I opened a random file (HippyBridge.h[0]) and it looks very similar to React Native's RCTBridge.h[1], which leads me to believe Hippy is either a fork of React Native or heavily "inspired" by it. A lot of the comments and symbols match React Native's 1-to-1.
EDIT: I've read through more of the source and compared it to React Native. Like Jarred mentioned[2] it probably started out as a fork of React Native.
At the bottom of their license file they have an MIT license[0]. But they only mention someone named Evan You:
> Hippy-Vue and Hippy-Vue-Router is using the part of codes write by Evan You with MIT license.<MIT license>
My best guess is that Evan is this person [1][2]. So that still doesn't seem to fit the proper MIT license agreements if you're right, and it looks like you are.
Evan is the author of Vue.js, which they also seem to have borrowed code from. A lot of the core code seems to be React Native with `s/RCT/Hippy/g` applied.
Looks like they haven't put up much documentation yet - hard to say what this is really.
How do you work with different platforms? How does the performance compare to React Native? Can we see examples? What APIs exist to access native functionalities? How complete is the Flex implementation?
- They expose wrappers for native recycling list views[0]. React Native does this in JavaScript through VirtualizedList, however some have experienced performance issues with it[1]
- They wrote their own flexbox layout library[2] (likely based on Yoga)
- It works with both Vue[3] and React
- Hippy supports web as a build target out of the box[4] (react-native-web is a 3rd party library)
- Touch events work on the `<View />` component directly, instead of needing to wrap `<View />`'s in the `<Touchable />` components[5]
- It uses a closed-source fork of libv8 on Android called X5[6].
The API & coding style is quite similar to React Native, but the implementation seems different. I'm guessing this started as an internal fork of React Native and turned into a large refactor, but that's just a guess
Chinese (and Japanese) use 4-digit separated factors, so it's easy to make these kinds of mistakes.
e.g. 100 ten-thousands, not 1000 x 1000s. Even after living there a while, converting big currency numbers is a pain.
Corporations have been using open source to exert technological dominance and push standards that favour their agenda for some time. It's proving so effective to have direct control over software and standards that more and more companies are engaging in this activity.
Certain tools come with telemetry that is used to track the users. On top of this, by making open source these corporations are seen as good for the community by naive engineers.
You can find here on HN articles that talk about how Google is using Chrome to bend the web to its will, how Visual Studio Code tracks its users and how Facebook uses its Android SDK to track smartphones. JetBrains declared they made Kotlin with the intent of gaining an edge on competition for Java IDEs (no spying intent declared or reported, but I want to highlight that even for a $300 million company technological domain is proving effective).
Tencent is merely doing what other corporations have been doing for decades.
Tencent is one of the companies responsible for China’s dystopian sesame credit scheme, for one. I would not want to contribute to any of their projects.
Sesame Credit is operated by Ant Financial, a subsidiary of Alibaba. They're a competitor to whatever credit scoring Tencent does for their forays into micro-lending.
Bringing in the Tencent credit scoring for micro-lending is muddying the issue. Possibly I’m guessing an intentional move on their part to limit the damage from their association with Sesame Credit.
As I understand it Tencent has worked closely with the Chinese government to enable its social media properties like WeChat to feed data into Sesame Credit on a massive scale. This is a project that they support and enable, and I believe in the early days they were also one of the companies that helped to develop it, regardless of who currently operates it on paper.
Why speculate on whether it is spyware? Read the source and verify it for yourself. If there is spyware I would appreciate a link to the relevant lines.
How do you read the source of a closed source library? I mean sure reverse engineering is possible but it’s a bit flippant to suggest that everyone has time to do this. Even if it did not have closed source libraries, it’s a bit much to assume everyone affected can understand the source.
We already know that Tencent engages in bad stuff on behalf of the Chinese government (Sesame Credit as a concrete example), so they shouldn’t be presumed innocent right out of the box.
What’s wrong with existing cross platform frameworks? You have to wonder what their agenda is for creating this.
I believe that when it started out they were also working on it, but I’ll admit to not having a source at the moment. Would not be surprised if all evidence of their involvement has been wiped from the internet though.
In the meantime I’m pretty sure they fully cooperate with the Chinese government in supplying data to the Sesame Credit system through their social media properties like WeChat. Something that more ethical competitors like WhatsApp have refused to do.
> Do you think that only forks of projects can have security issues?
Huh? I'm replying to someone inquiring why someone else didn't review a fork. Aka, the GP was focused on the Fork aspect of Hippy, and the Parent asked about React, as if React was a fork.
I think you misunderstood the comment chain. I was not even talking about security issues or how that affects forking. I was merely replying to another discussion about forking, and how React is viewed in that "forking light".
The top-level comment in the chain is "Anyone done a security audit on this yet?" I was interpreting the forking discussion as an aspect of the security discussion.
We don't need to get into international politics to answer this question. Security audits are good ideas on any open source project you want to put into production. They are a good idea even if you wrote the code yourself, to make sure you didn't leave vulnerabilities in your code by accident. Securing an app, and preventing data breaches, is simply good practice as professional software engineers.
It's a good idea, but increasingly impractical. Npm-based development is just such a fractal of dependencies; it'd take me a year to review everything that goes into a typical SPA, and by the time I was done 90% of the packages would have been updated significantly.
I just hope the various cryptominers that get shoehorned in to umpteenth child dependencies fight against each other...
I'm confused. I would think more modular work is easier to review, plus modules allow deduplication. Is a module with 500,000 LoC in dependencies really that much harder to audit than a project that includes the same code internally?
I think the issue is each module tends to include far more code than just what the project needed.
If everything was like the NPM meme where you install a package to check if something is true, then your LOC for that module would be quite limited.
However a single dependency is often big itself, and the 50 dependencies it has are also quite big. The LOC in the dep-dep is not the same as if it was written by hand in the dep.
So if you wrote your dep by hand you may use, say, 500,000 LOC - but with the tree of dependencies not being a 1:1 to what you use, you have to audit more like 2Mil LOC. Perhaps an audit could be aided by some sort of tree-shaking scenario, where all non-used code is removed, leaving you with the real 500,000 LOC that needs review. Would be interesting.
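The "what you asked for versus what you actually ship" gap described in this comment can be measured from the lockfile before anyone opens a single dependency. The script below is an added example written for this thread, not code from the discussion or from any project mentioned in it. It assumes an npm `lockfileVersion` 2 `package-lock.json`, whose `packages` map is keyed by `node_modules` path (the empty key is the project itself), and it embeds a small constructed lockfile with invented package names so it runs offline. It walks the runtime `dependencies` edges from the root using Node-style nearest-`node_modules` resolution, so nested duplicate copies of a package (two versions to review, not one), transitive-only packages, and installed-but-unreachable packages (dev tooling) all show up separately in the summary.

```python
import json
from collections import deque


# Constructed sample in the shape of an npm lockfileVersion 2 "packages" map.
# Every package name and version here is invented for illustration.
SAMPLE_LOCK = json.dumps({
    "name": "example-spa",
    "lockfileVersion": 2,
    "packages": {
        "": {
            "dependencies": {"ui-kit": "^1.0.0", "is-truthy": "^2.0.0"},
            "devDependencies": {"leftover-dev-tool": "^0.1.0"},
        },
        "node_modules/ui-kit": {
            "version": "1.4.0",
            "dependencies": {"layout-engine": "^3.0.0",
                             "event-utils": "^1.2.0",
                             "is-truthy": "^2.0.0"},
        },
        "node_modules/layout-engine": {
            "version": "3.1.1",
            "dependencies": {"vec-math": "^1.0.0", "event-utils": "^1.2.0"},
        },
        # layout-engine needs a newer vec-math than the hoisted copy, so npm
        # nests a second copy under it: two versions to review, not one.
        "node_modules/layout-engine/node_modules/vec-math": {"version": "1.0.2"},
        "node_modules/event-utils": {
            "version": "1.2.5",
            "dependencies": {"vec-math": "^0.9.0"},
        },
        "node_modules/vec-math": {"version": "0.9.3"},
        "node_modules/is-truthy": {"version": "2.0.1"},
        "node_modules/leftover-dev-tool": {"version": "0.1.0", "dev": True},
    },
})


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def resolve(packages, from_path, name):
    """Find the lockfile entry that `name` resolves to when required from
    `from_path`, climbing through enclosing node_modules directories the way
    Node's resolver does. Returns None if nothing matching is installed."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut != -1 else ""


def runtime_closure(packages, root=""):
    """Breadth-first walk over runtime `dependencies` edges from the root.
    Returns (set of reachable paths, {path: set of paths that require it})."""
    seen, requirers = set(), {}
    queue = deque([root])
    while queue:
        path = queue.popleft()
        if path in seen:
            continue
        seen.add(path)
        for dep in packages[path].get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is None:
                raise KeyError(f"{dep!r} required by {path or 'root'} is not in the lockfile")
            requirers.setdefault(target, set()).add(path)
            queue.append(target)
    seen.discard(root)
    return seen, requirers


def audit_summary(lock_json):
    """Size the review surface: direct deps vs. everything that actually ships."""
    packages = json.loads(lock_json)["packages"]
    reachable, requirers = runtime_closure(packages)
    direct = set(packages[""].get("dependencies", {}))
    names = [package_name(p) for p in reachable]
    return {
        "direct": sorted(direct),
        "runtime_paths": sorted(reachable),
        "transitive_only": sorted(set(names) - direct),
        "duplicated": sorted({n for n in names if names.count(n) > 1}),
        "not_reachable": sorted(set(packages) - reachable - {""}),
        "requirers": {p: sorted(r) for p, r in sorted(requirers.items())},
    }


if __name__ == "__main__":
    summary = audit_summary(SAMPLE_LOCK)
    print(f"direct deps: {len(summary['direct'])}, "
          f"packages actually shipped: {len(summary['runtime_paths'])}")
    for path, who in summary["requirers"].items():
        print(f"  {path}  <- {', '.join(r or '(root)' for r in who)}")
    print("installed but not reachable at runtime:", summary["not_reachable"])
```

Against a real project, replace `SAMPLE_LOCK` with the contents of its `package-lock.json`; the `requirers` map is the useful part when triaging, because it tells you which single dependent dragged in a package you have never heard of, and whether removing one direct dependency would prune it.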
I've been having this same problem with Rust lately. Frankly, I think it's true for any package platform you use.
>I've been having this same problem with Rust lately. Frankly, I think it's true for any package platform you use.
Right, people act like node_modules is extremely special. They open the folder and say "Look at all of the files, what a mess!" as if other languages don't have this. Just in most other languages it's more hidden from you.
A project that has 500kloc probably doesn't have anywhere near the churn on most of that code that actively developed dependencies have. Most of that mass of first-party code is static and doesn't change much, if ever.
To be fair, so is the US (NSA), but people rarely suggest that packages from the US should be monitored extra closely for some reason.
Of course every package used in any code that contains sensitive data should be audited along with its dependencies, but I see no reason to be more afraid of this particular package than anything people happily install from npm.
There's a good reason for that: US does not really need to put backdoors in software to spy. They have the largest tech companies under their legislation and can already force them to disclose information on users. Most companies won't argue and hand over things silently.
They have international agreements with a number of countries for surveillance.
This means that unless an app is completely hosted, in all parts from source code to production, in a privacy-friendly country, on servers provided by a privacy-friendly company and the app is made by a company in similar conditions, the US and EU have all they need.
While there have been some serious breaches of trust, US companies have a track record of fighting governments openly in court to avoid sharing data with them.
Chinese companies absolutely do not have this track record. Chinese companies are essentially an extension of the heavy hand of the Chinese Communist Party.
Two main reasons: better track record in the specific domain of forced modifications for intelligence collection, and US-based projects already have the same level of risk. I would assume that for sensitive Chinese projects US software is considered risky.
Snowden was not talking about forced state interference in companies like e.g. Huawei or Alibaba or many other, even small, Chinese companies. While it happens, it certainly does not happen that much (while it's a normal occurrence in China), and if the companies are forced to do something, it's most of the time through a court.
Disconcerting and suspicious to see so many Chinese codebases being advertised here. I feel that there is some nation state activity behind it. There is a ban on Chinese work products in sensitive industries (aerospace/defense, military, and government), and other industries should follow suit if they care about security.
Please do not copy/paste comments on HN. That strictly lowers the signal/noise ratio.
Also, your comment breaks the site guideline against insinuating astroturfing, shillage, etc., without evidence. I replied to you about that here: https://news.ycombinator.com/item?id=21879877. Please don't do it again.
0: https://github.com/Tencent/Hippy/blob/master/ios/sdk/base/Hi...
1: https://github.com/facebook/react-native/blob/master/React/B...
2: https://news.ycombinator.com/item?id=21877857