ericmj
Hex.pm is adding private packages and organizations
We are announcing the addition of private packages on Hex.pm. With private packages you can publish packages to Hex.pm that only your organization members can access and download. With your organization you get a repository namespace on Hex.pm so that your private packages will not conflict with packages in the global, public repository. Go check out the documentation https://hex.pm/docs/private to learn exactly how it works and go the sign up form https://hex.pm/dashboard/signup to request access to the beta.
Link to full announcement: https://hex.pm/blog/private-packages-and-organizations
Most Liked
ericmj
Thanks, it has been fixed now.
Yes, that’s what we are working on right now. Hexdocs requires more work since it needs to change from static file hosting to a server with authentication and needs subdomain isolation between organizations so that cookies cannot be stolen or XSS attacks performed.
ericmj
Hi @zazaian!
This is a very broad question so I will give a general description of some of our infrastructure, how we authenticate access, and store private information. Some if this applies in general to all of hex.pm and some of it is specific to private packages.
All communication to the hex.pm API and repository happens over HTTPS. When a user authenticates a new machine with mix hex.user auth we generate three keys:
- A repository key used to authenticate against the repository when fetching private packages
- An API key for performing read-only actions on the API
- An API key encrypted with your passphrase for performing write actions on the API (for example publishing a new package)
All keys use HMAC, which means we never store your user secret.
Packages are stored on a private Amazon S3 bucket and we use Fastly as CDN to access the bucket. Based on the URL of the request to the repository we determine if the package requires authenticated access, if it does the CDN edge node makes a “preflight request” to the hex.pm API to verify the repository key against our database. Only if it succeeds do we continue with the request to the S3 bucket.
Our API servers run on Google Cloud servers and our database uses Google Cloud SQL with at rest encryption.
As I said this is a broad question so if you can elaborate on your security needs or if you have more specific questions you will probably get better answers. If you have any questions you cannot share in public please contact us on support@hex.pm.
All the code around organizations and private packages is open source so if you want to review the security the best thing may be to look at the sources themselves: https://github.com/hexpm/hexpm.
josevalim
This is unwelcoming and unfair for both the work being put on Hex and to @ryanwinchester which is completely within his rights to sell software.
ericmj
The pricing is not decided yet but it will be free to use while we are in beta which is expected to run for a few months. The price will be based on the costs of running the new infrastructure required to support private packages and the interest in the service during the beta. We will have a pricing model similar to NPM and GitHub where there is monthly fee based on the number of members in your organization.
Open source projects and organizations can use the service for free, but keep in mind that packages will only be visible to members of the organization.
hubertlepicki
Do you know what will be the pricing, if any?







