Michaela Light 0:02
Welcome back to the show everyone. I'm here with the famous Brad Wood of CommandBox lineage. But we're gonna be talking today about programming language speed, because Brad ran a very interesting set of speed tests on a public site, which we're going to look into. And I'm gonna let the cat out of the bag. ColdFusion did really, really well in the speed comparisons to other languages. But we'll go into the details of that later. If you don't know Brad, not only did he create CommandBox and he's like one of the ninjas at Ortus Solutions, but he lives in Kansas on the Kansas City in the Kansas side, not the Missouri side even though he grew up in Missouri, you kind of trade sides. I think
Brad Wood 0:48
I came to college here interstate.
Michaela Light 0:50
Ah, there you go. And he's been programming ColdFusion for 20 years now. So you get the special award for that. I
Brad Wood 1:00
don't know what the it was yours or a plaque that comes with that somebody hands up plaque
Michaela Light 1:05
ColdFusion dedication. So, yeah. And he contributes widely in both the ColdFusion community on his blog in Slack channel, the box chain team channel, the new What's the new channels is has this glorious
Brad Wood 1:24
community? And it's a Discourse forum. Discourse, not Discord. Yeah. Discord is the chat; Discourse is like a forum software actually written in Ruby on Rails, which hurt me a little to, you know, use that, but it's honestly a really great software. Lucee already used it; it has really good spam control. So sometimes you just need something that works.
Michaela Light 1:46
Yeah, why not? Not everything has to be written in ColdFusion. You know, I use Basecamp. And it's written, I think, in Ruby on Rails. Yeah, it
Brad Wood 1:52
is. Since you mentioned it, the address for the community forum is community.ortussolutions.com. In case anyone wants to go have any, any conversations after listening to this,
Michaela Light 2:04
maybe you can add that into the show notes in an appropriate location. So people can find it on the TeraTech site with the episode about the lingo. But today, we're going to be talking about comparing language performance between different programming languages and modern frameworks. And you wrote an excellent blog post about this, which I'll link in the show notes on your that community Ortus Solutions site, in fact. And then you mentioned it in the ColdFusion programmers Facebook group, and I was like, wow, ColdFusion is so speedy. It's impressive, beating out all these other languages, people yap about like Node and, you know, Python, and I can't think what else you had listed, but we'll talk about the details. We've got a beautiful graph on the show notes page. And we may flip into video for those watching on YouTube. But we will talk it through just like people do for baseball games on radio, if you've ever listened to those. So I think the first question I ask is, why should we compare different programming languages' performance?
Brad Wood 3:13
Because people like stuff that's fast. I mean, it is a valuable, you know, data point to take into consideration. Not all languages scale the same, not all languages have the same performance attributes. And you know, every language has some different things they bring to the table, that can make them be, you know, better fit for some projects, or worse fit for other projects. It's interesting, when you see a large wheel website, this changed their language in the past, you know, they convert from one language to another, and sometimes for performance reasons. One of the most, you know, probably famous examples of that was Twitter. Twitter was written originally is in their language, Ruby, as a Ruby on Rails application, you know, and they were able to scaffold out the site really quick and get it out to production. And then they suffered from a lot of performance issues. And Twitter today runs on the JVM. Now, I think it's a mix of maybe Groovy and some native, no, Java, and everything's but it's still all runs on the JVM. And when they did that, they were able to reduce the number of servers they used, they were able to have faster performance times. And so you do see companies where performance matters will actually switch from one language to another, and they'll test and say, you know, which language scales better, which language is faster? And to degrade the light? I think sometimes it's just, you know, bragging rights, as far as you know, be able to say our language is fast. But well, let's brag. Well, yeah, I
Michaela Light 4:45
think we should brag ColdFusion is fast.
Brad Wood 4:48
Yeah, it can definitely be fast. And I think one of the main reasons for that is because it's the JVM language and the JVM is known for scalability. It's known for being able to sustain, you know, hydroflow applications running for days on end, consuming lots of memory. And you know, keeping that going. The threading capabilities of the JVM was one of the best things in my opinion about the JVM outside of just the massive ecosystem that as ColdFusion developers, we get to tap into being, you know, every Java library out there, everything in the JDK. But yeah, I love the performance. I love the threading and the concurrency of the JVM. And JVM languages in general do pretty good on this particular test that we're going to talk about today that I added ColdFusion to. And of course, I think ColdFusion gains a lot of benefit just from picking a JVM language, straight out of the gate.
Michaela Light 5:39
It definitely does. And, you know, while the JVM itself may need a little tuning on occasion to get it, you know, fully working fast on server, once you've tuned it up and set that garbage collection going good, got enough memory allocated to ColdFusion, can run like a cheetah with a well, I won't put a dirty analogy in there, because this podcast is G rated. But yes, family friendly. But I think there's an important point here, it's not just do the individual statements in the language or functions or whatever, run faster, obviously, it's important. It's important that it runs fast in a real world situation where it's accessing databases, and there are multiple users coming in. So what kind of testing were you doing? Brad was just like, write 1000, load lines of CF set x equals one or did you?
Brad Wood 6:30
I was actually testing the comment tag, it's 1000 lines of open comment in comment. Yeah, that's really fast. Yeah, and that's, that's an excellent point. Because it's, I've done a lot of performance testing for clients over the years. And, you know, a lot of times that stuff kind of comes from an executive level, you know, management standpoint, they'll say, we're gonna do performance testing to make sure we can withstand a billion users, or whatever. But the problem is, nobody ever really knows how to do that. Right? You know, like, what, what is production load? What does that look like? How many, you know, users are really going to be active on your site at once? What are they really going to be doing? How many clicks? Are they really clicking per second know how many database queries are those second loading?
Michaela Light 7:12
Well, what what kind of uses do you have, and they phrase the white powder? Well, you know what, click, click, click, click, click. Most of the users I've done load testing for they like, you know, click and then 30 seconds will sit.
Brad Wood 7:24
Yeah, but think about it. When you load Facebook, how many AJAX calls do you think fire after that initial page loads that pull in all the little bits of data, right? Or Gmail, you get an AJAX call, actually, they use WebSockets a lot for some of those now, but you have AJAX calls out the wazoo, but load in all the little bits of the page. And so one user clicking something could actually generate 15 or 20 HTTP requests, technically. But yes, yeah. Is the point. Is that something that I've seen people struggle with, because, you know, it's fairly easy to say, Okay, here's our homepage, right. And we're going to take JMeter, and we're going to, you know, slam it with 500 threads, right? Just hammering it as fast as they can, you know, white powder, right click, click, click, click. And that's, that's not really indicative of production load. And this particular test here doesn't necessarily simulate users, but it does at least try to have some pages that are doing things with databases running some sort of logic, not just outputting Hello world, because you know, there's the overhead, just of what does it take for the application server, you know, to take in the incoming HTTP request, parse out the bits of it, and return back an HTTP response. And there's everything that happens in the middle, which is, whatever your application code is,
Michaela Light 8:45
and a bunch of database calls, possibly some API calls as well. Yeah, exactly.
