Ask HN: In light of Rails security is now a good time to learn Django?
I'm a little concerned after reading Patrick McKenzie's article. It seems like it isn't that simple to flick a switch and turn off the most vulnerable parts of rails (i.e. stuff related to YAML).
Maybe Django/Python has similar issues but it is not as popular as Rails. Should I be concerned and perhaps consider moving to another framework?
10 comments
[ 2.8 ms ] story [ 22.4 ms ] threadhttp://www.jeffknupp.com/blog/2012/02/09/starting-a-django-p...
Rails the framework I think is better than Django. I just found conceptually it had more of what I wanted already in there. However coming from a Java/Perl background, Python was easier for me to grasp and read over Ruby. And timing wise, I wouldn't deploy or upgrade a Rails app until I felt comfortable with the security issues being addressed. Hell, I wouldn't want to surf the internet with an app running on my computer today.
if you want to learn Django, do it, but the Rails World is certainly not in ruins or shattered because of this, "move frameworks" because of this doesn't make a much sense... you could as well have said "in light of Django Unchained popularity is now a good time to learn Django?"
1. I want to use a widely supported framework, and Django seems to be the most likely candidate. There are a lot of things I like about Rails, but perhaps the best thing about it is there are so many gems/plugins that make extending an application very easy.
2. I have already updated my app so it is running the latest (and patched) version of Rails. The problem is in the article by Patrick Mackenzie (see here - http://www.kalzumeus.com/2013/01/31/what-the-rails-security-...) it seemed to indicate there are a lot more gotchas in Rails that will emerge as time goes by which is very concerning.
The couple of things I don't like about Rails is deployment and too much magic. In light of the security issue if there are that many potential issues with YAML then I wanted to know if Django was measurably more secure as well as easier to deploy, and if it had less magic. Perhaps I should have spelled those things out.
One more thing - I found your comment about Django Unchained comment rather snarky and a little insulting. It's as if the the security problems in Rails (2 of them found in the past month and more to come apparently) gives me a chance to change my framework as if it were like a fasion trend. There are a lot of moving parts in rails and I don't understand all of it, I've never read the source code. I've already invested quite a bit in learning Rails but now I am at a cross roads, do I go full monty and learn all the ins and outs of Ruby, or do I consider looking elsewhere.
Your post definitely has a condescending tone and I did not appreciate it. Please think about why you are posting before you add to a thread.
I hadn't read this post yet, it sure is alarming but I trust the ruby/rails community in the sense that it was always pretty fast to adopt, reject and take action on things and that it will keep this relative efficiency, specially against problems like these so at least this is something we can trust, I guess.
As for Django, go for it... it's just that this problems look really ugly in hindsight... 3 months ago it probably was, for most people, that Rails had most of good security stuff built right in, it can happen in another framework, in linux, or ubuntu next, that sort of thing...