| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Announcing Elixir OpenChain Certification" |
| 4 | +authors: |
| 5 | + - Jonatan Männchen |
| 6 | + - José Valim |
| 7 | +category: Announcements |
| 8 | +excerpt: "The Elixir project now meets OpenChain (ISO/IEC 5230). Each release ships with Source SBoMs in CycloneDX 1.6 and SPDX 2.3, plus attestation." |
| 9 | +tags: openchain compliance |
| 10 | +--- |
| 11 | + |
| 12 | +We are pleased to share that the Elixir project now complies with |
| 13 | +[OpenChain][openchain] ([ISO/IEC 5230][iso_5230]), an international |
| 14 | +standard for open source license compliance. This step aligns with broader |
| 15 | +efforts to meet industry standards for supply chain and cybersecurity best |
| 16 | +practices. |
| 17 | + |
| 18 | +“Today’s announcement around Elixir’s conformance represents another significant |
| 19 | +example of community maturity,” says Shane Coughlan, OpenChain General Manager. |
| 20 | +“With projects - the final upstream - using ISO standards for compliance and |
| 21 | +security with increasing frequency, we are seeing a shift to longer-term |
| 22 | +improvements to trust in the supply chain.” |
| 23 | + |
| 24 | +## Why OpenChain Compliance Helps |
| 25 | + |
| 26 | +By following OpenChain (ISO/IEC 5230), we demonstrate clear processes around |
| 27 | +license compliance. This benefits commercial and community users alike, making |
| 28 | +Elixir easier to adopt and integrate with confidence. |
| 29 | + |
| 30 | +## Changes for Elixir Users |
| 31 | + |
| 32 | +Elixir has an automated release process where its artifacts are signed. This |
| 33 | +change strengthens this process by: |
| 34 | + |
| 35 | +- All future Elixir releases will include a Source SBoM in |
| 36 | + [CycloneDX 1.6 or later][cyclonedx] and [SPDX 2.3 or later][spdx] formats. |
| 37 | +- Each release will be attested along with the Source SBoM. |
| 38 | + |
| 39 | +These additions offer greater transparency into the components and licenses of |
| 40 | +each release, supporting more rigorous supply chain requirements. |
| 41 | + |
| 42 | +## Changes for Contributors |
| 43 | + |
| 44 | +Contributing to Elixir remains largely the same, we have added more clarity and |
| 45 | +guidelines around it: |
| 46 | + |
| 47 | +- Contributions remain under the Apache-2.0 License. Other licenses cannot be |
| 48 | + accepted. |
| 49 | +- The project now enforces the [Developer Certificate of Origin (DCO)][dco], |
| 50 | + ensuring clarity around contribution ownership. |
| 51 | + |
| 52 | +Contributors will notice minimal procedural changes, as standard practices |
| 53 | +around licensing remain in place. |
| 54 | + |
| 55 | +For more details, see the [CONTRIBUTING guidelines][contributing]. |
| 56 | + |
| 57 | +## Commitment |
| 58 | + |
| 59 | +These updates were made in collaboration with the |
| 60 | +[Erlang Ecosystem Foundation][erlef], reflecting a shared |
| 61 | +commitment to robust compliance and secure development practices. Thank you to |
| 62 | +everyone who supported this milestone. We appreciate the community’s ongoing |
| 63 | +contributions and look forward to continuing the growth of Elixir under these |
| 64 | +established guidelines. |
| 65 | + |
| 66 | +[openchain]: https://openchainproject.org/ |
| 67 | +[erlef]: https://erlef.org/ |
| 68 | +[spdx]: https://spdx.org/rdf/terms/ |
| 69 | +[cyclonedx]: https://cyclonedx.org/specification/overview/ |
| 70 | +[iso_5230]: https://www.iso.org/standard/81039.html |
| 71 | +[dco]: https://developercertificate.org/ |
| 72 | +[contributing]: https://github.com/elixir-lang/elixir/blob/main/CONTRIBUTING.md |
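Review bot: the "Changes for Elixir Users" bullets state that each release will ship a Source SBoM and "will be attested along with the Source SBoM", but nothing in the post says where those artifacts are published or how a downstream user verifies the attestation against the release they downloaded; since the point of the section is supply-chain assurance, add a sentence (or a link to the release documentation) covering where the SBoM and attestation live and the verification step, otherwise the announcement cannot be acted on. Two smaller points in the same hunk: the list introduced by "This change strengthens this process by:" is followed by full sentences ("All future Elixir releases will include ..."), so either drop "by:" or rephrase the bullets as gerunds ("including a Source SBoM ...", "attesting each release ..."); and "Contributing to Elixir remains largely the same, we have added more clarity" is a comma splice, better as "remains largely the same, but we have added more clarity".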