Secure SSL defaults for HTTPC for OTP-25+ #153
Conversation
src/hex_http_httpc.erl
Outdated
| %% Add safe defaults if possible. | ||
| _ = code:load_file(public_key), | ||
| HasCacertsGet = erlang:function_exported(public_key, cacerts_get, 0), |
There was a problem hiding this comment.
this (or hex_core in general) is definitely not a hot path but I think I was told going through code server at runtime is best avoided if alternatives exists, WDYT about doing:
case erlang:system_info(otp_release) >= "25" of
true ->
false ->
end;btw, should we add public_key to
Line 5 in 1352f5c
There was a problem hiding this comment.
Since we are going to use ssl, the public_key module WILL be loaded. We are just loading it a little earlier.
You might need to add inets and perhaps ssl as well. Perhaps other applications are also missing. But this only really matters if using hex_core in a release.
There was a problem hiding this comment.
I will change it to a try/catch as that is simpler.
essen
force-pushed
the
secure-ssl-defaults
branch
from
1352f5c to
4b5e340
Compare
|
Thank you! |
|
Thank you! When the next release gets published I can merge my branch making Erlang.mk use hex_core also for fetching packages (instead of just for publishing). |
|
I wanted to do one more thing before next release which is something like this: beam-telemetry/telemetry#134. I'm hoping to do that within a week, otherwise I'd cut new release with what we have which I think is just your patch. Thanks again, if you run any issues feel free to post here or create new issues, I'm on EEF slack and elixir/erlang forum too. |
|
No worries, I remembered that I can just target the current commit, so I did that and will pin to the next release whenever it comes out. |
|
hex_core v0.11.0 is out with this change, thank you again for the PR! |
Fixes #62
Tests have not been ran at the time of PR open but I did run Erlang.mk tests using this code and they passed (although not many dep fetches happen via Hex in the test suite).