Brad Wood 8:51
So the tests that I added ColdFusion to are made by a company called TechEmpower. And I've never really heard of TechEmpower outside of this, and they were in for a long time. And these benchmarks are kind of something that I think some of the guys did, once on the side, and they first did it back in like 2012, or something maybe longer ago, I don't know, it's been quite a while. First time ever heard of this website. Luis sent it to me and said, Hey, Brad, we need to get ColdBox added to this, we can see how it performs with the other languages. And at the time, their testing framework was insanely complicated and they ran it out on EC2, he had to have multiple VMs all running and I spent several hours on it. And I actually gave up on it. This was back in like 2011 2012. And I was like, Screw it, like, I'm gonna take me like 1000 hours just to figure out how their testing framework works. And I came back to it about two years ago, maybe three years ago. I don't know it's been a while, and I looked at it again. And they had done several more iterations of this public test because they did this test with a handful of languages and frameworks, everybody said, Well, that's cool, but what about my language or my framework. And so they made it all open source. And people could go just contribute, you know, Node and Go and Python and Rust and Java and Scala, any language they wanted, the community was free to add support for that. And so things really blown up over the years. And they have just like dozens and dozens and dozens of combinations of languages and frameworks and platforms, and ORMs and databases, and all this stuff. And so when I looked at it a few years ago, they revamped the entire thing to all run on top of Docker, and you could basically Yamas hop to Docker.
I know, yeah, you could fire it up with one little Docker command, that would just spin off all of these containers, all of the installation for each language was now containerized. So it was way more encapsulated, it was way easier to just add in a language because this whole Docker image you drop in, they start up a Docker image exposed imports, they hit it with some traffic, they capture the data to shut down the Docker image, move on to the next one. And of course, oh, no,
Michaela Light 11:00
you don't have to run over the load testing infrastructure and timing and graphing and all that all you do is write provide a cut some code for ColdFusion, with Lucee, or whatever.
Brad Wood 11:12
So they created a testing framework where you can send a pull request, you know, to their Git repo to add in the language of your choice, and you provide a JSON file. And what they've done is they've created like 10, lines, 1234567, they've created seven different test specs, which they've kind of fully documented. And it starts out simple, right? They have one, this is plain text, and you have to write a page in your language that outputs you know, some sort of plain piece of text. And that's kind of as simple as that goes. And they have one this JSON serialization. So you have to use the built in JSON, you know, functionality of your language or libraries that put something in JSON, then it starts to get into some more interesting ones, where there's a database they provide, and you can choose MySQL, or Postgres, and there's a single query test where you have to, you know, select one record randomly out of a database, you know, serialize the output to the page. And then there's multiple queries where you select multiple things in the page and output them, there's a data updates, one, which is kind of one of my more favorite ones, because it does a bunch of selects, it does a bunch of updates on the database, all inside of one request, they also have one that you can use a caching library to cache data. And there's one called fortunes, which they have like a, you know, like the fortune cookie fortune, they have a table that, you know, you select out those new, you have to store them, and you have to serialize them and output them. So they're trying to simulate some, you know, quote, unquote, real type of things that a web page would do, but actually include some database includes some, you know, some SQL. And so all the languages that are supported in this test, someone's gone through and written implementations in insert language here for each of those tests, and they have all the specifications.
And sometimes you have to return a specific HTTP header or a specific JSON. And if your test doesn't do that, the framework will fail and say, No, this test isn't working correctly. So that you know, they have some bumper lanes to kind of help there. So I was able to basically add in ColdFusion, as well as well, there's really there's sort of four variations. There's Adobe ColdFusion, right, all by itself. For each of these tests, there's Lucee Server ColdFusion, all by itself for each of these tests, and those share the same code. No, I didn't write different code for Lucee and ColdFusion.
Michaela Light 13:42
Well, then 99% the same, man. I mean, yeah,
Brad Wood 13:45
I mean, potentially, I could have, but there was really nothing that either of the servers offered that would have optimized any of these per se. And I thought it would be nice just to have, you know, an even playing field for there. And then I also created ColdBox versions of VT, which again, is the same code base, but it's
Michaela Light 14:02
ColdBox Brad was listening to us. No idea. ColdBox
Brad Wood 14:06
is an MVC web framework for writing web apps with ColdFusion, and it runs on both Lucee and Adobe. And it's made by Ortus, which is the company I worked for, and it combines a whole bunch of really useful built in stuff, URL, you know, SES routing, caching, logging, dependency injection, and things like that. And then it has a whole collection of libraries on our ForgeBox website that you can add drop in functionality you want bcrypt, we've got that, you want Sentry or LaunchDarkly SDKs. We've got that you want, you know, libraries to do whatever the heck you can imagine. We have all those and they all plug into ColdBox and you can, you know, build up an app you want.
Michaela Light 14:51
So we're so really that's analogous when when people use Ruby on Rails. Rails is the equivalent to ColdBox, it may not have the same features or be as clever as ColdBox. But it's a framework that you're running on top of the Ruby language. And ColdBox is a framework you're running on top of ColdFusion. And just as in the PHP world, people run love love around, or Laravel on top of pi Laravel
Brad Wood 15:15
would be the most equivalent framework in PHP, definitely. But we based a lot of ideas in ColdBox off of Laravel.
Michaela Light 15:23
So when you when you do the testing, you're actually when you get down to the front, you know, the language framework comparison, you're actually going to compare those heavy, you know, I guess heavyweight isn't quite the right term, though, that does sound like a boxing term, right? Heavyweight framework versus the Featherweight framework. Right, and so we're gonna do some fair comparisons of of languages and frameworks, because no one writes raw language code in 2022. Well, some people do. Unions have a but you know, most programmers use some kind of framework.
Brad Wood 15:57
Exactly. So you know, the, at the end of the day, the ColdFusion requests are doing most of the same thing. But in the ColdBox version, the request is being routed through ColdBox and executing, you know, a ColdBox event, and then rendering a view which, you know, controls the output, which, you know, in theory is a bit more indicative of a, you know, a proper ColdFusion application built with a framework. So when
Michaela Light 16:20
I, when you said you put a raw Lucee server or raw, you know, Adobe ColdFusion server, and I assume you're using the latest versions, 5.3 or 2021, for Adobe, that is correct. Now, both of those servers let you do I guess they call it deployment or package management, where you if you're not using the PDF generation module in Adobe ColdFusion, you don't have to load it up in a server where you kind of trimming down those services to their minimal point or were they the one gigabyte install that comes with Adobe, and I forget how big the one is for Lucee, he
Brad Wood 16:57
never snapped one gigabyte with Adobe. It no longer is. Let's hold on. Hold on, hold on. So let me back up. I'm using Docker, which is the sort of lowest common denominator that this tool uses. And the Docker images I'm using are the Ortus Solutions. Sorry, I'm opening up the repo for this while I'm talking is Ortus Solutions CommandBox based Docker images. Okay, so the CommandBox images run the CF engines that Ortus maintains on ForgeBox. And the CF engines for Adobe ColdFusion are based on Adobe's WAR deployment file, which you can download from their website and Adobe's WAR downloads inherently just because that's the way they made them. Don't come with any modules installed.
Michaela Light 17:53
So it's pretty minimal. Maybe 100 megs or something? No,
Brad Wood 17:56
no, it's 300 megs the Adobe 2021 WAR is surrendered mags. Well surround them but yeah, and Lucee's smaller, though the irony is once Lucee unpacks and downloads all the stupid OSGi bundles on the disk, it takes up about 300 megs before it's done. But yeah, so the 2021 engines start with nothing. And I think I only added in any, any Adobe modules that actually need it, but I'm actually trying to think if I even needed any, I'm looking to see Oh, yes, yes, I needed the PostgreSQL module. And I also installed the Feed module, but only because the ColdBox framework has a cffeed tag somewhere in its source code. And the framework literally won't compile unless you have the Feed module installed, which is kind of lame, but it is what it is. So
Michaela Light 18:47
let me ask you a question here from a performance, obviously, until you finish answering I'm sorry. And I'm stacking up the questions. I hope you have threading in your brain you know,
Brad Wood 19:00
maybe I'm double checking to see the Lucee server that I'm starting. So I'm trying to find it I don't think I did any customized versions on it. Hold on. Wait for it. Okay, here we go. Lucee 538. Yeah, so I'm not using Lucee Light. I just used regular Lucee
Michaela Light 19:24
on that. Now. What's Lucee Light?
