Monday, April 18, 2011

Ruby: My Take on Pivotal Labs, Part I

Pivotal Labs is one of my favorite companies. I have a tremendous amount of respect for how they develop software. They put the "extreme" in extreme programming, and more importantly, they get stuff done. However, there are some things that Pivotal Labs tend to do that I disagree with.

I have such high regard for Pivotal Labs that I specifically try to find startups that started at Pivotal Labs when I'm looking for a job. Since these companies often make you do a three hour pair programming session on their code, I've seen the code of multiple companies that started at Pivotal Labs. Hence, although I don't know if Pivotal Labs has an official opinion on these topics, I've seen these things at enough companies that I feel it's worth commenting on.

First of all, many of the companies that I interviewed at didn't use database-level foreign key constraints and database constraints in general. I know that it's trendy in the Rails world to try to enforce your constraints at the application level. (I'll admit that in some cases involving sharding, you can't use foreign key constraints. However, very few Rails applications are built with sharding.) Unfortunately, the application is simply incapable of truly enforcing certain constraints such as uniqueness constraints and foreign key constraints. Only the database can apply these constraints because they interact with ACID and transactions.

Secondly, as far as I can tell, several of the companies I interviewed at are susceptible to mass assignment vulnerabilities because they don't properly lock things down with attr_accessible such that things are not accessible by default. Perhaps this problem is going away in Rails 3, I don't know. However, many of the companies I talked to didn't want me to explain to them why their code was vulnerable.

Thirdly, a lot of projects at Pivotal Labs tend to use view tests. I think that unit testing views is a total waste of time. Apparently, so does Sarah Mei at Pivotal Labs.

Rather than unit testing the model, view, and controller separately, I prefer to rely on Cucumber and Webrat more heavily. I still write some model tests using RSpec, but I never duplicate things that are already tested by Cucumber and Webrat. I explained my approach and my reasoning in another blog post. Unfortunately, not everyone agrees with me, and this is a hot topic right now.

Last of all, I've seen several Pivotal Labs code bases that use Rails 2.3.X, but haven't switched to using the rails_xss plugin. The rails_xss plugin can really help avoid XSS vulnerabilities. It allows you to remove most of the h() calls in your templates since it escapes things by default. I think this behavior is the norm in Rails 3, so this complaint will soon go away for new code bases.

There's an old saying that if two people agree on everything, than only one of them is doing all the thinking. Hence, it should come as no surprise that I disagree with a few things that I've seen in various Pivotal Labs projects. Hopefully no one at Pivotal Labs will think worse of me for pointing those things out.

No comments: