by gozo
3913 days ago
I guess in the case of a web application it wouldn't be so much BEAM itself as the libraries. It's hard to know if e.g. the crypto library is secure and used correctly. The same goes for serialization and other things that normally lead to problems further up the stack. "Would you care to expand this statement?" It seems proven enough if you have dedicated, highly skilled developers. Not necessarily if you're a smaller startup that has to do a lot of other things and is relying on the ecosystem. With one of the more well-known stacks you have a long history of not only security fixes, but knowledge about how to do things. It kind of boils down to this: if I were to implement, say, a payment system with the stack, could I feel confident we wouldn't get compromised? Currently I have a lot higher confidence in e.g. Python + Django + Nginx than Elixir + Phoenix + Cowboy. That said, I'm still playing around with it.
So, the following disjointed commentary might be entirely superfluous. It also makes no mention of Elixir or Phoenix, as I've not yet used them:
AFAIK, everything shipped in Erlang/OTP has a test suite that you can run and -if you've the time and technical chops- inspect and evaluate for completeness and correctness.
Given that the Erlang community tends to be concerned about safety and reliability, I have substantially more confidence in the correctness of some random Erlang library on Github than of some random JavaScript (or -ye gods- Perl) library. ;)
Given that neither Cowboy nor Ranch appear to make use of any NIFs, I would be fairly confident in their safety in the face of garbage or malicious input.
The erlang-questions mailing list is a good place to ask questions of folks who use Erlang professionally and non-professionally for a wide variety of things. I've heard that the Elixir equivalents are similarly helpful.
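The point about NIFs above can be made concrete. The following is an added example, not code from either commenter or from Cowboy/Ranch: a small length-prefixed frame parser in plain Erlang. Because it contains no native code, a malformed or hostile frame can only fail a pattern match or a guard, which raises an exception that the BEAM confines to the calling process; there is no path by which bad bytes reach unchecked native memory. The `frame_parser` module name, the `?MAX_FRAME` limit and the sample frames in `demo/0` are constructed for this example.

```erlang
%% Added example (not from the thread): a length-prefixed frame parser in pure
%% Erlang. Hostile input can at worst raise an exception in this process; it
%% cannot corrupt memory, since no NIF or port driver is involved.
-module(frame_parser).
-export([parse/1, parse_safely/1, demo/0]).

%% Assumed upper bound for this example. Memory safety does not protect
%% against a peer that advertises huge frames to exhaust memory, so the
%% length field is still bounded explicitly.
-define(MAX_FRAME, 1024).

%% A frame is a 2-byte big-endian length followed by exactly Len payload bytes.
%% Clause order matters: the size check must run before the payload match.
parse(<<Len:16/big, _/binary>>) when Len > ?MAX_FRAME ->
    {error, frame_too_large};
parse(<<Len:16/big, Payload:Len/binary, Rest/binary>>) ->
    {ok, Payload, Rest};
parse(Bin) when is_binary(Bin) ->
    %% Not enough bytes yet: the normal streaming case, keep buffering.
    {more, Bin}.

%% For callers that prefer an error tuple over a crash (e.g. when not running
%% under a supervisor that should restart the process), catch the exception.
parse_safely(Input) ->
    try parse(Input)
    catch
        error:Reason -> {error, Reason}
    end.

demo() ->
    %% Constructed sample inputs, not captured traffic.
    Good    = <<0, 3, "abc", "tail">>,   % complete frame plus trailing bytes
    Partial = <<0, 10, "abc">>,          % length claims more than is present
    Huge    = <<255, 255, "x">>,         % advertised length 65535 > MAX_FRAME
    Garbage = [not_a_binary],            % wrong type entirely
    [parse_safely(Good), parse_safely(Partial),
     parse_safely(Huge), parse_safely(Garbage)].
```

Calling `frame_parser:demo()` returns `{ok,<<"abc">>,<<"tail">>}`, `{more,<<0,10,"abc">>}`, `{error,frame_too_large}` and `{error,function_clause}` in that order. The last case is the behaviour the comment relies on: a type confusion that would be undefined behaviour in C is a caught `function_clause` here. The `?MAX_FRAME` guard is the caveat a reviewer would still want, since a memory-safe runtime does not by itself stop a client from asking the server to buffer more than it can afford.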