Brad Wood 19:27
Lucee Light is basically Lucee with this no extensions installed. And some people like to do that if for what you said earlier if you want to only deploy the modules you need and we have both Lucee and Lucee Light on ForgeBox of all versions. So if you were to start a server and CommandBox or with our Docker images, and you use the slug Lucee hyphen light, then your version of Lucee wouldn't have any of the JDBC drivers that wouldn't have PDF support or M support. All those extensions would be missing. And then you could add in the environment variables to install back in the bits you needed. The reason I didn't worry too much about installing or uninstalling those is because the, the individual request times don't really matter as far as what extensions are installed. So Lucee can process serialized JSON request, if that's all it does, and the exact same speed and performance regardless of how many extensions it has installed, they make
Michaela Light 20:29
sure you're answering the question I haven't asked yet. Going into a Monty Python sketch here where you answer here for an occupation three questions ahead of time. I guess from a performance point of view in a real world app the size of that image for Adobe ColdFusion, Lucee matters, if you're orchestrating containers and asked to load up a container and close it down again, then it matters. But if you've got a tiny bit, chugging away, you're saying it really doesn't matter if you load up all the stuff.
Brad Wood 20:59
Yeah, once once it started over than a bit of memory overhead. There's really no difference in performance I've been able to find from whoever knows,
Michaela Light 21:07
a bit of memory overhead. I remember when I was a boy that 300 megs of memory was quite a lot. paper bags when we coded in the street? Reference? Yes.
Brad Wood 21:24
Yes, I've seen that one. Yes, but like luxury,
Michaela Light 21:28
luxury, we, we had to code in machine code using hex numbers,
Brad Wood 21:34
or follow luck. father beat us two hours a day woke up at five worked in the coal mines. People who haven't seen the coal mines, Brad, people who haven't seen the sky, they're gonna wonder what on earth we're talking. I'll put a link into it for that, who were the uneducated swine?
Michaela Light 21:50
Yes, who didn't see Monty Python when they were growing on the reruns.
Brad Wood 21:55
But he made a great you made a quick point earlier, which is the size of the image. And that can make a difference on the speed of deployment. However, Docker caches images locally, and for a lot of people that their image is already going to be three to 500 megs, having to be six to 700 megs probably isn't that big of a difference. I've had clients who favored larger images over having more flexibility at runtime. And they were like, You know what, we don't care. 900 meg image? Sure, why not? As long as we can configure it all crazy at runtime and have all these options, we don't care if it's a few extra 100 megs, it's all inside of our network. So that does exist, image size is a thing. Some people care about it more than others.
Michaela Light 22:42
Excellent. Well, that was that was a pause where all the question requests had been fulfilled, and the sun was just taking a break. So you compared some, you know, modern languages, modern frameworks, using this testing speed, open source framework, TechEmpower. anyone, if anyone listening, you can see all the code Brad work wrote for this the rate, we'll put the repo in the show notes, the link to that. So you can see what these programs were doing. But they seem moderately real world.
Brad Wood 23:19
All right. Well, actually, yeah, we never never even got done with what we're really talking about what you're describing how the testing works. Um, we got in close. So I know some multifaceted conversation, we had gotten close, right? There's an entire framework, it was written in Python, they were talking about changing, I don't know if they have yet. But the framework spins up each of these language combinations as a Docker container, right? And then they they warm it up by hitting it with some request for a few seconds. So all the caches are full, and you know, stuff is compiled, right? It's like a
Michaela Light 23:50
real world web app, right? Real world web apps don't and, you know, wake up cold without having a cup of coffee, they like they've been running for hours, if not days, right? And then.
Brad Wood 24:02
So then they hit it with like, you know, I forget the numbers off the top of my head, but let's say like 25 concurrent requests, and they do them for, you know, 10 seconds, and they hit it with like 50, concurrent, you know, requests for 10 seconds, and then 100. And they eventually worked their way up to like 500. And wow, 12, or some lean like number in the hundreds of concurrent requests, kind of just trying to push it push it incrementally as hard as possible. And they measure the average time that it takes the server to respond to requests, they measure the requests per second throughput, because depending on how slow your server is, the test can be over quickly, or the test could take a while if it all gets queued up and backed up. And then it goes really main things how many? Yeah, how many total requests got put through how many requests per second that was and what the average response time was, overall the request and, and this is on those seven tests that I talked about with various database updates today. Database selects. And so the, the framework that they they built to basically support this stuff is really interesting because it basically runs nonstop. Like, like 24 hours a day, I'm trying to see if I can find it real quick. There we go, we're gonna make sure to get this
Michaela Light 25:20
mic and sing their framework is running in other Docker containers that control the Docker containers, it's testing,
Brad Wood 25:27
I think they have this stuff out on EC2, maybe, but honestly, I'm not entirely sure what hardware powers this, but basically, they have the TechEmpower people they have here. They had the servers that, you know, their company manages that basically runs 24 hours a day. And it takes almost 130 hours to run through all the tests once one that's, that's every language, every combination of database, every framework, you know, all of them together. So 24. And when they
Michaela Light 26:08
completed those testing everything in 100 study as they go back to the beginning and run
Brad Wood 26:13
them Yeah, and then they do it again. So if you send a pull request to add a new language or add a difference, it literally could take five days before you see what that looks like. Because it literally takes a whole week for them to run these dis hundreds of combinations all been spun up and hammered with traffic and spun down Island. And so these just run constantly, right day and night. And there's a dashboard, I'll put this link in the show notes if it's not there. And it shows the nightly run. So right right now I can look. And I can see the current run has been going for 69 hours, and they tested 409 Out of the 740 frameworks that they tested. I said dozens earlier, I should have said hundreds. You know, there's a bunch of them that just like failed straight up, like fell on their face, you know, fortynine towel, just, you know, completely failed me when
Michaela Light 27:05
they ran ramp up the amount of traffic. Some of these languages just die.
Brad Wood 27:10
Yeah, yeah, some of the some of the tests we'll see it we'll see does not complete, it basically means the server just crashed, right? Oh, good. Well, it's up to them to fix, right. And they basically rely on the community to come in, you know, the Node community helps manage the Node test, the Java community helps manage the Java test. And all the versions have to be locked in. So if I want to update this to run against Lucee 539, which I should probably do, I can go submit a pull request, and I can update the Dockerfile,
Michaela Light 27:36
they'll merge. What about Lucee six?
Brad Wood 27:39
Well, I have to release that first. It's in beta has been in beta for a while. So you can view all of these, like nightly runs, once they're done inside of all their visualizations. And then what they do is every year or so they say, Okay, we're gonna have an official round, right? Like, this is going to be the big one, we're gonna run everything. And it's going to be the official, you know, 2022, round or whatever. And they they've done this 21 times so far. So they have had 21 official rounds, even though there's there's nightly builds all the time. And the last one was, oh, actually, have I seen this one? Last one, ran 21 shows it was in last month, on the 19th. Wow, last time I looked at it,
Michaela Light 28:26
the reason they run it run these tests continually is because languages are always having updates or tweaks, or
Brad Wood 28:32
yeah, they have, they have pull requests all day long with people updating versions of this updating versions of that, you know, submitting performance tweaks. And so you can you can look at the you know, the previous kind of complete run, or you can pick a random nightly run and and see what it looks like. And so they collect all this data like oodles and oodles of data, because I mean, there's even more tests, and I realized 740 different frameworks. And the word framework is a little ambiguous there. They use framework to kind of, you know, mean, very specific combinations of Java with this Java library with this database with this, you know, that whole thing is like, one, you know, iteration of the framework for them. And so their website has this really nice kind of visualization tool, where you can go in, you can select the test, like the multiple queries test, right, which is the test that runs multiple queries, and outputs the data. And then they sort these just dozens and dozens of frameworks.
