Fl4m3Ph03n1x

Fl4m3Ph03n1x

What is the average profile of an Elixir's developer?

Background

On a recent discussion with my team, someone brought up the fact we should probably not rely too much on Hex.pm because some of the packages there might be created by people who know very little about programming and that this is a viable attack vector. This person was making a clear comparison of Hex.pm to NPM.

As we know, basically every week we get notifications from Github’s bot telling us some security issue was found in some JS library some project uses.

NPM has, over the time, become quite infamous regarding the quality of its content:

My counter-argument to this was that, in general, Elixir developers have more experience than JS developers. As an example I mentioned the team behind Phoenix and Ecto, where many of people working there have previous working experience in Ruby. Similarly, a considerable portion of the Elixir community came from Ruby.

However, even though I believe this to be the common profile for someone doing Elixir these days (after several talks I had with members of the community) I lack real data to make a point.

I also understand that I cannot generalize the opinions of a select few individuals from this forum and apply them to the whole of the community.

So basically my argument is quite poor. I argue that:

Elixir developers are usually people with more experience than JS people, and most of Elixir developers come from other languages, like Ruby. For this reason we should not worry that a toddler writing a package for NPM is going to do the same for Hex, because the developer’s profile for Elixir is quite different, and by default more experienced.

My idea of Elixir’s developer profile needs a citation.

Research

While I was able to find an SO survey where Elixir developers are overall better payed than other developers:

I could not find a direct link that says: “Better salary means you also have more professional experience”.
For this reason I cannot support my claim either.

Question

  • Are there any studies or articles that have a view on what is the average developer profile of an Elixir developer (regarding years of experience) ?
  • Do you think it is fair to compare NPM with Hex, alongside with its issues? (do they suffer from the same ?)

Most Liked

ericmj

ericmj

Elixir Core Team

Deciding generally if you should use packages from a certain ecosystem based on the perceived quality of the average developer in that ecosystem seems strange. Not using Hex packages and rewriting them from the scratch seems like a huge amount of wasted effort and will likely lead to less reliable software. How long do you think it would take to get a feature parity with packages such as Phoenix or Ecto, not to mention fix all the bugs that have already been discovered by their thousands of users?

You need to make your decision on a package by package basis to determine if you can trust it. We have some tools to help you with that such as https://diff.hex.pm and https://preview.hex.pm

12
Post #5
LostKobrakai

LostKobrakai

I would likely sidestep the immediate questions and wonder if it actually makes sense to have answers for them. There’s imo different ways to look at the problem you seem to face.

Are third party dependencies possible attack vectors?
Yes – no matter how one turns the coin.

Having acknowledged that there’s two options:

  1. Not using third party code and writing everything on your own.
    Works, but isn’t necessarily effective. (Also there’s no guarantee you’ll do better)
  2. Using third party code, accepting the risk, but doing the best to mitigate it.

For option 2 what can be done lessen the possibility to accidentally pull in code, which poses a security risk to whatever the code was pulled into?

You seem to want to argue about the people building hex packages. I don’t think one can make a good argument over the whole of all developers with packages on hex. Also everyone of us makes errors and mistakes – even the most senior/experienced of developers. So imo your argument will always be kinda moot.

There are other means of reducing risk though, which is review. Whenever a library is added it goes through a review process (in however fancy form that may be, could even include how much “professional experience” you expect out of the author) and is only used once reviewed. Whenever the library is updated you can use e.g. diff.hex.pm to make sure nothing changed in a way violating previous review checks. Some companies even run their own internal registries, which holds only reviewed packages. One actual benefit of the elixir ecosystem over the node one is that it’s likely much easier to go the review route, as you’re not running with 1000s of dependencies. I’d expect that number to be more in the 100-200 range for most projects.

Github also recently added elixir/erlang into it’s security advisory database. That can be another source of being made aware of issues.

al2o3cr

al2o3cr

Wait until they find out about programming languages. And operating systems. And embedded firmware.

If there’s code running or hardware hardware-ing that YOU didn’t design, there’s some level of supply-chain risk. The question is deciding what level is acceptable for your organization, and then verifying that things meet your requirements.

“Well I’ve heard this community’s developers are smarter / better / faster / longer than $OTHER_COMMUNITY” isn’t a part of that process.

Where Next?

Popular in Discussions Top

jswny
I would like to better understand what the advantages/disadvantages of umbrella applications are compared to structuring your app as as s...
New
pillaiindu
In django there is a cache framework backed by memcached. Rails also puts a lot of emphasis on caching, and even the idea of russian-doll...
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
AstonJ
I’ve just started the Phoenix part of the utterly brilliant online course by @pragdave. On generating the Phoenix app he uses the --no-ec...
New
jer
I’ve been using umbrellas for a while, and generally started off (on greenfield projects at least) by isolating subapps based on clearly ...
New
rms.mrcs
A couple of days ago I was discussing with a friend about different approaches to write microservices. He said that if he was going to w...
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New
AstonJ
Can you believe the first professionally published Elixir book was published just 8 years ago? Since then I think we’ve seen more books f...
New
sergio
Kind of like when jquery came out, it was super necessary. Existing drag and drop libraries have a bunch of baggage to support old browse...
New
AstonJ
It’s been a while since we’ve had a thread like this, so what better way to kick off the year with :003: What does being an Elixir user ...
New

Other popular topics Top

aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement