Ask HN: In light of Rails security is now a good time to learn Django? - padseeker

I'm a little concerned after reading Patrick McKenzie's article. It seems like it isn't that simple to flick a switch and turn off the most vulnerable parts of rails (i.e. stuff related to YAML).

Maybe Django/Python has similar issues but it is not as popular as Rails. Should I be concerned and perhaps consider moving to another framework?
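For readers wondering what "turning off the vulnerable parts" looks like at the YAML level, here is an added Ruby example (not code from the thread or from Rails) showing the defensive pattern the Psych library offers: `YAML.safe_load` builds only plain data types and refuses documents that ask the loader to instantiate arbitrary Ruby objects or expand aliases. The three sample documents are constructed for this illustration; the method names `load_untrusted` and `classify` are this example's own.

```ruby
require 'yaml'

# Constructed sample inputs (not taken from the thread).
# 1. Ordinary data: a loader should accept this.
PLAIN_DOC = "name: widget\nprice: 9.99\ntags:\n  - a\n  - b\n"

# 2. A document whose root node carries a Ruby object tag. A permissive
#    loader would try to build an OpenStruct here; safe_load refuses.
OBJECT_DOC = "--- !ruby/object:OpenStruct\ntable:\n  :x: 1\n"

# 3. A document using an anchor/alias pair, which safe_load also rejects
#    unless aliases are explicitly enabled (they can be abused for
#    resource-exhaustion payloads).
ALIAS_DOC = "a: &x 1\nb: *x\n"

# Parse YAML that came from an untrusted source. No classes beyond the
# built-in scalar/collection types are permitted, and aliases are off.
def load_untrusted(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
end

# Report how the restricted loader treats a document, mapping the two
# Psych exception families to symbols so callers can log or reject.
def classify(yaml_text)
  load_untrusted(yaml_text)
  :accepted
rescue Psych::DisallowedClass
  :rejected_object_tag
rescue Psych::BadAlias
  :rejected_alias
end

if __FILE__ == $PROGRAM_NAME
  { plain: PLAIN_DOC, object: OBJECT_DOC, alias: ALIAS_DOC }.each do |label, doc|
    puts "#{label}: #{classify(doc)}"
  end
end
```

The point for a defender is that the restriction lives in the loader call, not in the framework: any code path in an application that parses attacker-controlled YAML should go through `safe_load` (or an equivalent restricted loader) rather than `YAML.load`, which on older Psych versions constructs whatever object the document names.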
======
orangethirty
Django also has security flaws that will be discovered with time. All
frameworks do. Instead of getting scared by it, you should be pro-active in
learning Rails security in order to build more secure Rails apps (and improve
the framework itself). I still trust Rails.

------
exelib
Every framework has security holes. I have seen and used a lot of frameworks
and Django is the best framework for me. Second nice framework is Apache
Wicket, but it's stateful.

------
zpk
The replies are true, but to your question, yes. Right now would be a good
time provided you were on square footing with both.

~~~
padseeker
I've never used python, so it would be starting from scratch. I love a lot of
things about rails but deployment is not one of them. Is it easier to deploy
Django?

~~~
zpk
If you want a good start to Django follow this guy's setup. The virtual env
made managing my libraries a lot easier.

[http://www.jeffknupp.com/blog/2012/02/09/starting-a-django-project-the-right-way/](http://www.jeffknupp.com/blog/2012/02/09/starting-a-django-project-the-right-way/)

Rails the framework I think is better than Django. I just found conceptually
it had more of what I wanted already in there. However coming from a Java/Perl
background, Python was easier for me to grasp and read over Ruby. And timing
wise, I wouldn't deploy or upgrade a Rails app until I felt comfortable with
the security issues being addressed. Hell, I wouldn't want to surf the
internet with an app running on my computer today.

------
xijuan
Yes

------
Buzaga
Or you could update your Rails version so the problem is gone?

If you want to learn Django, do it, but the Rails world is certainly not in
ruins or shattered because of this. "Move frameworks" because of this doesn't
make much sense... you could as well have said "in light of Django Unchained's
popularity, is now a good time to learn Django?"

~~~
padseeker
There is a very logical reason why I asked the question and mentioned Django,
not all of which was spelled out in my post:

1. I want to use a widely supported framework, and Django seems to be the
most likely candidate. There are a lot of things I like about Rails, but
perhaps the best thing about it is there are so many gems/plugins that make
extending an application very easy.

2. I have already updated my app so it is running the latest (and patched)
version of Rails. The problem is that the article by Patrick McKenzie (see here:
[http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/](http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/))
seemed to indicate there are a lot more gotchas in Rails that will emerge as
time goes by, which is very concerning.

The couple of things I don't like about Rails is deployment and too much
magic. In light of the security issue if there are that many potential issues
with YAML then I wanted to know if Django was measurably more secure as well
as easier to deploy, and if it had less magic. Perhaps I should have spelled
those things out.

One more thing - I found your comment about Django Unchained rather
snarky and a little insulting. It's as if the security problems in Rails
(2 of them found in the past month and more to come, apparently) give me a
chance to change my framework as if it were a fashion trend. There are a
lot of moving parts in Rails and I don't understand all of it; I've never read
the source code. I've already invested quite a bit in learning Rails, but now I
am at a crossroads: do I go the full monty and learn all the ins and outs of
Ruby, or do I consider looking elsewhere?

Your post definitely has a condescending tone and I did not appreciate it.
Please think about why you are posting before you add to a thread.

~~~
clark-kent
The solution to understanding the Rails magic is to learn the ins and outs of
Ruby. You will find out that it's just Ruby programming and it's not magic at
all.