Michaela Light 29:33
Maybe for those watching on video we could British Air A are the result you because although there's lots of frameworks, you can pick out the ones you're interested in comparing Right?
Brad Wood 29:46
Exactly right. So there's a filter panel where you can go in and you can start to narrow down only show me frameworks using Java, or ColdFusion or PHP or Scala because the interesting, but also a little annoying thing about this is that people have like crawled out of the woodwork with little tiny micro frameworks written in like assembly or something that you've never heard of, and that literally nobody has ever built an application with. Just because
Michaela Light 30:16
some of these here we're looking at in this list. Yeah, I'll make the font bigger for those who have eyesight that needs to be aided.
Brad Wood 30:23
Most of Yeah, most of the frameworks on here are like super obscure micro frameworks, which are really interesting. But they're
Michaela Light 30:32
looking at these frameworks here. And you're the one you did I see CFML Lucee, CFML Adobe, ColdBox Lucee, ColdBox Adobe, having great scores, but what are these other ones up here that J. S?
Brad Wood 30:45
I have no clue. Go, go go. Never heard
Michaela Light 30:47
of them. Now further down? No, I've heard of an MT. Ringgo. JS version of that. Where are those?
Brad Wood 30:57
I don't know those? I don't I don't know what you're on. I don't know what page you're I don't know how you go.
Michaela Light 31:01
I just went to your article. I went I went that
Brad Wood 31:06
deep linking works on their site? I don't know if that link still loads, but it's supposed to on there. Well,
Michaela Light 31:11
maybe it doesn't. Maybe it doesn't. But here was the the image you had before. And the big arrows pointing to ColdFusion coming in? Yes. So place after the Go language. And to be fair, go is not a framework, right? It's just a really fast language.
Brad Wood 31:27
Yeah, go there really aren't in there aren't a lot, a lot of frameworks for go because I tried to Google what the most common frameworks were on some of these languages. And the Go language doesn't really seem to have a lot of frameworks, at least not from what I found. But yeah, so what, what I did in the screenshot is Yeah, because a little funky when you go to zoom in, doesn't it? You could probably right click and open image in a new tab, and you'll be able to zoom in on that a little bit easier.
Michaela Light 31:53
Let me try you see that modern technology, grandpa.
Brad Wood 31:57
So what I did with this particular screenshot is I went through the like literally hundreds of random, interesting, super fast, super lightweight micro frameworks. And I picked out some of the actual kind of competitors in the CFML space that people would actually write web apps with, right? So we have Go, we have COVID CFML, we have Node.js, we have Grails; nobody really writes a lot of stuff in pure Groovy. Grails is pretty common. We have some Kotlin stuff. We have Rails, we have Laravel at the bottom, which is a PHP framework, Django, which is Python. And this particular screenshot, if you scroll back up, is I think the there was at the top. Okay, which, which? Which tests that I say this was probably one of the multiple database updates or something, I'm guessing.
Michaela Light 32:54
Yeah, you said it was database stuff, right? It did say that. But you can see the what the bare bones Go, which the makers of Go say don't use the frameworks, we don't want to have slow tests, exaggerating. So I think I don't think that's really a fair comparison. But or maybe it is, I don't know, maybe there's something to learn there. But Lucee CFML really good
Brad Wood 33:21
data updates was the test that screenshot was from an old cast that selects records out of the database, it updates the data and updates the data back into the database, that was this test. So what I found was that ColdFusion in general was a bit slower when it came to the pure, just like, hello world test, right, that had almost no code executing, had no database calls. Some of the other languages, to be honest, had a little bit lower overhead, just in the pure, here's a request, here's the response kind of output. Where ColdFusion really started to shine was when you get into a test that start doing more realistic stuff, like selecting more database records. And of course, ColdFusion is built on a lot of solid technology regarding all the JDBC drivers, the JDBC connection pooling. You know, some of these languages are probably reopening, you know, database connections every time or are not, you know, pooling as efficiently. So the more work, database specifically, that ColdFusion did, the better that it performed in comparison. And so I mentioned that in the blog post. Sure, you can say, well, ColdFusion doesn't look quite as fast if you go with one of the Hello World tests, and you'd be correct. But also nobody writes a website that says hello world. So realistically,
Michaela Light 34:41
if I was writing just a Hello World website, I think I would not have a language or a framework in the way it will be a pure HTML server and Cloudflare on the front end to serve up the images in HTML and CSS. Marino.
Brad Wood 34:56
Exactly. So I mean, ColdFusion has a bit more overhead, there's more stuff going on with each request. But ColdFusion is also made out of the box to be incredibly helpful at writing web applications, a lot of things ColdFusion does the other languages don't do. But it makes it easier and faster and more enjoyable to program in ColdFusion. So there's these kind of cleared
Michaela Light 35:19
up where we'll talk about other selection factors. People pick a programming language later. But I do want to say as well, hats off to Lucee for its bit, it's about I can't quite do the math here. But I think it's about 18% faster than Adobe ColdFusion in real world tests,
Brad Wood 35:38
yeah. And that's pretty consistent. Lucee's usually a bit faster than Adobe. And let me also add in a quick little caveat, I wasn't rooting for either language here, right? I did a ton of performance tuning when I submitted these languages. And I individually performance tuned Lucee and Adobe. I have, you know, trusted caches enabled, every single type of caching is enabled, everything's precompiled, I've tweaked the maximum number of requests that can be processed, I tweaked the CommandBox settings on the, you know, the queues to allow Well, that was right.
Michaela Light 36:12
That's a fair real world comparison. Because on a real world enterprise production server, people usually do tune the ColdFusion server in the JVM, and they have enough memory there. And they don't do stupid things like one gig of memory, or
Brad Wood 36:29
the main reason I want to say that is because I don't want somebody to think oh, well, that's only because Adobe has some default settings that, you know, if you would have tweaked it would have been faster. Trust me, I spent, I mean, anyone's welcome to try to make it faster. I'm totally cool with that. But I spent hours individually testing each of them, and looking for any bottlenecks I can find and eliminating them. In fact, my tests produced a handful of tickets for both Adobe and Lucee of performance bugs that I found, right? Because it turns out when you're hammering a server with thousands of requests a second, guess what both Lucee and Adobe did even with trusted cache? Every single bloody request they say, hey, is there an Application.cfc on the hard drive? Oh, there is, great. Right. Next request, hey, is there still an Application.cfc on the hard drive? Every freaking request: file exists, file exists, file exists. Right? Even the trustee you turn that off? No, you can now trust it can control it. It would have
Michaela Light 37:25
turned that off.
Brad Wood 37:26
Never Existed. And Lucee checks for both Application.cfc and Application.cfm. It doesn't find the first one. But okay,
Michaela Light 37:33
let me meet with trusted caches, regular .cfm files, with regular CFCs, it doesn't look on the disk, right? It's compiled it to Java bytecode. And if it exists in memory, it runs it. There's no going to the disk and recompiling bullshit going on. Yes. Now the whole point of trusted cache, right?
