ericmj

Elixir Core Team

Hex.pm is adding private packages and organizations

We are announcing the addition of private packages on Hex.pm. With private packages you can publish packages to Hex.pm that only your organization members can access and download. With your organization you get a repository namespace on Hex.pm so that your private packages will not conflict with packages in the global, public repository. Go check out the documentation Private packages | Hex to learn exactly how it works and go to the sign up form https://hex.pm/dashboard/signup to request access to the beta.

Link to full announcement: Private packages and organizations | Hex

Most Liked

ericmj

Elixir Core Team

Thanks, it has been fixed now.

Yes, that’s what we are working on right now. Hexdocs requires more work since it needs to change from static file hosting to a server with authentication and needs subdomain isolation between organizations so that cookies cannot be stolen or XSS attacks performed.

ericmj

Elixir Core Team

Hi @zazaian!

This is a very broad question so I will give a general description of some of our infrastructure, how we authenticate access, and store private information. Some of this applies in general to all of hex.pm and some of it is specific to private packages.

All communication to the hex.pm API and repository happens over HTTPS. When a user authenticates a new machine with mix hex.user auth we generate three keys:

  • A repository key used to authenticate against the repository when fetching private packages
  • An API key for performing read-only actions on the API
  • An API key encrypted with your passphrase for performing write actions on the API (for example publishing a new package)

All keys use HMAC, which means we never store your user secret.

Packages are stored on a private Amazon S3 bucket and we use Fastly as CDN to access the bucket. Based on the URL of the request to the repository we determine if the package requires authenticated access. If it does, the CDN edge node makes a “preflight request” to the hex.pm API to verify the repository key against our database. Only if it succeeds do we continue with the request to the S3 bucket.

Our API servers run on Google Cloud servers and our database uses Google Cloud SQL with at rest encryption.

As I said this is a broad question so if you can elaborate on your security needs or if you have more specific questions you will probably get better answers. If you have any questions you cannot share in public please contact us on support@hex.pm.

All the code around organizations and private packages is open source so if you want to review the security the best thing may be to look at the sources themselves: GitHub - hexpm/hexpm: API server and website for Hex · GitHub.
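An added sketch of the flow described in the post above (not part of the post and not hexpm's code): keys are kept only as HMAC digests, and an edge check runs a preflight lookup before any bucket fetch. The server-side secret, the `/repos/<organization>/...` path layout, the status codes and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a server-side secret keys the HMAC; the post does not say how it is managed.
SERVER_SECRET = secrets.token_bytes(32)


def key_digest(raw_key: str) -> str:
    """HMAC-SHA256 of a user key; only this digest is ever stored."""
    return hmac.new(SERVER_SECRET, raw_key.encode(), hashlib.sha256).hexdigest()


class KeyDatabase:
    """Stand-in for the API database: maps key digest -> organization."""

    def __init__(self):
        self.rows = {}

    def issue_repository_key(self, organization: str) -> str:
        raw_key = secrets.token_hex(16)  # returned to the client once, never stored
        self.rows[key_digest(raw_key)] = organization
        return raw_key

    def preflight(self, raw_key: str, organization: str) -> bool:
        """Answer to the edge's question: may this key read this organization?"""
        presented = key_digest(raw_key)
        allowed = False
        for stored, org in self.rows.items():
            # compare_digest avoids leaking how many characters matched via timing
            if hmac.compare_digest(stored, presented) and org == organization:
                allowed = True
        return allowed


def edge_handle(db: KeyDatabase, path: str, repository_key: Optional[str]) -> int:
    """Edge decision: the HTTP status chosen before any bucket fetch happens."""
    parts = path.strip("/").split("/")
    # Assumed layout: /repos/<organization>/... is private, everything else public.
    if parts[0] == "repos":
        if len(parts) < 2:
            return 404  # no organization in the path: fail closed
        if not repository_key:
            return 401
        if not db.preflight(repository_key, parts[1]):
            return 403
    return 200  # only now would the request continue to the S3 bucket
```

A leaked copy of `rows` in this sketch contains digests only, so it cannot be replayed as repository keys without also knowing the server secret.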

josevalim

Creator of Elixir

This is unwelcoming and unfair for both the work being put on Hex and to @ryanwinchester, who is completely within his rights to sell software.
