Jeez, HN needs a better system for nested replies. Anyway.

You seem to think it can be patched up by turning it into something else. Great, we agree that it doesn't work as is, then.

Well, yeah, of course. The whole discussion started off as a debate about whether and how they could go about implementing security after the beta launch.

It's pretty well understood by all parties (and admitted by the founders themselves) that security isn't something Firebase is currently equipped to handle...

---

Sorry, I have no idea what you are shadow-boxing at, any more.

I've gone above and beyond in terms of explicit clarity to un-derail this conversation. Which part of my solution are you confused about? (I don't think I was too technical, but I can explain in more detail if necessary.)

I suspect that whatever the final solution is, it is going to be just as complicated as what we have now.

Do you mean that my system would be too complicated for developers? (The operation seems pretty straightforward to me.) Or are you just implying that you think they'll go in a different direction which involves a lot more developer labour?

You have been saying it should be mostly possible. I am sceptical.

In that case, do you see a specific hole in my design, or are you just unclear in general about how it would be used?

Yes. The discussion was over whether proper security is something it could ever be equipped to handle in an all or mostly-client world. The founders have been saying it is (and pointing to Office as an example). You have been saying it should be mostly possible. I am sceptical.

Read their front page. "No servers, no server side code". Of course there are actually servers involved, but they're inaccessible by the developer.

That's the whole point of this post: how much access will devs have to the servers, and how? Until those questions are answered, explicitly explicitly, doubts hang over the whole idea.

You seem to think it can be patched up by turning it into something else. Great, we agree that it doesn't work as is, then.

So you're saying that all server-side data that all apps using Firebase want to store should be stored centrally on Firebase owned servers. i.e since trusted user/pw hashes must be stored on a server to be matched against and the only server we have is the one that Firebase provides, all apps using Firebase will store these hashes on central servers owned by Firebase.. That sounds like a really bad idea.