Brad Wood 37:57
Yes. So here's the good thing. I put in a ticket. I yelled at Micha, he fixed it in the next version of Lucee. So guess what, Lucee doesn't do that anymore. And his reasoning made sense. He said, well, trusted cache is only a compilation concern. So it's only when we go to compile a file that we can skip the check. But the Application.cfc check is just another completely random thing that ColdFusion also doesn't ever request. And in his mind, it was completely separate from any kind of trusted cache feature, right? But I was like, well, that's nice and all but I don't care, you need to stop checking for the stupid thing, right? Because it turns out, you know, file system checks can turn into huge bottlenecks that add incredible loads. So anyway, I surfaced all sorts of little dinky things. I found that Adobe ColdFusion has a servlet path cache that's built in. But it's disabled by default on WAR installations, which is really dumb. So I yelled at them on their ticket tracker, right, was like, why are you doing this? I also went and built my own servlet path caching in CommandBox because of that. So it could work on both engines. But I tuned them as much as I could, I would, you know, hit them with load, I would find the bottlenecks. I would try to make it as fast as possible. So the graph you're showing, that is something that's as tuned as I can possibly, you know, get it. I wanted to make that clear. So loosely tests b2b
Michaela Light 39:15
fair to the other languages. I'm sure all the people who submitted language and framework things for Go and Grails and Ruby on Rails did the exact same thing, they tuned. Absolutely, absolutely. Yeah. You know, there's Wait, nobody's talking about, you know, old Ford Cortinas racing each other. Yeah, these are Formula One race cars.
Brad Wood 39:35
Yeah, I, I guarantee you,
Michaela Light 39:38
a large enterprise system would be
Brad Wood 39:41
agreed totally. Yeah, I can tell you for certain all the other languages on this website had been meticulously tuned by the people who care about those languages to make sure they're the best possible representation. Right. So I made sure I did that with ColdFusion. And so as a general rule, just to finish up the original thought, Lucee was a little faster than Adobe ColdFusion in general. And as kind of an obvious thing, raw Lucee or ColdFusion was always a little bit faster than ColdBox. ColdBox is going to add some nominal amount of overhead. Now I think it's a very small amount of overhead and ColdBox is still very fast and still performs very well. I would love to see people add some other languages like CFWheels or Framework One just to see how they compare to ColdBox. I don't think they would be, you know, any better than that.
Michaela Light 40:31
Let me just go back to that image. That was great. If anyone listening is a CFWheels or Framework One fan, please help Brad out, help the CF community out. It's not a lot of work. Brad's done the heavy lifting here. He's made the changes. Yeah, you just need to switch out the framework.
Brad Wood 40:51
Exactly, you can go to the GitHub repository, and you can see all the ColdFusion code that I wrote that runs, you can see my Docker files, which are very simple. You can see my CFConfig JSON files, all pretty straightforward, right? And you can easily make your own, you know, folder that's a CFWheels version or Framework One version or insert your, you know, favorite framework here version. Well,
Michaela Light 41:13
homegrown is another favorite. But we want to test that. Fusebox will be the other big one, kind of in the grave.
Brad Wood 41:23
Yeah, it's not that hard once you can get the feel for it. And you can run these tests locally, and you don't have to run the whole crazy suite. Right? It doesn't take me a full week to test this at home, because they have a command line where I can say run this test. And it takes like 30 seconds, right? All right, you know, so
Michaela Light 41:39
I reshared the graph, because I want to make an important point, which is here you can see here's the raw Lucee code running, and it says 54% of I guess this 100% up here,
Brad Wood 41:51
it's kind of like a sliding scale 100% It's just the fastest language out of that
Michaela Light 41:56
group. It's an arbitrary number. But it shows relative speeds. But ColdBox Lucee is not that shabby. It's running about 18% slower. 40 44% we round that. So the point I'm trying to make here, Brad, is that some people accused ColdBox of being heavy, bloated. And it doesn't add a lot of overhead, you know?
Brad Wood 42:20
Yeah, I mean, the per request. Overhead out of it. Yeah, is still very low on the framework. There's nothing heavy about the performance of
Michaela Light 42:28
now, if you want to talk about some really flabby heavy frameworks just go down to Django. I don't want to insult Django, but maybe a little less of the ice cream and white bread in the diet game.
Brad Wood 42:40
I was surprised how bad Django was, um, but yeah, I mean, so.
Michaela Light 42:46
And from a programming point of view and a usability point of view. It's a great framework, it lets you do lots of cool stuff. Easy to use, you know, popular. Yeah, I mean, so maybe a little flabby,
Brad Wood 42:58
you can write a ColdBox application, right, which is an MVC framework, in Lucee or Adobe. And in this particular test, which involves a page with database selects and updates, it's faster than Node.js, which another is not a framework. And it's, I just
Michaela Light 43:14
want to for the people who don't have video, I just want to tell them ColdBox Lucee is more than four times faster than Django in a real world test. Yeah, and Laravel is twice as fast. And for Rails, it's nearly twice as fast. I mean, it's not just a few whatever clicks faster, it's,
Brad Wood 43:33
yeah, in several days, Go versions are kind of right here in the mix with ColdFusion. And the reason that Go shows up multiple times is because these are different minor variations, Go with nginx, Go with Apache, Go with MySQL, Go with PostgreSQL. I tried to filter it as possible to just get one version, but they had so many variations to Go. That's why they show up several times. I mean, the Go versions are kind of intermingled here with the ColdFusion versions. So you could reasonably say depending on what combination of deployment you're doing with Go, you could write something in Lucee that's roughly as fast as something, you know, written in Go for this particular test. There's a lot of
Michaela Light 44:15
snow but Node.js is slower than either Adobe ColdFusion. Yeah,
Brad Wood 44:20
from what I've seen Node seems to suffer a lot when you get into database heavy applications, just from what I've kind of empirically gathered, looking through all these tests over the years I've messed with it, is once you get into doing a bunch of database stuff, ColdFusion, and I think it's really because of the whole JDBC, the whole pooling layer, it really seems to start to shine and some of these other languages really slow down. And that's always
Michaela Light 44:43
that's always been true in my experience of ColdFusion. I don't know how many versions back we go, but at least in the 4.5 days, it was good at scaling. I don't know if you were around then, but we ran a conference called CF scale in 2001. I think it was and cuz that was kind of
Brad Wood 45:01
right before I got into ColdFusion. Okay, I used ColdFusion 4.5 right around 2001, 2002. But I was a college kid still in my college dorm and I didn't know anything about conferences or anything at that point,
Michaela Light 45:16
right? Well, the point I want to make is in real world applications ColdFusion scales really well. It's reliable, it can run for days, you know,
Brad Wood 45:27
yeah, the more real world these tests get, in my opinion, the better the ColdFusion variations, whether it's ColdBox or not, performed. And I mean, when you just look at the raw data, and you see like 100 tiny micro frameworks that all perform better than ColdFusion, that might seem a little disheartening. But if you start filtering down to actual real legitimate contenders that people would actually pick up to write a web app in, you start to say, wow, like for realistic tests, ColdFusion is really beating a lot of things and badly. I mean, Django, like we said, it's surprising how it's like four times slower than a ColdBox application. And I mean, that's huge. How many, how many CEOs out there that think it's a super safe bet to write something? Wow, Django,
Michaela Light 46:12
you know, I mean, that's kind of segues us into how the people pick their programming language. Because whether you like it or not, people don't always use hard data, when they're picking a programming language sometimes. Is it fashionable? Did the CEOs wife at a cocktail party or husband to be on upset assists? You know, did they hear that Django is hot and you should be using it? You know, and unfortunately,
Brad Wood 46:38
they probably saw an ad in one of the little CIO magazines they put through
Michaela Light 46:42
Oh, could be now I am curious. I didn't see any Java frameworks there are doing Java frameworks not exist separate.
