245: Supply Chain Security and SBoMs

News includes a new library called phoenix_sync for real-time sync in Postgres-backed Phoenix applications, Peter Solnica released a Text Parser for extracting structured data from text, a useful tip on finding Hex package versions locally with mix hex.info, Wasmex updated to v0.10 with WebAssembly component support, and Chrome introduces a new browser feature similar to LiveView.JS. We also talked with Alistair Woodman and Jonatan Männchen from the EEF about Jonatan's role as CISO, the Security Working Group, and their work on OpenChain compliance for supply-chain security, Software Bill of Materials (SBoMs), and what these initiatives mean for the Elixir community, and more!

Show Notes online - http://podcast.thinkingelixir.com/245

Elixir Community News

• https://gigalixir.com/thinking – Gigalixir is sponsoring the show, offering 20% off standard tier prices for a year with promo code "Thinking".
• https://github.com/electric-sql/phoenix_sync – New library called phoenix_sync providing real-time sync for Postgres-backed Phoenix applications.
• https://hexdocs.pm/phoenix_sync/readme.html – Documentation for phoenix_sync, a solution for building modern, real-time apps with local-first/sync in Elixir.
• https://github.com/josevalim/sync – José Valim's original proof of concept repo that was promptly archived.
• https://electric-sql.com/ – Electric SQL's platform that syncs subsets of Postgres data into local apps and services, allowing data to be available offline and in-sync.
• https://solnic.dev/posts/announcing-textparser-for-elixir/ – Peter Solnica released TextParser, a library for extracting interesting parts of text like hashtags and links.
• https://hexdocs.pm/text_parser/readme.html – Documentation for the Text Parser library that helps parse text into structured data.
• https://www.elixirstreams.com/tips/mix-hex-info – Elixir stream tip on using mix hex.info to find the latest package version for a Hex package locally, without needing to search on hex.pm or GitHub.
• https://github.com/phoenixframework/tailwind/blob/main/README.md#updating-from-tailwind-v3-to-v4 – Guide for upgrading Tailwind to V4 in existing Phoenix applications using Tailwind's automatic upgrade helper.
• https://gleam.run/news/hello-echo-hello-git/ – Gleam 1.9.0 release with searchability on hexdocs, Echo debug printing for improved debugging, and ability to depend on Git-hosted dependencies.
• https://d-gate.io/blog/everything-i-was-lied-to-about-node-came-true-with-elixir – Blog post discussing how promises made about NodeJS actually came true with Elixir.
• https://hexdocs.pm/wasmex/Wasmex.Components.html – Wasmex updated to v0.10 with support for WebAssembly components, enabling applications and components to work together regardless of original programming language.
• https://ashweekly.substack.com/p/ash-weekly-issue-8 – AshWeekly Issue 8 covering AshOps with mix task capabilities for CRUD operations and BeaconCMS being included in the Ash HQ installer script.
• https://developer.chrome.com/blog/command-and-commandfor – Chrome update brings new browser feature with commandfor and command attributes, similar to Phoenix LiveView.JS but native to browsers.
• https://codebeamstockholm.com/ – Code BEAM Lite announced for Stockholm on June 2, 2025 with keynote speaker Björn Gustavsson, the "B" in BEAM.
• https://alchemyconf.com/ – AlchemyConf coming up March 31-April 3 in Braga, Portugal. Use discount code THINKINGELIXIR for 10% off.
• https://www.gigcityelixir.com/ – GigCity Elixir and NervesConf on May 8-10, 2025 in Chattanooga, TN, USA.
• https://www.elixirconf.eu/ – ElixirConf EU on May 15-16, 2025 in Kraków & Virtual.
• https://goatmire.com/#tickets – Goatmire tickets are on sale now for the conference on September 10-12, 2025 in Varberg, Sweden.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at [email protected]

Discussion Resources

• https://elixir-lang.org/blog/2025/02/26/elixir-openchain-certification/
• https://cna.erlef.org/ – EEF CVE Numbering Authority
• https://erlangforums.com/t/security-working-group-minutes/3451/22
• https://podcast.thinkingelixir.com/220 – previous interview with Alistair
• https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act – CRA - Cyber Resilience Act
• https://www.cisa.gov/ – CISA US Government Agency
• https://www.cisa.gov/sbom – Software Bill of Materials
• https://oss-review-toolkit.org/ort/ – Desire to integrate with tooling outside the Elixir ecosystem like OSS Review Toolkit
• https://github.com/voltone/rebar3_sbom
• https://cve.mitre.org/
• https://openssf.org/projects/guac/
• https://erlef.github.io/security-wg/security_vulnerability_disclosure/ – EEF Security WG Vulnerability Disclosure Guide

Guest Information

• https://x.com/maennchen_ – Jonatan on Twitter/X
• https://bsky.app/profile/maennchen.dev – Jonatan on Bluesky
• https://github.com/maennchen/ – Jonatan on Github
• https://maennchen.dev – Jonatan's Blog
• https://www.linkedin.com/in/alistair-woodman-51934433 – Alistair Woodman on LinkedIn
• [email protected]
• https://github.com/ahw59/ – Alistair on Github
• http://erlef.org/ – Erlang Ecosystem Foundation Website

Find us online

• Message the show - Bluesky
• Message the show - X
• Message the show on Fediverse - @[email protected]
• Email the show - [email protected]
• Mark Ericksen on X - @brainlid
• Mark Ericksen on Bluesky - @brainlid.bsky.social
• Mark Ericksen on Fediverse - @[email protected]
• David Bernheisel on Bluesky - @david.bernheisel.com
• David Bernheisel on Fediverse - @[email protected]

Sponsored By:

• Gigalixir: Today’s Thinking Elixir show is brought to you by our friends at Gigalixir, the premier deployment platform for Elixir and Phoenix projects. Use the promo code “Thinking” during signup to get 20% off the standard tier prices for an entire year. Or, visit https://gigalixir.com/thinking to sign up and get 20% off your first year. Promo Code: Thinking