ericmj
Hex.pm is adding private packages and organizations
We are announcing the addition of private packages on Hex.pm. With private packages you can publish packages to Hex.pm that only your organization members can access and download. With your organization you get a repository namespace on Hex.pm so that your private packages will not conflict with packages in the global, public repository. Go check out the documentation (Private packages | Hex) to learn exactly how it works, and go to the sign-up form https://hex.pm/dashboard/signup to request access to the beta.
Link to full announcement: Private packages and organizations | Hex
Most Liked
ericmj
Thanks, it has been fixed now.
Yes, that’s what we are working on right now. Hexdocs requires more work since it needs to change from static file hosting to a server with authentication and needs subdomain isolation between organizations so that cookies cannot be stolen or XSS attacks performed.
ericmj
Hi @zazaian!
This is a very broad question so I will give a general description of some of our infrastructure, how we authenticate access, and how we store private information. Some of this applies in general to all of hex.pm and some of it is specific to private packages.
All communication to the hex.pm API and repository happens over HTTPS. When a user authenticates a new machine with mix hex.user auth we generate three keys:
- A repository key used to authenticate against the repository when fetching private packages
- An API key for performing read-only actions on the API
- An API key encrypted with your passphrase for performing write actions on the API (for example publishing a new package)
All keys use HMAC, which means we never store your user secret.
Packages are stored on a private Amazon S3 bucket and we use Fastly as CDN to access the bucket. Based on the URL of the request to the repository, we determine if the package requires authenticated access; if it does, the CDN edge node makes a “preflight request” to the hex.pm API to verify the repository key against our database. Only if it succeeds do we continue with the request to the S3 bucket.
Our API servers run on Google Cloud servers and our database uses Google Cloud SQL with at rest encryption.
As I said this is a broad question so if you can elaborate on your security needs or if you have more specific questions you will probably get better answers. If you have any questions you cannot share in public please contact us on support@hex.pm.
All the code around organizations and private packages is open source so if you want to review the security the best thing may be to look at the sources themselves: hexpm/hexpm (API server and website for Hex) on GitHub.
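To make the two mechanisms in the post above concrete (keys stored only as an HMAC, and a CDN preflight that checks a repository key before the bucket is touched), here is an added Python example. It is not hexpm's own code: the server-side secret, the `/repos/<org>/...` URL layout, the per-organization permission model and the in-memory key table are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Hypothetical server-side secret (assumed; not hexpm's real configuration).
# It lives in application config, never in the database, so a dump of the
# keys table alone cannot be turned back into working repository keys.
SERVER_SECRET = b"example-server-secret-do-not-use"

# Constructed stand-in for the keys table: HMAC(user secret) -> key record.
# Indexing by the HMAC mirrors how a database would index the column.
KEY_TABLE: Dict[str, dict] = {}


def key_digest(user_secret: str) -> str:
    """HMAC-SHA256 of the user's secret under the server secret."""
    return hmac.new(SERVER_SECRET, user_secret.encode(), hashlib.sha256).hexdigest()


def issue_key(name: str, orgs: Set[str]) -> str:
    """Create a repository key that may read the given organizations' repos.

    The random user secret is handed out exactly once (the client keeps it,
    as `mix hex.user auth` would); only its HMAC is stored server-side.
    """
    user_secret = secrets.token_hex(16)
    KEY_TABLE[key_digest(user_secret)] = {"name": name, "orgs": set(orgs)}
    return user_secret


def lookup_key(user_secret: str) -> Optional[dict]:
    """Resolve a presented secret to its stored record, or None if unknown."""
    return KEY_TABLE.get(key_digest(user_secret))


def path_requires_auth(path: str) -> bool:
    """Assumed URL layout: /repos/<org>/... is private, everything else public."""
    return path.startswith("/repos/")


def org_from_path(path: str) -> Optional[str]:
    """Extract the organization namespace from a private repo path."""
    parts = path.split("/")
    return parts[2] if len(parts) > 2 and parts[2] else None


def preflight(path: str, presented_secret: Optional[str]) -> str:
    """Decision the edge node would receive before forwarding to the bucket.

    Returns "allow" or "deny"; every failure mode (missing key, unknown key,
    key for a different organization) collapses to a plain deny so the
    response does not leak which check failed.
    """
    if not path_requires_auth(path):
        return "allow"
    org = org_from_path(path)
    if org is None or presented_secret is None:
        return "deny"
    record = lookup_key(presented_secret)
    if record is None or org not in record["orgs"]:
        return "deny"
    return "allow"


if __name__ == "__main__":
    laptop_key = issue_key("laptop", {"acme"})
    print(preflight("/tarballs/plug-1.0.0.tar", None))                 # public: allow
    print(preflight("/repos/acme/tarballs/internal-0.1.0.tar", laptop_key))  # allow
    print(preflight("/repos/other/tarballs/x-0.1.0.tar", laptop_key))  # wrong org: deny
    # What an attacker gets from a database dump is the HMAC, and presenting
    # the HMAC itself as a key does not authenticate.
    leaked = next(iter(KEY_TABLE))
    print(preflight("/repos/acme/tarballs/internal-0.1.0.tar", leaked))  # deny
```

The last two lines of the `__main__` block are the point of the HMAC design: the stored value is useless as a credential, which is what "we never store your user secret" buys you if the database leaks.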
josevalim
This is unwelcoming and unfair both to the work being put into Hex and to @ryanwinchester, who is completely within his rights to sell software.