maennchen

maennchen

Announcing Elixir OpenChain ISO/IEC 5230 Certification

We are pleased to share that the Elixir project now complies with OpenChain (ISO/IEC 5230), an international standard for open source license compliance. This step aligns with broader efforts to meet industry standards for supply chain and cybersecurity best practices.

“Today’s announcement around Elixir’s conformance represents another significant example of community maturity,” says Shane Coughlan, OpenChain General Manager.
“With projects - the final upstream - using ISO standards for compliance and security with increasing frequency, we are seeing a shift to longer-term improvements to trust in the supply chain.”

Why OpenChain Compliance Helps

By following OpenChain (ISO/IEC 5230), we demonstrate clear processes around license compliance. This benefits commercial and community users alike, making Elixir easier to adopt and integrate with confidence.

Changes for Elixir Users

Elixir has an automated release process where its artifacts are signed. This change strengthens this process by:

These additions offer greater transparency into the components and licenses of each
release, supporting more rigorous supply chain requirements.

Changes for Contributors

Contributing to Elixir remains largely the same, we have added more clarity and guidelines around it:

  • Contributions remain under the Apache-2.0 License. Other licenses cannot be accepted.
  • The project now enforces the Developer Certificate of Origin (DCO),
    ensuring clarity around contribution ownership.

Contributors will notice minimal procedural changes, as standard practices
around licensing remain in place.

For more details, see the CONTRIBUTING guidelines.

Commitment

These updates were made in collaboration with the Erlang Ecosystem Foundation, reflecting a shared commitment to robust compliance and secure development practices. Thank you to everyone who supported this milestone. We appreciate the community’s ongoing contributions and look forward to continuing the growth of Elixir under these established guidelines.

Read in full on the Elixir Blog:

Read on the OpenChain Blog:

Questions

If anyone has any questions about this, please feel free to ask.

Most Liked

zachdaniel

zachdaniel

Creator of Ash

If you are trying to build a career in Elixir you should really be grateful for this kind of work. There are big fish out there that this makes a huge difference to. Even if it doesn’t affect you personally, this sort of work makes Elixir that much more viable in all kinds of situations (like enterprise software).

Awesome work @maennchen and everyone involved :bowing_man:

46
Post #3
maennchen

maennchen

Here’s what I’d focus on as a library maintainer who wants to strengthen their security posture:

  • Make sure your accounts are locked down: Enable two-factor authentication (2FA) wherever possible.
  • Carefully vet your contributors: Know who’s contributing and have clear guidelines for reviews and approvals.
  • Set up a clear security policy: One good reference is the EEF Vulnerability Disclosure Guide. A policy helps everyone know how to handle issues responsibly.
  • Check out the OpenSSF tools:

We’re also working on / preparing a lot more, like becoming a CVE Numbering Authority, implementing build provenance (SLSA), trusted publishing, and improved SBoM generation. I’ll post updates once we have something concrete to share.

If you’re into these topics, I really encourage you to hop on one of our EEF security WG calls. We talk about all these initiatives there and always welcome more input!

16
Post #7
realcorvus

realcorvus

Thank you @maennchen for this work, it significantly contributes to the ecosystem and makes it even more likely for businesses and organizations to choose Elixir for critical projects!

kip

kip

ex_cldr Core Team

Fantastic work @maennchen. What guidance would you give to library writers (like me) that would also like to do their part in securing the software supply chain?

maennchen

maennchen

As mentioned in the original announcement, Elixir users now have Source SBoM and better attestations available.

This additional transparency will mostly be important to corporate users, which operate in environments that require additional compliance.

Where Next?

Popular in Blog Top

bartblast
Awesome! I am glad to welcome Elixir’s official Language Server team, formed by (in alphabetical order): Jonatan Kłosko Łukasz Samson...
New
maennchen
We are pleased to share that the Elixir project now complies with OpenChain (ISO/IEC 5230), an international standard for open source lic...
New

Other popular topics Top

yurko
Here are few pieces of (common) Linux knowledge that we use for reasonably small one server apps. We use Ubuntu but this should work for ...
New
polypush135
As many of you may have realized by now (sorry for all the posts here) I’ve been working on a db problem where I’m trying to aggregate a ...
New
script
If I have a string “1000 cfu/ml” . I want to remove the characters and / and space . So the string is like this "1000" What is the ...
New
aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
minhajuddin
I have seen a lot of code which picks the first element from a list using Enum.at(0) instead of List.first. Is there a reason why people ...
New
qwerescape
Is there a way to get the call stack or stack trace at any point in the code? Not from exceptions, but an expression that returns how the...
New
msaraiva
Surface is an experimental library built on top of Phoenix LiveView and its new LiveComponent API that aims to provide a more declarative...
564 42633 214
New
beno
I will often find my self writing things similar to: case some_value do nil -> something() "" -> something() _ -> someth...
New
siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
magnetic
Hey :wave:t3: Elixir community, I’ve been learning Elixir, and working on some side projects. My editor of choice is VSCode, and althoug...
New

We're in Beta

About us Mission Statement