Ask HN: In light of Rails security is now a good time to learn Django?

6 points by padseeker ↗ HN
I'm a little concerned after reading Patrick McKenzie's article. It seems like it isn't that simple to flick a switch and turn off the most vulnerable parts of rails (i.e. stuff related to YAML).

Maybe Django/Python has similar issues but it is not as popular as Rails. Should I be concerned and perhaps consider moving to another framework?

10 comments

[ 2.8 ms ] story [ 22.4 ms ] thread
Django also has security flaws that will be discovered with time. All frameworks do. Instead of getting scared by it, you should be pro-active in learning Rails security in order to build more secure Rails apps (and improve the framework itself). I still trust Rails.
Every framework has security holes. I have seen and used a lot of frameworks and Django is the best framework for me. Second nice framework is Apache Wicket, but it's stateful.
The replies are true, but to your question, yes. Right now would be a good time provided you were on square footing with both.
I've never used python, so it would be starting from scratch. I love a lot of things about rails but deployment is not one of them. Is it easier to deploy Django?
If you want a good start to Django follow this guy's setup. The virtual env made managing my libraries a lot easier.

http://www.jeffknupp.com/blog/2012/02/09/starting-a-django-p...

Rails the framework I think is better than Django. I just found conceptually it had more of what I wanted already in there. However coming from a Java/Perl background, Python was easier for me to grasp and read over Ruby. And timing wise, I wouldn't deploy or upgrade a Rails app until I felt comfortable with the security issues being addressed. Hell, I wouldn't want to surf the internet with an app running on my computer today.

Or you could update your Rails version so the problem is gone?

if you want to learn Django, do it, but the Rails World is certainly not in ruins or shattered because of this, "move frameworks" because of this doesn't make a much sense... you could as well have said "in light of Django Unchained popularity is now a good time to learn Django?"

There is a very logical reason why I asked the question and mentioned Django, not all of which was spelled out in my post;

1. I want to use a widely supported framework, and Django seems to be the most likely candidate. There are a lot of things I like about Rails, but perhaps the best thing about it is there are so many gems/plugins that make extending an application very easy.

2. I have already updated my app so it is running the latest (and patched) version of Rails. The problem is in the article by Patrick Mackenzie (see here - http://www.kalzumeus.com/2013/01/31/what-the-rails-security-...) it seemed to indicate there are a lot more gotchas in Rails that will emerge as time goes by which is very concerning.

The couple of things I don't like about Rails is deployment and too much magic. In light of the security issue if there are that many potential issues with YAML then I wanted to know if Django was measurably more secure as well as easier to deploy, and if it had less magic. Perhaps I should have spelled those things out.

One more thing - I found your comment about Django Unchained comment rather snarky and a little insulting. It's as if the the security problems in Rails (2 of them found in the past month and more to come apparently) gives me a chance to change my framework as if it were like a fasion trend. There are a lot of moving parts in rails and I don't understand all of it, I've never read the source code. I've already invested quite a bit in learning Rails but now I am at a cross roads, do I go full monty and learn all the ins and outs of Ruby, or do I consider looking elsewhere.

Your post definitely has a condescending tone and I did not appreciate it. Please think about why you are posting before you add to a thread.

You're right, sorry, I've been in a terribly bitter mood lately and I'm not proud of this comment

I hadn't read this post yet, it sure is alarming but I trust the ruby/rails community in the sense that it was always pretty fast to adopt, reject and take action on things and that it will keep this relative efficiency, specially against problems like these so at least this is something we can trust, I guess.

As for Django, go for it... it's just that this problems look really ugly in hindsight... 3 months ago it probably was, for most people, that Rails had most of good security stuff built right in, it can happen in another framework, in linux, or ubuntu next, that sort of thing...

The solution to understanding the Rails magic is to learn the ins and outs of Ruby. You will find out that it's just Ruby programming and it's not magic at all.