Doing a security review of the way mix grabs code for dependencies. #myelixirstatus
Replying to @kevdogtweets @BFist
Looked into that recently: https://blog.voltone.net/post/5 - would be happy to compare notes and work on improvements.
Replying to @voltonez
I'm trying to find where mix figures out the git repo for each dependency. Mix.Dep.Loader seems to know that by magic.
Replying to @kevdogtweets @voltonez
I think this is what I was looking for. Just re-read your blog post. pic.twitter.com/RczJbsgeeP
Replying to @kevdogtweets @BFist
That's for Hex packages, which cannot have git deps; for the top-level project and its git/file deps it's done through eval of mix.exs.
Replying to @voltonez
Still, is it possible to man-in-the-middle a developer and point them to a fake hex.pm, providing malware and a faked checksum?
Replying to @kevdogtweets @BFist
Should be safe: HTTPS with CA chain and hostname verification, and a signed package registry.
Replying to @voltonez
Excellent. That's what I was trying to verify. Any idea where in the code I can find that?