This discussion revolves around the use of Tcl/Tk in software development, particularly in relation to the SQLite database and the Fossil version control system. Key themes include the perceived age or outdatedness of Tcl compared to modern languages, its strengths in specific use cases like embedding and scripting, and concerns about security, testing, and developer practices.
Tcl's Perceived Age and "Old Person" Association
Several users associate Tcl with older development practices or "old people," contrasting it with the preferences of more contemporary developers.
- "kevin_thibedeau: Vibe coders don't do test coverage. That's for old people."
- "kjs3: I don't get the Tcl hate. I use it all the time on Cisco gear, and it's incredibly useful...But then I'm old and still use perl for small stuff, so probably not reading the room...."
Tcl's Strengths and Use Case Value
Despite the "old" perception, many users defend Tcl, highlighting its utility and value in specific contexts, especially for embedding and scripting.
- "kjs3: I don't get the Tcl hate...Sure, if you try and turn it into a 10k+ LOC solution, life is going to suck. But in its use case envelope, so much value."
- "lanstin: TCL is the best way to embed programmability into C or C++ code; Ousterhout’s writings on modularity and composability explain why this is so useful to those that lack the experience of winning with it."
Tcl for Testing and Scripting
The discussion touches on Tcl's capabilities for creating testing suites and custom scripting tools.
- "nurettin: Shame, adding tests, or at least some experiments would actually improve vibe coding by several factors. But perhaps it depends on what you are coding."
- "doublerabbit: I would add a note that TCL has a very comprehensive testing suite which makes it very easy to add test units. https://wiki.tcl-lang.org/page/tcltest"
- "captn3m0: > To help the team stay in touch, a custom chatroom has been created using a Tcl/Tk script. The same script works as both client and server. The chatroom is private and uses a proprietary protocol, so that developers are free to discuss sensitive matters without fear of eavesdropping. The chatroom is implemented as just over 1000 lines of Tk code, and is thus accessible and easy to customize. Curious if anyone has more details on this. Does it have encryption?"
- "therein: With a lot of the code that may be stashed away into libraries, it doesn't seem all that remarkable. I think the higher level logic and control flow for E2EE group chat could be condensed to 1000 lines with the proper abstraction. Tcl probably helped with that abstraction so credit where it is due."
SQLite's Design Philosophy and Heritage
The use of Tcl within SQLite's development and tooling is discussed, with some users questioning the choices while others defend them based on SQLite's long-standing goals.
- "mdaniel: The bottom half of that "talk" just reeks of NIH, and look, I appreciate if you're the author of SQLite you get damn near unlimited leeway to do whatever you want despite what some rando on the Internet says, but ... I sure am glad I don't work under those conditions"
- "nurettin: Do you mean the part where they use a tcl script to extract comments and function signatures into documentation as opposed to using something like doxygen?"
- "0cf8612b2e1e: Better alternatives in the year 2000? SQLite's raison d’être is to be stable and safe. Rewriting a working solution is anathema to that goal."
- "wizzwizz4: SQLite predates most of the things you'd use instead. Given that in any case they'd be the ones left maintaining the wheels, long after everyone else has abandoned them, it makes sense for them to use their own wheels."
- "Animats: > SQLite supports this syntax. But because of its TCL heritage, SQLite also allows the parameter to take the form of a TCL variable. Hence: SELECT passwd, photo FROM user WHERE uid=$uid. Did they put "eval" in SQL parameter processing? Is there an SQL injection attack vulnerability there?"
Security and SQL Injection Concerns with Tcl/SQLite Integration
A significant portion of the conversation focuses on the security implications of how Tcl variables are handled within SQLite queries, specifically concerning SQL injection. The SQLite contributor clarifies the mechanism.
- "Animats: Did they put "eval" in SQL parameter processing? Is there an SQL injection attack vulnerability there?"
- "SQLite: > Is there an SQL injection attack vulnerability there? No, at least not if you put the SQL inside of {...}, which IIRC the documentation strongly recommends."
- "SQLite: The $uid is passed down into SQLite. It is a single token recognized by the SQL parser itself. It does not get expanded by TCL. The $uid token serves the same role as a "?" or ":abc" token would in some other SQL implementations. It is a placeholder for a value. The tclsqlite3.c interface first parses the SQL, then asks for the names of all of the placeholder tokens. Then it binds the values in TCL variables of the same name to those placeholders."
- "SQLite: Indeed, this whole mechanism is specifically designed to make it easy to write SQL-injection-free code. As long as you put your SQL inside of {...}, you are completely safe from SQL injections. If your TCL script includes SQL text inside of "...", then TCL will do the expansion and SQL injection is possible. But as long as the SQL text is inside of {...}, SQL injection is not possible."
- "sgbeal: > I suppose the encryption is only at the TLS layer? Correct unless the fossil repository in question uses SQLite's SEE (encryption) extension (which fossil can, but relatively few repositories use that, AFAIK)."
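The `{...}` versus `"..."` distinction described above, as an added Tcl example (not code from the thread or from SQLite itself); it assumes the Tcl `sqlite3` package is installed, and the `user` table and its rows are constructed sample data:

```tcl
package require sqlite3

# Constructed in-memory database with a few sample users (not real data).
sqlite3 db :memory:
db eval {
    CREATE TABLE user(uid INTEGER PRIMARY KEY, passwd TEXT, photo TEXT);
    INSERT INTO user VALUES(1, 'hash-of-alice', 'alice.png');
    INSERT INTO user VALUES(2, 'hash-of-bob',   'bob.png');
    INSERT INTO user VALUES(3, 'hash-of-carol', 'carol.png');
}

# Safe form: the SQL text sits inside {...}, so Tcl performs no substitution.
# SQLite's own parser sees the single token $uid, tclsqlite3 looks up the Tcl
# variable named uid in this scope, and its value is bound as a parameter.
proc lookup_safe {uid} {
    return [db eval {SELECT passwd, photo FROM user WHERE uid=$uid}]
}

# Unsafe form: the SQL text sits inside "...", so Tcl expands $uid into the
# SQL string before SQLite ever sees it. Kept only to contrast with the above.
proc lookup_unsafe {uid} {
    return [db eval "SELECT passwd, photo FROM user WHERE uid=$uid"]
}

# Ordinary input behaves the same either way: one row, two columns.
puts "safe, uid=2:     [lookup_safe 2]"
puts "unsafe, uid=2:   [lookup_unsafe 2]"

# Hostile input: a value that is SQL syntax rather than a number.
set hostile {1 OR 1=1}

# Bound as one text parameter, it matches no uid and the result is empty.
puts "safe, hostile:   [lookup_safe $hostile]"

# Interpolated into the SQL text, it rewrites the WHERE clause and the
# query returns every row in the table.
puts "unsafe, hostile: [lookup_unsafe $hostile]"

# Self-check of the property the discussion describes (db eval returns a
# flat list, so three rows of two columns give six elements).
if {[llength [lookup_safe $hostile]] != 0} {
    error "parameter binding did not isolate the input"
}
if {[llength [lookup_unsafe $hostile]] != 6} {
    error "expected all three rows from the interpolated query"
}
db close
```

The check at the end is what a reviewer wants from any Tcl code that builds SQL: every `db eval` argument should be a braced literal, so that `$name` tokens reach SQLite as placeholders rather than being substituted by Tcl first.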
Fossil and its Development Tools (including chat)
The discussion brings up Fossil, the distributed version control system developed by the author of SQLite, and its integrated features, such as a custom chatroom implemented in Tcl/Tk.
- "v9v: Fossil comes with a chatroom feature (https://fossil-scm.org/home/doc/trunk/www/chat.md). Could that be what they're referring to?"
- "Retr0id: E2EE group chat in 1000 lines would be rather impressive"
- "SQLite: The paper is from 2017. Fossil got chat support in 2021 and the developers now use Fossil-chat. https://fossil-scm.org/home/doc/trunk/www/chat.md. Fossil chat has the advantages that (1) it is fully encrypted and (2) it works from any web-browser, including on mobile phones."
- "Retr0id: > On the server-side, message text is stored exactly as entered by the users. I suppose the encryption is only at the TLS layer?"
- "valorzard: Does fossil have something similar to Git-LFS? I'd like to store binary assets like PNGs and music files and such"
Software Engineering and Business Rationale
Underlying some of the technical debates are discussions about business decisions, developer autonomy, and the management of technical debt or legacy systems.
- "mdaniel: ... I sure am glad I don't work under those conditions"
- "kjs3: I sure am glad I don't work under those conditions. I think we're all glad you don't work on things that require long term stability."
- "0cf8612b2e1e: Better alternatives in the year 2000? SQLite's raison d’être is to be stable and safe. Rewriting a working solution is anathema to that goal."
- "wizzwizz4: SQLite predates most of the things you'd use instead. Given that in any case they'd be the ones left maintaining the wheels, long after everyone else has abandoned them, it makes sense for them to use their own wheels."