I am considering having a look at Opa. While I am comfortable with the usual way of building web applications, the project seems very interesting, and having the client-server communication handled automatically is a real plus.

My only concern is about security. If a new type of attack or vulnerability is discovered, I can usually take precautions myself. What if I develop an Opa application?

I guess MLstate will react very promptly to add bug and security fixes, but is this assurance enough? The company is not huge, and they may be under pressure for other things.

Are Opa projects flexible enough to allow patching security bugs on my own?

Andrea

1 Answer

One of the MLstate employees speaking :). Glad you like the concepts behind Opa. Now on to the question.

Of course we will try our best to address any security vulnerabilities as fast as possible. Can you patch security bugs on your own? Opa is fully open source, so nothing stops you from making a fork of the compiler and making your own fixes at your own pace. In which case, of course, we'd hope you'd send us a patch to be included in the official branch. Does that answer your question?

akoprowski
  • That is what I expected, but it is not optimal either. If I find a bug in a framework - say in Django - I can roll a fix because Django is written in Python, the very same language I use to write my application. In Opa fixing a bug would mean working with OCaml, which I am not familiar with, and working at the compiler rather than the application level. So it is much more complicated. – Andrea Oct 16 '11 at 08:53
  • I don't think it's *that* bad. A lot of Opa functionality is implemented in Opa (i.e. its stdlib). In particular, things that a web framework would offer you (Django) are almost exclusively in the standard library, plus partly accessed via the FFI (that would be JavaScript). So only compiler-level fixes would require tinkering with OCaml, and that part of Opa tends to be more stable than its stdlib. – akoprowski Oct 16 '11 at 10:18
  • This is nice to know, and quite reassuring :-). Thank you very much. – Andrea Oct 16 '11 at 12:58