Friend or Foe?

This week was VSLive Chicago. Pretty good turnout with lots of late registrations, which is encouraging for the industry.

I had dinner with Rocky Lhotka and Billy Hollis on Sunday night. Billy and I had a workshop on Monday on upgrading VB, Rocky's was on ASP.NET.

As you'd imagine, we talked mostly about developer stuff. And we agreed on almost everything, except for the design basis for putting application-related code into the database. As you probably know, this capability is one of the highly touted features of "Yukon", the next major version of Microsoft SQL Server. In particular, this seems to fly in the face of the loosely-coupled architecture long expoused by Microsoft's Pat Helland (who actually works on the SQL team) who's "Autonomous Computing" (a.k.a. "Emissaries and Fiefdoms") model has been well publicized by Microsoft (including this Webcast).

Clearly, putting code into the database layer implies a high degree of trust. And the loosely-coupled model is all about a high degree of cohesion within an "fiefdom", but a low level of trust between them. This plays well with a service-oriented architecture and Web services, which after all are just passing data around. Remoting, on the other hand, passes objects and reference around and obviously requires a higher degree of trust. In fact, Microsoft added a FilterLevel property to Remoting in version 1.1 to at least partially address this issue.

So, passing data around - which is inherently safe - also means that, in a suspicious world, you have to do data validation at every service interface. As Rocky pointed out, this is a repetitive pain in the butt and is not something that enhances the performance of your application. So, ideally, you'd use Remoting within your application for performance and conveniece, but something like Web services for going outside your "fiefdom". The trick, of course, is to draw those trust boundaries appropriately. And developers moving from a traditional DNA architecture (if there really is such a thing) are used to tighly-coupled designs. Unfortunately, Remoting is likely to be too complex for the average "application" developer (OK, I guess I'm talk about"Mort" here) while Web services are going to rob performance and - realistically - required extra validation code. Clearly, application developers have some difficult choices to make.