPF/Silverlight world. One language for markup, one language for code. It's not a world I want to see, but you know it's very attractive to many web developers who hate having to context-switch to the back-end set of technologies to make their pretty GUI work do something useful.
Monday, June 04, 2007 12:43 PM by Scott

# re: Is Google Gears a Disaster Waiting to Happen?

A couple of thoughts.

"You'll now have complex application logic and persistence logic in full JavaScript syntax. Feels like we're lookin at a big maintenance nightmare"

I think that depends on the developer and the JavaScript he/she writes. Look at the MS Ajax client libraries. Not a maintenance nightmare. Dojo and Prototype are the same way. JavaScript development techniques continue to improve, and more and more people use the language for more than just form validation.

"How secure can your web app really be if all data access is open for anyone with "view source"?"

If I give you a SQL statement with an empty database, what have I really given you? There is a security overview that might reassure you some. Google Gears uses the "same origin policy" that JavaScript does. http://code.google.com/apis/gears/security.html
Monday, June 04, 2007 12:59 PM by Corey Porter

# re: Is Google Gears a Disaster Waiting to Happen?

What's the problem with having application logic in JavaScript? Is it something about the differences between runtime implementations (which I could buy) or something about the language itself (which I'd be interested in hearing an argument for)? Or something else entirely....
Monday, June 04, 2007 5:53 PM by Arnon Rotem-Gal-Oz

# re: Is Google Gears a Disaster Waiting to Happen?

JavaScript is quite ubiquitous in web browsers, and it is true that maintaining a large application in Notepad doesn't sound nice - but JavaScript IDEs are starting to emerge (see http://www.jetbrains.com/idea/features/javascript_editor.html for instance - these are the ReSharper guys), so I think the future will not be that bad.

Also, as I wrote in my blog (http://www.ddj.com/blog/architectblog/archives/2007/05/more_on_smart_c.html), everybody is moving to blur the lines between desktop and webtop applications, and actually Google is behind Adobe, and even Sun (JavaFX) and Microsoft (Silverlight) were a little faster.

Arnon
Monday, June 04, 2007 11:21 PM by JD on EP

# Local databases, security

Local databases, security: Roy Osherove raises a good question about Google Gears: "How secure can your web app really be if all data access is open for anyone with 'view source'?" (Background: Google Gears was announced last week: a 700K cross-browser

Wednesday, June 06, 2007 9:37 AM by commenter

# re: Is Google Gears a Disaster Waiting to Happen?

My point was that all web applications expose their data access facilities directly or indirectly - and hoping that people won't exploit that through making the interface more obscure is not good enough.
Thursday, June 07, 2007 4:22 AM by sternr

# re: Is Google Gears a Disaster Waiting to Happen?

Not only do I not agree with you, but I think you fail to see the far end of Gears, which is not necessarily web, but RIAs...
Thursday, June 14, 2007 10:31 PM by magixman

# re: Is Google Gears a Disaster Waiting to Happen?

It may be. Not because of writing complex applications in JavaScript. Properly structured JS is as good as anything else. Not because anyone can see your application. Some of the most secure software in the world is open source. The potential risk is with any new "sandbox" where you have to provide a secure way for applications to store their stuff and not be able to grab anyone else's stuff or, worse, stuff on your PC. Can it be done? Sure it can. Will there be holes that are exploited? It is a pretty good bet there will be, and hopefully they will be patched quickly. I would much prefer if Google Gears were open source so that many "eyes" could look at it and make sure it is secure. Having said that, I think we will all look back on this moment as the beginning of the next generation of the web, where really complex applications can enjoy the security and portability of being browser based. I am soooooo excited about this.