Is JavaScript an impediment to security?

daedalus

#1

It’s a bit intriguing to me that IOHK chose to use Electron to implement Daedalus, does anyone know the motives for this decision?

Aside from the disproportionate amount of resources that Electron-based applications use, I’m a bit worried about using Node for a cryptocurrency wallet, even if it’s just for the front-end: building Daedalus requires downloading 1282 modules from npm (left-pad fiasco anyone?). I wonder then how anybody could perform some trustworthy software audit with such a huge number of indirect dependencies; it seems completely unapproachable… An attacker may only need to compromise one of them to gain access to one’s wallet. This is also concerning because npm is already being targeted by malware authors, and obviously the black hat community has a lot of interest in cryptos.

I am not trying to start a flame war here but: is Haskell that bad for GUIs? I have to confess that I never tried to use Haskell for graphical applications but I know that there are at least GTK bindings. Otherwise good ol’ C++ could do it :slight_smile: or maybe Rust if you wanted something newer and better. But JavaScript? Why?


#2

It’s not bad for GUIs any more than C++ is bad for FP… You could do it by following the principles, but Haskell and its ilk are just so much better tools/suited for FP, as C/C++ are for systems programming or games development. Outside of Minecraft, which has Atari 2600 level graphics/performance so it was doable in Java, most AAA titles are done in C++.

JavaScript buys you, if you believe it, cross-platform compatibility, kinda like Java’s WORA paradigm… Whether that’s true in reality, I’ll let the reader figure it out :slight_smile:. If you hit Cardano’s GitHub repo, you’ll notice also usage of something called PureScript… Which my guess is that it is some FP language that translates to JavaScript, akin to what the big G did with GWT (Java->JS). That’s probably another reason why they grok JavaScript… Could be some of the Haskell dudes felt more comfortable coding parts of Daedalus in PureScript yet wanted that cross-platform effect.

Could you do a GUI in Haskell? Sure, but good luck finding people to contribute and maintain it. The fastest/most solvent approach is to wrap an already tried & true, proven toolkit like Qt, GTK+, wxWidgets, etc. w/Haskell bindings and get going that way.


#3

Some years ago I actually played a little bit with FRP and Elm, and I liked it a lot, but transpiling into JS was never really my thing (for pragmatic reasons). I don’t know though how ugly it is to use a widget toolkit created for a procedural or object-oriented language in a purely functional language like Haskell.

I know PureScript because it’s kinda popular in the FP meetings here where I live, and it seems pretty cool. As far as I know it’s only being used for some interface between cardano-sl and daedalus (it used to be called daedalus-bridge iirc).

Most cryptocurrencies are using some fork of bitcoind and bitcoin-qt (both C++), which have been battle-proven for about a decade now, and the dependency tree is small and well known (boost, zeromq, libevent, etc.).


#4

I have found that Snyk is useful for finding and fixing npm module vulnerabilities:


#5

Cool, I was not aware of Snyk. It seems to be a tool that explores the dependency tree of some project searching for modules that have disclosed vulnerabilities for certain versions of them. It looks useful, but it really doesn’t help you with the issue of trusting more than a thousand different modules where many of them were most likely not envisioned for a mission-critical system like a cryptocurrency.
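The tree walk described in the post above, as an added example that is neither Snyk’s code nor anything from the Daedalus project: it iterates over every module recorded in a package-lock.json (including nested copies), matches each installed version against a list of advisories, and also flags entries that carry no integrity hash. The lockfile, the advisory identifiers and the version ranges are constructed sample data.

```javascript
// Constructed package-lock.json (lockfileVersion 2/3 layout: a flat "packages" map
// keyed by install path, so nested copies appear as node_modules/a/node_modules/b).
const sampleLock = {
  name: 'wallet-ui',
  lockfileVersion: 2,
  packages: {
    '': { name: 'wallet-ui', version: '0.1.0' },
    'node_modules/left-pad': { version: '1.1.3', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/tar': { version: '4.4.1', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/tar/node_modules/minimatch': { version: '3.0.3' }, // no integrity field
    'node_modules/minimatch': { version: '3.0.5', integrity: 'sha512-CONSTRUCTED' },
  },
};

// Constructed advisories: the ids are placeholders, not real CVE or advisory numbers.
const sampleAdvisories = [
  { id: 'ADV-EXAMPLE-1', name: 'tar', range: '>=4.0.0 <4.4.2' },
  { id: 'ADV-EXAMPLE-2', name: 'minimatch', range: '<3.0.5' },
];

// Numeric comparison of two "major.minor.patch" strings (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True if `version` satisfies every space-separated comparator in `range`
// (e.g. ">=4.0.0 <4.4.2"); supports <, <=, >, >=, = and a bare version.
function satisfies(version, range) {
  return range.split(/\s+/).every((tok) => {
    const m = /^(<=|>=|<|>|=?)(\d+\.\d+\.\d+)$/.exec(tok);
    if (!m) throw new Error(`unsupported comparator: ${tok}`);
    const c = compareVersions(version, m[2]);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '': c === 0, '=': c === 0 }[m[1]];
  });
}

// Walk every installed module and report advisory matches plus entries with no integrity hash.
function auditLock(lock, advisories) {
  const findings = [];
  let installed = 0;
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (path === '') continue; // the root project itself
    installed++;
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!pkg.integrity) findings.push({ path, kind: 'no-integrity' });
    for (const adv of advisories) {
      if (adv.name === name && satisfies(pkg.version, adv.range)) {
        findings.push({ path, kind: 'advisory', id: adv.id, version: pkg.version });
      }
    }
  }
  return { installed, findings };
}
```

Running auditLock(sampleLock, sampleAdvisories) on the sample data reports four installed modules and three findings: the vulnerable tar, and the nested minimatch copy both for its version and for its missing integrity hash.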


#6

Having started with Rust last year, I would have really liked some usage of this language within the Cardano project. I also believe that Daedalus could have been a good place for that.

Elm has good ideas, but the project lead seems a little bit too opinionated and undemocratic. The ecosystem also does not really seem to be there.