My Quick Take On Oxite

I’m really trying not to be negative with this post. The people behind Oxite are good folks and don’t deserve any hate.  They have made a mistake, though. A mistake I think needs to be corrected and requires some immediate action.

My advice, if anyone cares:

  • Oxite should be pulled immediately until the larger issues (including and especially the major security vulnerabilities) can be addressed satisfactorily.
  • Oxite should NOT be used as any sort of Best Practice or official guidance by Microsoft. The Oxite folks have been VERY open and clear that this is NOT anything official or supposed to be recommended guidance. Unfortunately, though, many WILL take it as that no matter how many disclaimers they have to click though.
  • If you are not familiar with ASP.NET MVC or MVC in general, you should avoid Oxite for the time being as there are several anti-patterns that may set you off on the wrong footing in the future.

I would prefer not to go into any specific problems Oxite may have.  From my days as a consultant, I know that this will be taken as gospel by many and used off-the-shelf with little modification to build many production web applications.  This could be a minor disaster for many companies and other organizations who may be the unwitting victim of its problems.  This may seem overly dramatic, but if you have not spent any significant time consulting in the .NET space and aren’t aware of things like PetShop or the various ASP.NET quick start applications then trust me, it could become that bad – and fast.

The folks who are involved with Oxite’s development are open to communication and are engaging the community and are working with everyone to try to balance the needs of everyone.  However, until its most major issues (including significant security vulnerabilities) can be addressed, I think it would be best to pull it or lock it down on CodePlex to prevent it being referenced by the community and any more confusion spread.

We all have an opportunity to improve the .NET space here and I think we should take this opportunity.  ASP.NET MVC will soon be released, and I’d hate for the first major impression of its usage from Microsoft be problematic.

Finally, I appreciate the efforts of the Oxite-involed folks and the sincere attempt at openness and contribution. This is a significant contribution and we are very thankful for this. As much as many members may be upset about Oxite, underneath, I think everyone is appreciative (though we/they may have a bad way of showing it) that this even happened in the first place. This is definitely a step in the right direction.  The next step, I think, is to crank up the quality a little more so we can all have our cake and eat it, too!

About Chad Myers

Chad Myers is the Director of Development for Dovetail Software, in Austin, TX, where he leads a premiere software team building complex enterprise software products. Chad is a .NET software developer specializing in enterprise software designs and architectures. He has over 12 years of software development experience and a proven track record of Agile, test-driven project leadership using both Microsoft and open source tools. He is a community leader who speaks at the Austin .NET User's Group, the ADNUG Code Camp, and participates in various development communities and open source projects.
This entry was posted in ASP.NET MVC, Oxite. Bookmark the permalink. Follow any comments here with the RSS feed for this post.
  • Paul

    Congrats on getting your point across without resorting to MS bashing, as some other blogs on the topic have done.


  • Great Post Chad. I am not very familiar with MVC and was going to look further at Oxite as a sample…I think now I will wait (because I’d rather spend the time elsewhere) until it improves or there is a better sample. I also really appreciate the tone of this post. I am just starting to follow blogs etc. that have more ALT.NET ideals and have been turned off in the past by the bashing that can happen. This tone is much more proactive and positive..this is the environment that needs to be cultivated to promote good software practices…THANKS!

  • Very well said. The Oxite contributors definitely deserve praise for their efforts, but the resulting project needs a little bit of work. Still, it’s good to see efforts at open source contribution from Microsoft.

  • This a great post and it is executed with a high level of professionalism. I really hope Microsoft listens to your advice. A few years ago, I would have taken this code as an example and perpetuated its bad habits. I know there are many developers today that will do the same. I hope you (and the community) can reach them first.

  • Eric


    I’d like to compare Oxite to your MVC example, but I seem to have lost the link to ChadMyers.Mvc.WebSampleApp?

  • +1

    Having been sent a link to “Check out Microsoft’s CMS system with” I promptly went to browse the source.

    I am currently in the process of developing an OSS CMS with, which will be released in chunks with blog post “how-to’s” articles.

