by pmontra 3911 days ago
Almost. I believe that half of the people that approach Phoenix coming from Rails stop when they realize there isn't any registration and authentication framework as good as Devise. The closest match is Addict but it covers only the basics and requires too much work. If one has to write his own product that could be OK. If one has to code for a customer it erodes the profit.

I thought the same thing too. A couple responses:

1) The Elixir community is still in its infancy and the community is growing rapidly and flourishing. If the concern is there isn't an equivalent Elixir library for X gem, it's only a matter of time before it is. So please join!

2) I attended the Phoenix training at ElixirConf this week and an easy answer to registration and auth is "hey, write a plug". Once you dive into how straightforward plugs (1) are and what (init/1, call/2) do, it's really simple.

You will appreciate the explicit nature of plugs compared to say, Rack middleware...

I'm rewriting a Rails app in Phoenix and overall, I've found it to be a really pleasant experience.

(1) http://hexdocs.pm/plug/extra-readme.html
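
An added example (not part of the original comment, and not code from Plug or Phoenix) of the "write a plug" approach described above: a session-based authentication plug built on init/1 and call/2. The names RequireAuth and DemoAccounts, the fetch_user/1 contract and the "user_id" session key are assumptions, and the script needs the plug package available, for example inside a Mix project.

```elixir
defmodule RequireAuth do
  @moduledoc "Hypothetical session-based authentication plug (added example)."
  @behaviour Plug
  import Plug.Conn

  # init/1 validates and normalises options once, before any request.
  @impl true
  def init(opts) do
    %{
      # Assumed: a module exporting fetch_user/1 -> {:ok, user} | :error
      accounts: Keyword.fetch!(opts, :accounts),
      session_key: Keyword.get(opts, :session_key, "user_id")
    }
  end

  # call/2 runs per request: it assigns :current_user, or halts with 401 so
  # later plugs never run. Assumes fetch_session/2 ran earlier in the pipeline.
  @impl true
  def call(conn, %{accounts: accounts, session_key: key}) do
    with id when not is_nil(id) <- get_session(conn, key),
         {:ok, user} <- accounts.fetch_user(id) do
      assign(conn, :current_user, user)
    else
      _ ->
        conn
        # Fail closed: drop a session that no longer maps to a user.
        |> configure_session(drop: true)
        |> send_resp(401, "unauthorized")
        |> halt()
    end
  end
end

# Constructed stand-in for a real user store.
defmodule DemoAccounts do
  def fetch_user(1), do: {:ok, %{id: 1, email: "alice@example.test"}}
  def fetch_user(_), do: :error
end

# Exercise both paths with Plug.Test (ships with Plug).
opts = RequireAuth.init(accounts: DemoAccounts)
request = fn session ->
  Plug.Test.conn(:get, "/billing")
  |> Plug.Test.init_test_session(session)
  |> RequireAuth.call(opts)
end
IO.inspect(request.(%{"user_id" => 1}).assigns[:current_user])
IO.inspect(request.(%{"user_id" => 99}).status)
IO.inspect(request.(%{}).halted)
```

The three calls cover a valid session, a session whose user no longer exists, and a request with no session at all; the last two take the same fail-closed branch.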

I'm not so concerned by the lack of libraries as with that no one seems to know the state of Elixir, Phoenix or BEAM. Security vulnerabilities are found all the time in established stacks and things like robustness, reliability, maintenance and growth are ongoing issues. Yes, BEAM is proven in enterprise use, but most of us don't have those resources. The first time I tried Elixir the welcome site broke, which wasn't a big deal, but it still didn't exactly instill a lot of confidence.

> Security vulnerabilities are found all the time in established stacks and things like robustness, reliability, maintenance and growth are ongoing issues.

If you stick to writing code only in a BEAM language, you're insulated from all errors except for those of system resource exhaustion (edit: or -obviously- system hardware failure ;) ) or programmer logic errors. [0]

The parts of Elixir and other such projects that are written in another language that compiles down to native code, [1] are vulnerable to the usual array of issues endemic to the language selected.

> Yes, BEAM is proven in enterprise use, but most of us don't have those resources.

I'm not sure what you mean by this, and what concerns are implied by this statement. Would you care to expand this statement?

The WhatsApp folks have found that they got a lot done with Erlang with a small staff and (what is reported to be) very few machines when compared to the amount of work performed.

[0] Erlang can neither save you from your own faulty logic, nor can it add resources to your system. ;)

[1] Erlang provides a mechanism called NIF that lets you write performance-critical (or whatever) code in C or another language, and link it in to Erlang. From there, you can access your other-language code from your Erlang code with what appears to be a regular Erlang function call.

I guess in case of a web application it wouldn't be so much BEAM itself as the libraries. It's hard to know if e.g. the crypto library is secure and used correctly. The same goes for serialization and other things that normally lead to problems further up the stack.

"Would you care to expand this statement?"

It seems proven enough if you have dedicated highly skilled developers. Not necessarily if you're a smaller startup that has to do a lot of other things and is relying on the ecosystem. With one of the more well-known stacks you have a long history of not only security fixes, but knowledge about how to do things.

It kind of boils down to if I would implement say a payment system with the stack could I feel confident we wouldn't get compromised? Currently I have a lot higher confidence in e.g. Python + Django + Nginx than Elixir + Phoenix + Cowboy.

That said, I'm still playing around with it.

I understand and largely agree with your core points and concerns. I, myself am cautious and suspicious of new and/or unfamiliar software stacks. :)

So, the following disjointed commentary might be entirely superfluous. It also makes no mention of Elixir or Phoenix, as I've not yet used them:

AFAIK, everything shipped in Erlang/OTP has a test suite that you can run and -if you've the time and technical chops- inspect and evaluate for completeness and correctness.

Given that the Erlang community tends to be concerned about safety and reliability, I have substantially more confidence in the correctness of some random Erlang library on GitHub than of some random JavaScript (or -ye gods- Perl) library. ;)

Given that neither Cowboy nor Ranch appear to make use of any NIFs, I would be fairly confident in their safety in the face of garbage or malicious input.

The erlang-questions mailing list is a good place to ask questions of folks who use Erlang professionally and non-professionally for a wide variety of things. I've heard that the Elixir equivalents are similarly helpful.

Fwiw, the Rails app I'm rebuilding into Phoenix IS in fact a payment system.

EDIT: I also believe Heroku's request routing system is built on Erlang.

Yeah, the routing system is. Fred Hebert (aka ferd, the author of "Learn You Some Erlang" and "Stuff Goes Bad: Erlang in Anger") is one of the folks working at Heroku on exactly that.