maennchen

maennchen

Announcing Elixir OpenChain ISO/IEC 5230 Certification

We are pleased to share that the Elixir project now complies with OpenChain (ISO/IEC 5230), an international standard for open source license compliance. This step aligns with broader efforts to meet industry standards for supply chain and cybersecurity best practices.

“Today’s announcement around Elixir’s conformance represents another significant example of community maturity,” says Shane Coughlan, OpenChain General Manager.
“With projects - the final upstream - using ISO standards for compliance and security with increasing frequency, we are seeing a shift to longer-term improvements to trust in the supply chain.”

Why OpenChain Compliance Helps

By following OpenChain (ISO/IEC 5230), we demonstrate clear processes around license compliance. This benefits commercial and community users alike, making Elixir easier to adopt and integrate with confidence.

Changes for Elixir Users

Elixir has an automated release process where its artifacts are signed. This change strengthens this process by:

These additions offer greater transparency into the components and licenses of each
release, supporting more rigorous supply chain requirements.

Changes for Contributors

Contributing to Elixir remains largely the same, we have added more clarity and guidelines around it:

  • Contributions remain under the Apache-2.0 License. Other licenses cannot be accepted.
  • The project now enforces the Developer Certificate of Origin (DCO),
    ensuring clarity around contribution ownership.

Contributors will notice minimal procedural changes, as standard practices
around licensing remain in place.

For more details, see the CONTRIBUTING guidelines.

Commitment

These updates were made in collaboration with the Erlang Ecosystem Foundation, reflecting a shared commitment to robust compliance and secure development practices. Thank you to everyone who supported this milestone. We appreciate the community’s ongoing contributions and look forward to continuing the growth of Elixir under these established guidelines.

Read in full on the Elixir Blog:

Read on the OpenChain Blog:

Questions

If anyone has any questions about this, please feel free to ask.

Most Liked

zachdaniel

zachdaniel

Creator of Ash

If you are trying to build a career in Elixir you should really be grateful for this kind of work. There are big fish out there that this makes a huge difference to. Even if it doesn’t affect you personally, this sort of work makes Elixir that much more viable in all kinds of situations (like enterprise software).

Awesome work @maennchen and everyone involved :bowing_man:

46
Post #3
maennchen

maennchen

Here’s what I’d focus on as a library maintainer who wants to strengthen their security posture:

  • Make sure your accounts are locked down: Enable two-factor authentication (2FA) wherever possible.
  • Carefully vet your contributors: Know who’s contributing and have clear guidelines for reviews and approvals.
  • Set up a clear security policy: One good reference is the EEF Vulnerability Disclosure Guide. A policy helps everyone know how to handle issues responsibly.
  • Check out the OpenSSF tools:

We’re also working on / preparing a lot more, like becoming a CVE Numbering Authority, implementing build provenance (SLSA), trusted publishing, and improved SBoM generation. I’ll post updates once we have something concrete to share.

If you’re into these topics, I really encourage you to hop on one of our EEF security WG calls. We talk about all these initiatives there and always welcome more input!

16
Post #7
realcorvus

realcorvus

Thank you @maennchen for this work, it significantly contributes to the ecosystem and makes it even more likely for businesses and organizations to choose Elixir for critical projects!

Where Next?

Popular in Blog Top

bartblast
Awesome! I am glad to welcome Elixir’s official Language Server team, formed by (in alphabetical order): Jonatan Kłosko Łukasz Samson...
New
maennchen
We are pleased to share that the Elixir project now complies with OpenChain (ISO/IEC 5230), an international standard for open source lic...
New

Other popular topics Top

malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
New
sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
985 42920 311
New
siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52341 488
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New

We're in Beta

About us Mission Statement