    I nearly wet myself, not in a good way, when looking at the code – fat controllers and all – and tried to get an understanding of WTF Microsoft were doing releasing this as a this is how MVC should be written.

    I am relieved to hear that it is not an official Microsoft product, but deeply concerned with what damages it could do to people starting off with MVC on the .net platform.

    I will grok the code again tonight and try and get some posts together on why MVC should NOT be implemented in the way Oxite has been produced – if for nothing else than to give the Oxite developers a point of reference when re writing their software.


  • @Eric:

    I’m working on it as we speak. Also, if you’d like to pay me a salary while I do it, then it’d be a better comparison, also.

    Besides, I’ve done talks and given demos on “Opinionated ASP.NET MVC” before. Have you seen them?

    How’s about contributing to the discussion instead of throwing stones?

  • Why not list some specific issues and anti-patterns? I think that would help others learn a lot more than just saying “this is bad, don’t even look at it”. For instance, Rob Conery’s post points out six specific issues – do you agree with them? Are there other, perhaps more important issues?

  • Steve Sheldon

    The fact that Oxite code base is open source allows many to view it, and provide feedback.

    The key is, if that feedback is taken and used to make it better, then we all benefit.

  • @Jon:

    I considered doing so, but I thought that it might be inappropriate in public and that I should work with the Oxite team. What are your thoughts? Would it be good and a positive thing, or would it just look like a big indictment or something negative?

    I saw Rob Connery’s post and I think he covers the issues well. All the problems I have with Oxite can fit comfortably within his 6 topics-of-concern.

    Do you think I should do a breakdown? I feel that his post covers the larger issues and provide a good framework from which to move forward to resolve Oxite’s issues. I’m afraid anything I add to this will only be harmful.

    Maybe if I do it positively and constructively as a “Problem: Foo. Solution: Bar” type thing it would be help vs. harm?

    Thanks for the feedback, I’m interested to hear your responses!

  • @Steve: Yep, I agree. It’s great they’ve done this publicly and that we all have a chance to make things better.

    In the Old Way, this would’ve been done behind the scenes and then just released without much opportunity for feedback.

    Oxite represents a big (positive) shift forward for Microsoft in how it relates to developers.

  • Chad, I really appreciate the feedback, and as you’ve probably heard from Erik Porter’s various tweets and replies, we are definitely working on it. We are taking some of the general feedback, but are always looking for additional specific comments as well like Jon suggested above.

    I would like to point out that the XSS vulnerability you mention was in an earlier drop of the code and a fix was checked in shortly there after… more of an FYI that anything else.

  • I second Jon on this one.

    A lot of people are damning Oxite without actually taking the opportunity to explain what is wrong, and how it should be changed.

    The mistakes in Oxite are likely to be repeated by other developers (regardless of whether they have seen Oxite or not). This is an excellent opportunity for a public peer review, that can help steer people to best practices.

    Having Oxite alpha+peer review+Oxite Refactored would help the community even more, than Oxite having been great from the start.

  • @Andrew

    I totally agree. Having that “before and after” picture could be a huge learning tool for devs trying to learn MVC. Hopefully someone will take the time to highlight the major areas of change once Oxite has been refactored.

  • Jarrel Cobb

    One thing that struck me as kind of odd is that it seems as if they are using the LINQ-To-SQL generated classes as their domain model by extending them with interfaces and partial classes. All of the methods in the various repositories return instances of those LINQ-To-SQL classes.

    Am I wrong in thinking that this is bad practice for a LINQ-To-SQL powered DAL? It seems to be a major violation of the Seperation of Concerns. Mixing persistence concerns with the domain.

  • @Jarrel

    Not necessarily, it could be an accepted violation. Active Record couples database structure with the model, so you could say RoR is a ginormous SoC violation. The trick is to know when you need Domain Model versus Active Record.

  • Jarrel,

    Mixing persistence concerns specifically with domain logic – and more precisely – with entity logic, would be a SoC problem.

  • Hi Chad
    I think it would add a lot to the discussion to give specific problems, with a clear description of how they can be solved.