Brad Wood 46:52
I think the no, there's several Java frameworks. I think the fact that I Okay, so I included Kotlin, which is a JVM language. I included Grails which is a framework for groovy, which is also a JVM language. Okay. I think it may have been a just an omission that I didn't include Java, though. I, I'm trying to remember if there were any
Michaela Light 47:17
people listening are curious can just go to that site, they can do their own filtering and pull in whatever framework and language, though, the snow day company is considering comparing ColdFusion.
Brad Wood 47:28
I did add a comment on the article, somebody asked about Java Spring Boot. And I had totally forgotten about that, I would have included it had I thought about it. Yeah, you're right, these links, old links are not pulling up. Oh, darn, their deep linking, that doesn't work.
Michaela Light 47:45
Brad Wood 47:52
there. That wasn't quite dominant thought and then we're gonna write Java Spring Boot, since I mentioned it, um, yes, showed up right around the same as where raw Lucee CFML was. Okay. So that was where the comparison was. If I recall, Java is a, I don't think there were really a lot of instances where people did this in raw, just pure Java, because Java is a low enough level language, nobody would write a web app just in Java. But that doesn't really make sense. Most people doing Java are using something like Spring Boot, or some sort of framework that at least puts them on par with the kind of functionality ColdFusion offers out of the box, because Java itself has zero mechanisms for dealing with incoming HTTP requests and responses, which is why you don't really see Java in the list, because anybody touching Java is doing it through a JVM language or a framework like Spring Boot. Okay, well, so that's kind of the overall answer to why isn't Java in the list by itself?
Michaela Light 48:54
Okay, well, tell me when you get your response code 200 Fear answers, so I know to send you another request
Brad Wood 48:59
elf Enta fie.
Michaela Light 49:04
Two elephants in the room one, we've discussed the Java elephant, which you definitely compare what about.net? A lot of people used it on that. I think they're misguided, you know, but, you know, good luck to them. I think they're misguided because it takes so much more time to write the equivalent dotnet app. And it's real headache. You know, it's more lines of code, more third party libraries to do the same stuff you do in ColdFusion. But I'm curious, does it perform?
Brad Wood 49:32
Well, no, I don't know. Um, dotnet doesn't show up as a language on this. It shows up as a platform. And my understanding of dotnet is dotnet is more of a framework. And you do like, you know, C sharp dotnet or Visual Basic dotnet and
Michaela Light 49:50
Brad Wood 49:52
I'm not really that familiar with what people are doing with dotnet.
Michaela Light 49:57
And what I'm doing the same kind of app development people doing cold fusion taking longer.
Brad Wood 50:05
I don't I don't I'm not familiar with the names of the frameworks that are common, like, at least with like Ruby, or Java, or you know, a lot of those languages, I recognize, like the most common frameworks and stuff. I didn't include any of the dotnet stuff, just because honestly, I wasn't sure which ones really represented an accurate kind of representation of what's common out there with dotnet. But like you said a minute ago, you know, you can go to the site, click on the little filters, what's it called? It's called Show filters panel is a purple button. And you can filter in these. Yeah, you can click it unclick these links until your heart's content, and you can try to add in some of the dotnet things you want to see. I just I don't think looking at it, I wasn't really sure which ones were representative of dotnet. So I just didn't include them. But
Michaela Light 50:59
why couldn't elucidate us.
Brad Wood 51:04
All my curious Yeah, I
Michaela Light 51:08
yeah, I'm curious too. And I'm, I'm scanning that font of programming wisdom Quora. And interestingly enough, all these dotnet experts who are answering this question, you know, what's the best C sharp framework don't seem to have an answer. I have a lot to say how dotnet dotnet, and C sharp is wonderful. I just added
Brad Wood 51:36
like C sharp to the list. And, like 1000 new rows just showed up? Oh, my God, really? One, maybe not that many. But there's like a ton of options in here. Now that that all activated? And I would have to go through and figure out which of these are really I'm gonna gonna guess
Michaela Light 51:58
maybe one of our listeners, you know, has a, you know, they have a Dr. Jekyll and Mr. Hyde type personality where, you know, Dr. Jekyll programs in ColdFusion and Mr. Hyde does .NET in the evenings. Or vice versa. You know, let's not be too mean to our .NET listeners
Brad Wood 52:16
versus vice. No, I'm actually really curious. We're the dotnet stuff falls in there. Like I said, I think I started to look at it and thought, Geez, I don't know what any of these are not as familiar with it. And so I just didn't include them.
Michaela Light 52:28
We can crowdsource an answer to that. What's a good dot c sharp or visual? Basic? Whatever they call it, it's not Visual Basic, sharp.
Brad Wood 52:37
They haven't written VB, VB dotnet, right.
Michaela Light 52:39
VB dotnet. That's right. I actually tried to program in that a long time ago, we used to do visual basic programming before ColdFusion even existed. Yeah, I didn't, I think I'm allergic to dotnet if not allergic to the whole of Bill Gates land. But there you go. You know, some companies embrace Microsoft, and everything that is made by the Microsoft gods is blessed and golden.
Brad Wood 53:09
Nobody's ever been fired for buying Microsoft. You know what this
Michaela Light 53:13
is right? Buy IBM hardware, buy Microsoft software, buy Oracle software. Never a career ending move, though it might be a technical disaster. Possibly. So let's see the other thing. Let's just talk a little bit about, you know, performance is an important thing. And it's great that ColdFusion does good on it. And like you said, a lot of developers do whatever, compare the size, the speed of their language, get excited about it. But if you're a CIO picking a language, sensible criteria might include, is there, I think this is the number one reason for bringing language, not the language itself, shock horror, it's do you have a modern eat development ecosystem surrounding the language? Do you have a great IDE? Do you have great tools like all those ColdBox and CommandBox and WireBox? And I've lost count of how many boxes there are. And
Brad Wood 54:11
Michaela Light 54:13
Brad Wood 54:44
Michaela Light 54:46
Brad Wood 55:37
I mean, I think that's a huge one. And I think that gets overlooked a lot. Yeah, you know, it's one thing to say, you know, my language can, you know, process eleventy billion requests per second, it's another thing to say, you know, how quickly can you build that login screen your boss needs from you, without getting hung up on compiling and strict typing and, you know, pedantry language. And I think ColdFusion does a great job of getting out of the way there, which is definitely worth pointing out.
Michaela Light 56:08
and ease of learning. You know, my experience, you take someone who's good at programming in several other languages, explain to them ColdFusion, within a week or two, they're productive in ColdFusion. You try to do that with Java, you're talking about six months of heavy learning curve lifting.
Brad Wood 56:27
Yeah, it's a, it's definitely fair to note, one of the things that a lot of people I do think take into account is the community, how active it is. Both as far as the support community, and just you know, how active the, you know, the package repositories are or you know, our libraries being updated and being written. Yeah. And sometimes that can be a little bit more difficult for ColdFusion, since it's a smaller community, but there is a lot of stuff going oh,
Michaela Light 56:56
is it I wonder how much is smaller community and how much of it is, like, to put it in particle physics terms, dark matter, as long as they're not seeing they're hiding off in Slack? And you can't google into Slack. See people frantically discussing ColdFusion whereas .NET, they're all offense, you know, Stack Exchange.
