[simoncion]

> Security vulnerabilities are found all the time in established stacks and things like robustness, reliability, maintenance and growth are ongoing issues.

If you stick to writing code only in a BEAM language, you're insulated from all errors except for those of system resource exhaustion (edit: or -obviously- system hardware failure ;) ) or programmer logic errors. [0]

The parts of Elixir and other such projects that are written in another language that compiles down to native code, [1] are vulnerable to the usual array of issues endemic to the language selected.

> Yes, BEAM is proven in enterprise use, but most of us don't have those resources.

I'm not sure what you mean by this, and what concerns are implied by this statement. Would you care to expand this statement?

The WhatsApp folks have found that they got a lot done with Erlang with a small staff and (what is reported to be) very few machines when compared to the amount of work performed.

[0] Erlang can neither save you from your own faulty logic, nor can it add resources to your system. ;)

[1] Erlang provides a mechanism called NIF that lets you write performance-critical (or whatever) code in C or another language, and link it in to Erlang. From there, you can access your other-language code with from your Erlang code what appears to be a regular Erlang function call.

[gozo]

I guess in case of a web application it wouldn't be so much BEAM itself as the libraries. It hard to know if e.g. the crypto library is secure and used correctly. The same goes for serialization and other things that normally leads to problems further up the stack.

"Would you care to expand this statement?"

It seem proven enough if you have dedicated highly skilled developers. Not necessarily if you're a smaller startup that have to do a lot of other things and are relying on the ecosystem. With one of the more well know stacks you have a long history of not only security fixes, but knowledge about how to do things.

It kind of boils down to if I would implement say a payment system with the stack could I feel confident we wouldn't get compromised? Currently I have a lot higher confidence in e.g. Python + Django + Nginx than Elixir + Phoenix + Cowboy.

That said, I'm still playing around with it.

[simoncion]

I understand and largely agree with your core points and concerns. I, myself am cautious and suspicious of new and/or unfamiliar software stacks. :)

So, the following disjointed commentary might be entirely superfluous. It also makes no mention of Elixir or Phoenix, as I've not yet used them:

AFAIK, everything shipped in Erlang/OTP has a test suite that you can run and -if you've the time and technical chops- inspect and evaluate for completeness and correctness.

Given that the Erlang community tends to be concerned about safety and reliability, I have substantially more confidence in the correctness of some random Erlang library on Github than of some random JavaScript (or -ye gods- Perl) library. ;)

Given that neither Cowboy nor Ranch appear to make use of any NIFs, I would be fairly confident in their safety in the face of garbage or malicious input.

The erlang-questions mailing list is a good place to ask questions of folks who use Erlang professionally and non-professionally for a wide variety of things. I've heard that the Elixir equivalents are similarly helpful.

[tbrooks]

Fwiw, the Rails app I'm rebuilding into Phoenix IS in fact a payment system.

EDIT: I also believe Heroku's request routing system is built on Erlang.

[simoncion]

Yeah, the routing system is. Fred Hebert (aka ferd, the author of "Learn You Some Erlang" and "Stuff Goes Bad: Erlang in Anger") is one of the folks working at Heroku on exactly that.