Doing a security review of the way mix grabs code for dependencies. #myelixirstatus
That's for Hex packages, which cannot have git deps; for the top-level project and its git/file deps it's done through eval of mix.exs.
Still, is it possible to man-in-the-middle a developer and point them to a fake hex.pm, providing malware and a faked checksum?
Should be safe: HTTPS with CA chain and hostname verification, and a signed package registry.
Gotcha. I thought mix reached out to hex.pm to find what git repo to download and then did that locally.