Fl4m3Ph03n1x
What is the average profile of an Elixir's developer?
Background
On a recent discussion with my team, someone brought up the fact we should probably not rely too much on Hex.pm because some of the packages there might be created by people who know very little about programming and that this is a viable attack vector. This person was making a clear comparison of Hex.pm to NPM.
As we know, basically every week we get notifications from Github’s bot telling us some security issue was found in some JS library some project uses.
NPM has, over the time, become quite infamous regarding the quality of its content:
My counter-argument to this was that, in general, Elixir developers have more experience than JS developers. As an example I mentioned the team behind Phoenix and Ecto, where many of people working there have previous working experience in Ruby. Similarly, a considerable portion of the Elixir community came from Ruby.
However, even though I believe this to be the common profile for someone doing Elixir these days (after several talks I had with members of the community) I lack real data to make a point.
I also understand that I cannot generalize the opinions of a select few individuals from this forum and apply them to the whole of the community.
So basically my argument is quite poor. I argue that:
Elixir developers are usually people with more experience than JS people, and most of Elixir developers come from other languages, like Ruby. For this reason we should not worry that a toddler writing a package for NPM is going to do the same for Hex, because the developer’s profile for Elixir is quite different, and by default more experienced.
My idea of Elixir’s developer profile needs a citation.
Research
While I was able to find an SO survey where Elixir developers are overall better payed than other developers:
I could not find a direct link that says: “Better salary means you also have more professional experience”.
For this reason I cannot support my claim either.
Question
- Are there any studies or articles that have a view on what is the average developer profile of an Elixir developer (regarding years of experience) ?
- Do you think it is fair to compare NPM with Hex, alongside with its issues? (do they suffer from the same ?)
Most Liked
ericmj
Deciding generally if you should use packages from a certain ecosystem based on the perceived quality of the average developer in that ecosystem seems strange. Not using Hex packages and rewriting them from the scratch seems like a huge amount of wasted effort and will likely lead to less reliable software. How long do you think it would take to get a feature parity with packages such as Phoenix or Ecto, not to mention fix all the bugs that have already been discovered by their thousands of users?
You need to make your decision on a package by package basis to determine if you can trust it. We have some tools to help you with that such as https://diff.hex.pm and https://preview.hex.pm
LostKobrakai
I would likely sidestep the immediate questions and wonder if it actually makes sense to have answers for them. There’s imo different ways to look at the problem you seem to face.
Are third party dependencies possible attack vectors?
Yes – no matter how one turns the coin.
Having acknowledged that there’s two options:
- Not using third party code and writing everything on your own.
Works, but isn’t necessarily effective. (Also there’s no guarantee you’ll do better) - Using third party code, accepting the risk, but doing the best to mitigate it.
For option 2 what can be done lessen the possibility to accidentally pull in code, which poses a security risk to whatever the code was pulled into?
You seem to want to argue about the people building hex packages. I don’t think one can make a good argument over the whole of all developers with packages on hex. Also everyone of us makes errors and mistakes – even the most senior/experienced of developers. So imo your argument will always be kinda moot.
There are other means of reducing risk though, which is review. Whenever a library is added it goes through a review process (in however fancy form that may be, could even include how much “professional experience” you expect out of the author) and is only used once reviewed. Whenever the library is updated you can use e.g. diff.hex.pm to make sure nothing changed in a way violating previous review checks. Some companies even run their own internal registries, which holds only reviewed packages. One actual benefit of the elixir ecosystem over the node one is that it’s likely much easier to go the review route, as you’re not running with 1000s of dependencies. I’d expect that number to be more in the 100-200 range for most projects.
Github also recently added elixir/erlang into it’s security advisory database. That can be another source of being made aware of issues.
al2o3cr
Wait until they find out about programming languages. And operating systems. And embedded firmware.
If there’s code running or hardware hardware-ing that YOU didn’t design, there’s some level of supply-chain risk. The question is deciding what level is acceptable for your organization, and then verifying that things meet your requirements.
“Well I’ve heard this community’s developers are smarter / better / faster / longer than $OTHER_COMMUNITY” isn’t a part of that process.
Popular in Discussions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance










