In a recent discussion with my team, someone brought up the fact that we should probably not rely too much on Hex.pm because some of the packages there might be created by people who know very little about programming, and that this is a viable attack vector. This person was making a clear comparison of Hex.pm to NPM.
As we know, basically every week we get notifications from GitHub’s bot telling us some security issue was found in some JS library a project uses.
NPM has, over time, become quite infamous regarding the quality of its content:
My counter-argument to this was that, in general, Elixir developers have more experience than JS developers. As an example I mentioned the teams behind Phoenix and Ecto, where many of the people working there have previous working experience in Ruby. Similarly, a considerable portion of the Elixir community came from Ruby.
However, even though I believe this to be the common profile for someone doing Elixir these days (after several talks I had with members of the community), I lack real data to make the point.
I also understand that I cannot generalize the opinions of a select few individuals from this forum and apply them to the whole of the community.
So basically my argument is quite poor. I argue that:
Elixir developers are usually people with more experience than JS developers, and most Elixir developers come from other languages, like Ruby. For this reason we should not worry that a toddler writing a package for NPM is going to do the same for Hex, because the developer profile for Elixir is quite different, and by default more experienced.
My idea of Elixir’s developer profile needs a citation.
While I was able to find an SO survey where Elixir developers are overall better paid than other developers:
I could not find a direct link that says: “Better salary means you also have more professional experience”.
For this reason I cannot support my claim either.
- Are there any studies or articles that have a view on what the average profile of an Elixir developer is (regarding years of experience)?
- Do you think it is fair to compare NPM with Hex, along with its issues? (Do they suffer from the same ones?)