Project Page: Kickstarter:

Question from @niwinz in the #C03RZGPG1 channel - @luke have you considered funcool/catacumba as an alternative to pedestal?

niwinz 2016-04-16T16:41:44.000008Z

Here is a link for the context:

glenjamin 2016-04-16T17:12:33.000019Z

Whatever you do for HTML generation, please escape content by default :simple_smile:

luke 2016-04-16T17:12:46.000020Z

@niwinz @surreal.analysis I am not familiar with those, but I’ll definitely check them out - I certainly want to build on the best thing out there.

luke 2016-04-16T17:13:08.000021Z

And it’s likely you’ll be able to swap out the implementation simply by using a different module anyway.

luke 2016-04-16T17:13:58.000022Z

@glenjamin: don’t worry, Arachne apps will be secure by default. I plan to get a professional security audit of the default setup at some point later on when things stabilize.

glenjamin 2016-04-16T17:14:16.000023Z

just wanted to mention that early, major footgun in hiccup :simple_smile:

niwinz 2016-04-16T17:16:01.000024Z

@luke nice, the pluggable backend is nice, but catacumba is pretty high level; it is not a "ring" impl. It is a complete toolkit "a la pedestal" that I think has a simpler approach and better documentation.

luke 2016-04-16T17:17:20.000025Z

I’m going to be replacing the “programmer interface” layer of Pedestal with something easier and more usable, anyway - part of how Arachne abstracts all the facts about an application (routes, migrations, resources, dependency-injected components, etc.) into a central configuration.

luke 2016-04-16T17:17:47.000026Z

I’ll definitely look at Catacumba though - at the very least for inspiration and ideas of how to make a nice UI, whether or not I use it as (one possible) backend.

luke 2016-04-16T17:17:57.000027Z

by UI I mean programmer UI

niwinz 2016-04-16T17:18:15.000028Z

😉 nice

glenjamin 2016-04-16T17:18:46.000029Z

other security things I can think of that I believe are hard to retrofit would be:
if there are any secret strings (e.g. for signed cookies), ensure lein templates etc. generate unique values
if you have models with a merge(new-data) type interface, make it easy to whitelist attrs
if you have models, ideally make it easy to have a 1-many relationship with resources (edit-profile vs admin-user, for example)

sveri 2016-04-16T17:38:33.000035Z

Really a nice approach. Totally appreciate that. If you are looking for inspiration, I put together this template: based on luminus, and there are some things I consider fundamental for developing web stuff, like authorization and authentication, captcha support, email support, complete reloadability during development, and some more. I think if you want to succeed across the Clojure world you will have to deliver that and much more.

sveri 2016-04-16T17:39:22.000037Z

Considering that when RoR was coming out only a few people cared about Ruby, and it surely is not much better today. It could be the same for a Clojure web framework if we can show the advantages of the JVM.

trylobot 2016-04-16T18:26:51.000042Z

Hey @luke, love that you're endeavoring to make web development (aka distributed systems engineering!) easier. I'd love to contribute materially with pull requests whene'er y'all are ready to set it loose.

luke 2016-04-16T21:57:01.000057Z

Thanks! It’s coming along well - expect a public code drop in the next few weeks