I would like to know whether abandoning Jython and using GraalVM instead was considered. It has native Python support for version 3.x and it uses JIT to compile it to bytecode. Since Jython development has basically halted, wouldn't this be a more usable alternative?
I understand the appeal of Python 3.x as an extension mechanism, but switching to GraalVM isn't just a small change.
First of all, it ties every deployment to a specific JVM implementation and to a compilation model that doesn’t always play well with frameworks like Spring, especially around class loading and dependency injection.
Even if this problem is solved, not all Python modules work well in GraalVM, particularly if they use C extensions like many scientific libraries.
Additionally, experience showed that embedded language extension points are much harder to secure, because a poorly written script (since it's in a Turing-complete language) can run forever or escape the sandbox and impair the entire deployment or, worse, even exfiltrate data.
Testing, versioning, maintenance and deployment also become much harder unless we accept the arguably "risky" and unergonomic model of admins directly typing scripts in the admin UI and testing them manually.
The V3 interceptor API is a much better model, but even that comes with certain risks, and one should always ask oneself whether it's worth writing an internal extension or rather relying on public APIs for external integrations.
If internal extensions that are user-editable ever become a necessary feature, only guaranteed-terminating expression languages should be considered, such as Dhall or CEL, but these come at the price of limited expressivity, since by design they don't let users express all possible programs.
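To illustrate the trade-off described in the reply above, here is an added example (not from the thread, not openBIS code, and not CEL or Dhall): a hypothetical miniature rule language for field validation that terminates by construction because it allow-lists only comparisons and boolean logic. All names (`compile_rule`, `check`, `RejectedRule`, the field names) and the length limit are assumptions made for the illustration.

```python
import ast
import operator

# Hypothetical rule language: comparisons and boolean logic over named fields.
# No calls, attributes, loops or arithmetic, so cost is bounded by rule size.
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
        ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
            ast.Compare, ast.Name, ast.Load, ast.Constant, ast.Tuple, *_CMP)
MAX_SOURCE_CHARS = 200  # constructed limit; also caps nesting depth

class RejectedRule(ValueError):
    """Raised when a rule uses anything outside the allow-list."""

def compile_rule(source):
    if len(source) > MAX_SOURCE_CHARS:
        raise RejectedRule("rule too long")
    try:
        tree = ast.parse(source, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise RejectedRule(f"cannot parse rule: {exc}") from None
    for node in ast.walk(tree):  # validate every node before evaluating any
        if not isinstance(node, _ALLOWED):
            raise RejectedRule(f"{type(node).__name__} is not allowed")
    return tree.body

def _eval(node, fields):
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):  # names resolve only to supplied fields
        if node.id not in fields:
            raise RejectedRule(f"unknown field {node.id!r}")
        return fields[node.id]
    if isinstance(node, ast.Tuple):
        return tuple(_eval(e, fields) for e in node.elts)
    if isinstance(node, ast.UnaryOp):  # only ast.Not passes the allow-list
        return not _eval(node.operand, fields)
    if isinstance(node, ast.BoolOp):
        vals = (_eval(v, fields) for v in node.values)
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    # ast.Compare, including chains such as 0 <= ph <= 14
    vals = [_eval(n, fields) for n in [node.left, *node.comparators]]
    return all(_CMP[type(op)](a, b) for op, a, b in zip(node.ops, vals, vals[1:]))

def check(source, fields):
    try:
        return bool(_eval(compile_rule(source), fields))
    except TypeError as exc:  # e.g. comparing a string field with a number
        raise RejectedRule(f"type error: {exc}") from None
```

The rule text is never passed to `eval()`; the host walks the validated tree itself, so a rule such as `len(name) > 0` is refused at compile time. That refusal is the limited expressivity the reply mentions.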
Thank you very much for the answer, those are very strong points.
In that case I would like to ask what direction openBIS is currently moving towards. Are you planning on making the Jython extensions obsolete and recommending only Java server extensions? And what about the scripts that are used for field validation? What would be the recommendation for new deployments in terms of data processing and upload to openBIS? Should the new AFS server be preferred over the DSS?