Package vulnerability disclosure for Hex - Elixir Idea #2 - GSoC 2020


Lois Soto López

Mar 15, 2020, 4:58:56 PM
to gsoc-erlef
Hello everyone.

My name is Lois Soto López and I'm a 4th year IT student at Universidade de A Coruña, and I'm looking forward to increasing my domain of the Phoenix web framework.

Some time ago, and knowing of my interest in the Computer Science field, a colleague introduced me to Elixir through some subject (I would never have to take) practices. I really liked this language, so he suggested I try Phoenix, and I found it much more interesting than other web frameworks I had already studied (such as Django).


I'm interested in contributing to the Elixir #2 idea for GSoC 2020 to improve my knowledge and domain of the Phoenix framework, as well as to have the opportunity to work on a well-designed website. Another reason is that, considering what I've learnt in college, I would be able to write a competitive proposal for this project.

Before submitting anything I would appreciate any information about the expected level of detail of the proposal or, if possible, to get in contact with any of the possible mentors to start defining the main lines of the project.

Regards, and thank you for your time,
Lois Soto López.

Eric Meadows-Jönsson

Mar 17, 2020, 7:38:15 AM
to gsoc-erlef
Hi Lois,

Thanks for your interest in this proposal idea.

The proposal as described on the wiki would be the start of the project. A good proposal would also include possible ways to extend the functionality. Examples of this would be how to inform users of confirmed vulnerabilities in packages they use, including how to display it on the website, integrate with package retirement [1], and the `mix hex.audit` task [2]. There is also existing tooling and services in the Elixir/Erlang community that solve similar or related issues, for example MixAudit [3] and Dependabot [4], that use a shared database of reported vulnerabilities [5]. You can draw inspiration from their existing work or think of ways we can integrate with the existing tooling and services to share our efforts.

To get more ideas I would also recommend looking at how other package managers have implemented similar features, for example npm [6][7].