Brad Wood 57:17
It's both, I mean, the community is smaller. And then on top of that, there's a large portion of the community that that doesn't interact online, and doesn't doesn't contribute to open source. I mean, I would do
Michaela Light 57:31
I would your ColdFusion community needs you, to paraphrase term, to be a little bit more public, you know, and to post on social media about the cool stuff you're doing or post on the Ortus community site, which is Google searchable. I want to give you hats off for that. It's not like the Slack where people can't, you know, see what you've typed and all goes away after two or three months anyway, which is kind of ridiculous, but
Brad Wood 57:56
the worst part of it,
Michaela Light 58:00
and then also manufacturer support, you know, Adobe is not going to go away. They've got a commitment to ColdFusion for about 10 years for the next two versions plus, you know, rate us regular, what do they call it, long term, long term support, and I don't think the Lucee Association in Switzerland is going away. I don't think Switzerland the country is going away. So
Brad Wood 58:23
So here's an interesting quick little side by side. I would guess, right now, I don't really have any good data to back this up. But I would guess the Kotlin development community is probably roughly a similar size to the ColdFusion community. I know they've been growing a lot. So they may be bigger now. But it's a relatively newer language. It's a JVM based language. It's being pushed by the JetBrains guys. And their most popular framework is Ktor, I don't know how you're supposed to pronounce it. In fact, I think that's one of the ones I included on there. If you look at their job, I pronounced that casa. Okay. If you look at their GitHub repo, they have 10,000 plus stars on the repo. They have 150 forks, and 178 people watching it. If we look at ColdBox, which has been around since 2006, ColdBox, you know, has farted more than Ktor has lived, right. And it's the most popular ColdFusion framework according to your state of the union survey. 250 stars compared to 10,000 plus, 168 forks compared to 150 forks, and 33 people watching it compared to 178. So the other language, you know, communities, even though they may be even the ones that are similar size, have far more people who are really active out there doing open source, contributing, being a part of the community. And that's one of the things Sean Corfield used to talk about all the time, and he wasn't wrong, is even the people that were in the ColdFusion community, it's already smaller. But even within that smaller group, you have a much smaller subset of people really being active and doing things. And just looking at kind of some basic metrics of who goes and stars repos, you have just
Michaela Light 1:00:19
what does it mean to star a repo, if anyone listening wants to star ColdBox? What would so
Brad Wood 1:00:24
if you go to GitHub, and you search for the ColdBox platform, right, which coldbox-platform is the name of the repo. When you load up the, I'll just share my screen real quick for any of the YouTube viewers. So here's the ColdBox repo, I'm just on the homepage, right here, and there's a star button right here in the upper right hand corner, you click on that, it's kind of the same as like, you know, thumbs up on a video on YouTube, or, you know, following a content creator. And you can also watch it, that sends you emails that, hey, someone's opened a pull request. And of course, if you've made pull requests back to the framework, you'll probably have a fork of it as well. And the stars just kind of help. They help ColdFusion look alive and interested in GitHub. A lot of, you know, people use metrics such as, you know, how many thousand people have starred repos in, you know, this given language to kind of judge a barometer of how active that language is. And you know, here, when we look at this, this Kotlin framework, we can see, you know, it's 10,000 stars compared to 250. That's a ridiculous amount, you know, and the forks, I'm guessing that the 150 forks is probably a direct reflection of how many pull requests this framework probably gets, right? I mean, if I go to a pull request, and how do I just get a count of how many pull requests total, 515 closed pull requests for the specific repository for ColdBox? Right? If we go in and we say, how many pull requests has this Kotlin framework?
Michaela Light 1:02:02
Is there a difference between a pull request and a fork in what you're saying?
Brad Wood 1:02:07
a pull request uses a fork. So if you wanted to submit a bug fix to ColdBox, you would, first I have an entire talk about this that I've given at cf.Objective(), and I believe, Summit, wow, I don't even give it a DevNexus, actually, this, here's the big Java conference. Oh, we're changing tabs like crazy here. Um, so you take the repository that you don't own, which would be like ColdBox, you create a fork of it, which is like a copy of it that you own, you make your change inside of that fork, right, usually on a branch, then you create a pull request, which is your repository asking the upstream ColdBox repository to please pull in this code change I've made, and then the owner of the upstream repository, which would be like Luis, looks at it and says, oh, I really liked that, I'll go ahead and I'll pull that change from your fork over to the main repository. And that's how code sharing works in Git.
Michaela Light 1:03:02
So it doesn't doesn't mean there are 700 versions of that framework. It's having 100 People have made different versions, and some, most of them probably got merged back.
Brad Wood 1:03:13
We're making assumptions. It's possible. There's some people out there that said, you know what this framework needs, I'm going to create my own version of it, that's just for me, that goes a different direction. It's possible, there's probably a couple people have done it. Chances are, the vast majority of these forks were created for the express purpose of creating a pull request. And you can see this particular kind of random Kotlin framework has 1661 closed pull requests, which honestly isn't as many as I expected it to be, that's only three times more than ColdBox. But again, this is a framework that has only existed for a couple of years, maybe three years, three or four years, right?
Michaela Light 1:03:49
I mean, I have to say, I think there needs to be an initiative in the ColdFusion world to encourage more open source participation.
Brad Wood 1:03:57
Well, we have done initiatives, one of the initiatives I did a couple of times years ago was create your first pull request, it wasn't my idea, I stole it from somebody else. But I went through and I created a bunch of basic, easy tickets for ColdBox, and then CommandBox. And it was simple things like we need to update the link in this README file, right? Or we need to add a comment or, you know, really basic stuff. And then I put them out there. And I said, these are only for people who have never done a pull request before. I wrote an entire blog post guide on how to manage JIRA tickets. I wrote a guide on how to create a pull request. And then I advertised them for people to come and create their own pull request. And I mean, I got several people that did it. And that was quite a few years ago when I did that. I did it a few times. The only thing that I wish I could get more people to contribute to it, but I can guarantee you 99 We can do that I'm sure well 99.9 1% of the ColdFusion developers probably never even knew that I did it, right? Even though it was on Twitter, it was on Facebook, it was on every social media channel that existed at that. codice. I'm sure I blogged it. Was
Michaela Light 1:05:13
it on your blog? Probably. But maybe we'll link the blog in if we can find it into the
Brad Wood 1:05:19
I mean, this is what frustrates me, I'm not trying to bring the hammer down on particular people in general. But I mean, there was a question on the ColdFusion programmers group this morning, right? And somebody's asking about how do people go about migrating SQL databases? Right. Um, and when I commented on it, there was a handful of people who had already replied, and nobody said anything about CommandBox migrations, a module which has been around literally for years, follows the industry standard of database versioning, of migration scripts, up and down, fully featured, based on I didn't really know about that, Brad. Yes. See? How you dark matter. Matter. It's, uh,
Michaela Light 1:06:13
my name may be light, but I am dark matter.
Brad Wood 1:06:15
They're not the versions. This has been. I think
Michaela Light 1:06:19
to be fair to some people, you know, Ortus, Foundeo, Integral, Adobe, Lucee, all the other ones. I'm not thinking to name the so many new things coming out in ColdFusion land, it's hard to keep up with everything. I suggest people that go to an event happening in Houston, Texas, called Into the Box or event happening in Las Vegas called CF Summit, because you're gonna learn so much, well, half the battle here. But that put that example you gave the guy didn't even know the solution existed, if he'd known me was in had existed, he or she might have checked it out.
