Announcing Elixir OpenChain ISO/IEC 5230 Certification

We are pleased to share that the Elixir project now complies with OpenChain (ISO/IEC 5230), an international standard for open source license compliance. This step aligns with broader efforts to meet industry standards for supply chain and cybersecurity best practices.

“Today’s announcement around Elixir’s conformance represents another significant example of community maturity,” says Shane Coughlan, OpenChain General Manager.
“With projects - the final upstream - using ISO standards for compliance and security with increasing frequency, we are seeing a shift to longer-term improvements to trust in the supply chain.”

Why OpenChain Compliance Helps

By following OpenChain (ISO/IEC 5230), we demonstrate clear processes around license compliance. This benefits commercial and community users alike, making Elixir easier to adopt and integrate with confidence.

Changes for Elixir Users

Elixir has an automated release process where its artifacts are signed. This change strengthens this process by:

• All future Elixir releases will include a Source SBoM in CycloneDX 1.6 or later and SPDX 2.3 or later formats.
• Each release will be attested along with the Source SBoM.

These additions offer greater transparency into the components and licenses of each
release, supporting more rigorous supply chain requirements.

Changes for Contributors

Contributing to Elixir remains largely the same, we have added more clarity and guidelines around it:

• Contributions remain under the Apache-2.0 License. Other licenses cannot be accepted.
• The project now enforces the Developer Certificate of Origin (DCO),
  ensuring clarity around contribution ownership.

Contributors will notice minimal procedural changes, as standard practices
around licensing remain in place.

For more details, see the CONTRIBUTING guidelines.

Commitment

These updates were made in collaboration with the Erlang Ecosystem Foundation, reflecting a shared commitment to robust compliance and secure development practices. Thank you to everyone who supported this milestone. We appreciate the community’s ongoing contributions and look forward to continuing the growth of Elixir under these established guidelines.

Read in full on the Elixir Blog:

Read on the OpenChain Blog:

Questions

If anyone has any questions about this, please feel free to ask.

If you are trying to build a career in Elixir you should really be grateful for this kind of work. There are big fish out there that this makes a huge difference to. Even if it doesn’t affect you personally, this sort of work makes Elixir that much more viable in all kinds of situations (like enterprise software).

Awesome work @maennchen and everyone involved

Fantastic work @maennchen. What guidance would you give to library writers (like me) that would also like to do their part in securing the software supply chain?

Here’s what I’d focus on as a library maintainer who wants to strengthen their security posture:

• Make sure your accounts are locked down: Enable two-factor authentication (2FA) wherever possible.
• Carefully vet your contributors: Know who’s contributing and have clear guidelines for reviews and approvals.
• Set up a clear security policy: One good reference is the EEF Vulnerability Disclosure Guide. A policy helps everyone know how to handle issues responsibly.
• Check out the OpenSSF tools:
  • OpenSSF Best Practices Badge
  • OpenSSF ScoreCard
    Both give you a framework and metrics for assessing and improving your project’s security.

We’re also working on / preparing a lot more, like becoming a CVE Numbering Authority, implementing build provenance (SLSA), trusted publishing, and improved SBoM generation. I’ll post updates once we have something concrete to share.

If you’re into these topics, I really encourage you to hop on one of our EEF security WG calls. We talk about all these initiatives there and always welcome more input!

what does it mean for common elixir users?

As mentioned in the original announcement, Elixir users now have Source SBoM and better attestations available.

This additional transparency will mostly be important to corporate users, which operate in environments that require additional compliance.

Thank you @maennchen for this work, it significantly contributes to the ecosystem and makes it even more likely for businesses and organizations to choose Elixir for critical projects!

This topic was also part of the discussion in the Thinking Elixir Podcast. Check it out if you want to learn more:

We’ve just published the Ægis Supply Chain Security & Compliance Initiative:

This covers a lot of what we’re trying to accomplish