惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
C
Cisco Blogs
Cloudbric
Cloudbric
The Last Watchdog
The Last Watchdog
L
LINUX DO - 热门话题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
V2EX - 技术
V2EX - 技术
H
Heimdal Security Blog
S
Security Affairs
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Simon Willison's Weblog
Simon Willison's Weblog
WordPress大学
WordPress大学
小众软件
小众软件
Security Latest
Security Latest
AWS News Blog
AWS News Blog
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
Engineering at Meta
Engineering at Meta
阮一峰的网络日志
阮一峰的网络日志
罗磊的独立博客
F
Full Disclosure
S
Schneier on Security
L
LangChain Blog
MyScale Blog
MyScale Blog
Know Your Adversary
Know Your Adversary
P
Privacy International News Feed
Google Online Security Blog
Google Online Security Blog
Scott Helme
Scott Helme
Stack Overflow Blog
Stack Overflow Blog
爱范儿
爱范儿
A
Arctic Wolf
Martin Fowler
Martin Fowler
B
Blog RSS Feed
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
The Register - Security
The Register - Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
Latest news
Latest news
F
Fortinet All Blogs
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hacker News: Ask HN
Hacker News: Ask HN

Yiming Chen

How "let it fail" leads to simpler code - Yiming Chen 我的 2021 - Yiming Chen How to Speak by Patrick Winston - Yiming Chen Stop using Behaviour to define interfaces, use Protocol! - Yiming Chen What I learned from implementing Combinators in 3 Elixir patterns - Yiming Chen Clippings of 2020 June & July - Yiming Chen CSSKatas: A Better Way to Sharpen Your CSS Skills - Yiming Chen Clippings of 2020 May - Yiming Chen Book Review: The Goal - A Process of Ongoing Improvement - Yiming Chen
Making Audit Logs on Hex.pm Public - Yiming Chen
Yiming Chen · 2020-06-29 · via Yiming Chen

Third-party libraries are one of the most important building blocks for modern software development. We can hardly build anything useful without depending on other's work. But this dependency introduces a significant security risk: malicious code can be injected to these third party libraries and get pulled into our application.

One way to inject malicious code is through the package manager. We've seen many such accidents in various package managers in the past years:

This security threat is out there targeting every language and every ecosystem.

And this is why Hex team has been working on securing the Elixir/Erlang package manager for so long.

  1. Hex.pm displays the package tarball checksum since 2017 Aug.
  2. A new outer checksum mechanism was introduced in 2019 July.
  3. Hex package differ was introduced in 2020 Jan.

All these features are aimed to help Elixir/Erlang developers to audit a package.1 Most importantly, Hexpm has been recording user actions as audit logs since 2016 Jan. These audit logs include info about what actions are performed on packages, when these actions are performed, and who performed these actions. So with these audit logs in place, we can know what actions are performed after an user account was compromised (if they published any new packages, added new owners to packages, etc.).

Now you can check these audit logs on Hexpm:

  1. Check who owns a package and who published a release.

    In a package's show page, Hexpm displays its owner and publishers for its releases.

    owners.png

  2. Check all actions performed around a package.

    Hexpm displays all recent activities for a package:

    package_recent_activities.png

    And you can see all activities related to this package in a dedicated page:

    package_all_activities.png

  3. Check all actions taken by your own user account.

    You can go to your account dashboard and check all your recent activities:

    user_activities.png

  4. Check all these audit logs via Hexpm API. If you have access to Hexpm API endpoints, you can fetch audit logs from the following endpoints:
    • GET /api/users/me/audit_logs
    • GET /api/orgs/:organization/audit_logs
    • GET /api/packages/:name/audit_logs
    • GET /api/repos/:repository/packages/:name/audit_logs

By making audit information public, everyone can review the full history of a package on Hexpm. Hopefully by doing so, we can bring more transparency to Hexpm and make our ecosystem more secure together.