Brad Wood 1:06:54
And none of the people commenting on the post knew either. It's like, it's like it did exist. Right. So the CommandBox migrations module, which is a command line, pure command line based database versioning tool has been around since 2017. It's been around five years, right? And the service layer that it uses to power itself, which is called CF migrations has been around just as long. Well, you know, tools like enterprise class database migration command line tools the ColdFusion community has had access to for five years, hey, when people say how on earth do I manage my database migrations? You know, nobody's heard of it. And you're like, oh, how else do we talk about it? We've talked about our conferences, we talked about on our blogs, we talked about the podcast. And it's always the you know, the trick of CFCasts? Yeah, I'm sure it's shown in CFCasts. I mean, we use this for our own projects, we use it for ContentBox CMS, we use it internally. But there's so much I don't know,
Michaela Light 1:07:57
right now in this moment, but I know there is a solution to that issue. And it's something important for the community because and this is true of all programming languages. It's like an exponential growth of tools and techniques and methods, things you could do and if you don't even know it exists, you know, it's what we're there's that quote, you know, it's the things you don't know that you don't know that I'm going to catch you in the but the the unknown unknowns, the aren't thank you the unknown unknowns, I won't mention that Secretary of Defense who said that because he was a bit of an idiot in other regards, but in that one regard, he was very clever, actually very clever guy and did a lot of clever things. But he did put the United States into a war that maybe in retrospect wasn't such a smart move. I won't go any deeper into that rabbit hole, because it probably might upset people listening or not. Let's wrap up this session. I put a few other reasons people might pick ColdFusion or other languages, app reliability, scalability, security.
Brad Wood 1:09:04
You know, I'm glad I'm glad you said security because I'd like just to briefly talk about it. One of the one of the big issues ColdFusion has is an image issue in the greater programming world, right? I mean, imagine it's hard enough for me to get people that are already ColdFusion programmers to know they have tools available, like CommandBox migrations, imagine how hard it is for people who don't even program in ColdFusion that have you know, any clue what's going on in our community. One of the big things I see people say on Twitter all the time about ColdFusion is oh my goodness, it's so insecure, who would use that right? just full of insecurities. And that's something I blogged about several times because if you go to a website like CVE Details that tracks all the CVEs, guys, yes, yeah,
Michaela Light 1:09:50
I wrote a blog post about it. We extracted the data guess which language is the most secure?
Brad Wood 1:09:56
Probably close to ColdFusion.
Michaela Light 1:10:59
It was ColdFusion, ColdFusion was the most secure. I think maybe it was one of the language that was more secure, but depends on Nan's PHP. They're all down the bottom they have.
Brad Wood 1:10:10
PHP and Java are by far the worst. They have, like 50 CVEs a year that come out? Um, yeah, I've done a three part series blog posts are all updated every few years on this, and I'll graph out how many security exploits come out for ColdFusion every month every year, compared some, you know, well, there are some but it's not nearly a month.
Michaela Light 1:10:34
No, maybe once every year or two. Yeah, it's like, zero day that we had one zero day in the last three years. I want to say, well, and
Brad Wood 1:10:45
that's another thing Adobe's PSIRT team really loves to take the they love to take really like minor things and make them like 10 point 10 out of 10 critical and you're like what, come on people there's actually a CVE
Michaela Light 1:10:59
well, they have a secure a ColdFusion security czar working at Adobe, her job is just to like highlight security. Yeah, but and also they haven't choose
Brad Wood 1:11:09
how PSIRT tags, categorizes their exploits, though. PSIRT goes off and does their own thing. And nobody in the ColdFusion team has a darn thing to say about it. And they've marked stuff that literally did not even have an exploitable vector as a 10.0 critical and they mis-tagged it as remote code execute. Okay, well, in reality was an XSS.
Michaela Light 1:11:29
The next time I get to talk to the security folks at Adobe, I will encourage them to be a bit more calm.
Brad Wood 1:11:35
They're not at CF Summit, so you'll probably never get to talk to him. I've emailed over
Michaela Light 1:11:39
there in Bangalore Roo. If you go to see if so many brands in Bangalore team. No, no. I've met the security. So the security
Brad Wood 1:11:50
czar doesn't categorize exploits for ColdFusion, the PSIRT. Now I understand. I know I know. You've had some terrible miscommunications that have really pissed me off because they they've shot themselves in the foot so many times by miscategorizing exploits misunderstanding what the exploit was making the severity felt worse than it needed to be. Alright,
Michaela Light 1:12:13
let's see if we can convince them to be a bit more calm. It's like their Star Trek. And every incident, you know, is a red alert instead of the yellow alert or
Brad Wood 1:12:21
I'm sharing my screen again real quick. Who's had more phones? I've had about three blog posts on this and I think you've done something similar. Is that okay
Michaela Light 1:12:30
for children to hear phones? Sure, normally.
Brad Wood 1:12:35
So this, this is a graph of exploits now come out per year, for each of these technologies. If you look at the raw counts. PHP 460 a year that's like one a day, right? Yeah, Java 639 exploits, Ruby on Rails 73, .NET 98, just Tomcat, which is even a language, 101. And then CF. Oh, I said per year, these, these are not per year. These are totals. Apologies. Same same. Yeah. ColdFusion, since 2006, 74, right, and then average per year, ColdFusion, average seven per year, whereas PHP and Java average 40 to 50. So it's like one a week.
Michaela Light 1:13:14
Amazing. Oh, zero day exploits, some of them, you know,
Brad Wood 1:13:18
very few ways. zero day exploits very few. But when someone says to me,
Michaela Light 1:13:23
and the why that's us why that's important. Because if you apply hot fixes regularly, you won't get any of those exploits. Well, and
Brad Wood 1:13:31
most of the zero days in ColdFusion, didn't matter if your server had followed the lockdown guide, almost all ColdFusion zero days have all been public, public ColdFusion Administrator that had some sort of, you know, XSS or RCE, right. And if you had locked down your administrator in the first place, you wouldn't have even been vulnerable. But when people say to me, how could you use ColdFusion? It's so insecure. And they probably use something like PHP or Tomcat or .NET. I just kind of laugh at them. I'm like, other than like, the bad press, please. Like who were you actually getting, you know, some database argument about ColdFusion actually not being insecure. But, you know, when when ColdFusion was so when PHP has a vulnerability, or WordPress has a vulnerability, like 100,000 random WordPress sites get hacked, and nobody cares. Right? When ColdFusion has a vulnerability, guess who gets hacked, like government places, banking places, you know, financial institutions, enterprise places using these technologies. And so you see more high profile articles, it feels like more big of a deal. And Adobe's PSIRT team helped sell it by advertising the crap out of it. And everybody's like, Oh, my gosh, another ColdFusion vulnerability, even though maybe it's only the you know, the second one that year. But anyway, that's all a sidetrack on the security topic. But yeah, security is important when choosing a language. And I argue that ColdFusion is very secure.
Michaela Light 1:14:54
Very secure. We've run out of time, Brad, I'm so sorry. But if people want to find you online, what are the best ways to do that?
Brad Wood 1:15:01
Um Say the word ColdFusion on Twitter How To Find me know you can you can find me on my on my blog you can I'm on the Lotus revolution.com Yeah coders, sorry, the Lucee Discourse forum. I'm on there the Ortus community Discourse forum on there among CFML Slack I'm in the Box Team Slack. On Twitter. I'm on all the ColdFusion Facebook groups that I've know of. So anywhere, even LinkedIn but you have to tag me and I'll check it regularly. So anywhere people are discussing ColdFusion you can usually find me lurking and shouting from behind the you know, parapet, here's CommandBox. So
Michaela Light 1:15:42
excellent. And they can also find you in person at the Into the Box conference, CF Summit,
Brad Wood 1:15:47
and I will be I will be at CF Summit, Adobe CF Summit, they accepted one of my talks on RabbitMQ. So I'll be at both of those conferences. Into the Box one as well. So
Michaela Light 1:15:58
I've been well thanks so much for doing the speed comparison and talking to us about how ColdFusion is really high performance and the best choice for programming language this year. In my view, I'm only slightly biased.
Michaela Light 1:16:13
And look forward to seeing your talk at Into the Box.
Brad Wood 1:16:17
Awesome. Sounds like a plan. Thanks for having me on.
Transcribed by https://otter.ai