Thinking Elixir Podcast - Episodes Tagged with “Security”

299: Don't Paste That Into Your Terminal

ThinkingElixir.com — Tue, 14 Apr 2026 04:15:00 -0600

The Erlang Ecosystem Foundation is seeking community support for a major grant to fund the Ægis security project and the deadline is April 17th to show support, Hex.pm published the results of its first-ever comprehensive third-party security audit revealing three high-severity findings that have since been fixed, José Valim unveils a massive Tidewave update including UI Variants and a new "vision" mode that lets your coding agent take screenshots and record videos of your web app, Hex.pm gains the ability to serve llms.txt files for Elixir and Erlang packages, Remote releases a new Elixir LSP called Dexter written in Go, Lotus gets significant updates as an embeddable BI engine for Phoenix apps, Ghostty terminal emulator bindings land in Elixir bringing GenServer-based terminals to LiveView, and we discuss the alarming ClickFix supply chain attack that compromised Axios and what it means for open source maintainers everywhere, and more!

Show Notes online - http://podcast.thinkingelixir.com/299

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.
https://marketing.erlef.org/news/grant-petition.html – The Erlang Ecosystem Foundation is seeking community backing for a grant that would fund two full years of work on the Ægis security project — improving how packages are published, verified, and trusted across Hex and the broader ecosystem. The deadline to show support is April 17th.
https://hex.pm/blog/security-audit – Hex.pm published the results of its first comprehensive third-party security audit, made possible by Alpha-Omega under the OpenSSF. Two firms — Paraxial.io and zentrust partners GmbH — reviewed the Hex registry, clients, documentation infrastructure, and supporting systems. Three high-severity issues were found and have all been fixed.
https://paraxial.io/blog/hex-pentest – Michael Lubas of Paraxial.io shares details of the white-box penetration testing performed on Hex.pm as part of the Ægis security audit.
https://hex.pm/reports/2026/zentrust.pdf – The published report from zentrust partners GmbH covering their adversarial/red-team style assessment of Hex.pm, including 3 high-severity findings (all now fixed) plus medium and low severity items.
https://x.com/josevalim/status/2042245524116439169 – José Valim announces a massive update to Tidewave, teasing several days of videos and screenshots covering new features.
https://hexdocs.pm/tidewave/ui_variants.html – Documentation for Tidewave's new UI Variants feature, which lets your coding agent build different versions of a page or UI component so you can pick and refine your favorite — all integrated directly in the browser.
https://www.youtube.com/watch?v=8px8GdpID74 – Video demo of Tidewave's new UI Variants feature in action.
https://x.com/adamwathan/status/2041977909502489060 – Adam Wathan (creator of TailwindCSS) shows off ui.sh, a set of skills for creating UIs in coding agent CLIs like Claude Code and Codex — noted as a comparison point to Tidewave's more integrated, browser-native experience.
https://x.com/josevalim/status/2042608254065287565 – José Valim demos Tidewave's new "vision" mode, which lets your coding agent take screenshots and record videos of your web app — including demoing a feature working on both desktop and mobile resolutions and delivering results to Slack.
https://x.com/josevalim/status/2042581154067337280 – José Valim announces that Hex.pm will now serve llms.txt files for Elixir/Erlang packages if the accept header is text/markdown. Package authors using ExDoc should update to the latest version and republish their docs.
https://github.com/remoteoss/dexter – Remote released Dexter, a new Elixir LSP written in Go. An interesting alternative to the official LSP, though its positioning relative to the official tooling raises some questions.
https://github.com/typhoonworks/lotus – Lotus is an embeddable BI (Business Intelligence) engine for Elixir apps featuring an SQL editor, dashboards, visualizations, and AI-powered query generation that mounts directly into a Phoenix app — no Metabase, Redash, or extra infrastructure needed.
https://lotus.typhoon.works/lotus – The Lotus demo app showcasing its latest features including an AI-powered query assistant (BYOK), dashboards with filters and public sharing, 16 chart types, improved query results with right-click filtering and sorting, and more.
https://github.com/ghostty-org/ghostty – Ghostty is a fast, feature-rich, native terminal emulator. Its libghostty library is a cross-platform C and Zig library for building terminal emulators or embedding terminal functionality into applications.
https://github.com/dannote/ghostty_ex – ghostty_ex is an Elixir library that wraps libghostty-vt, bringing a SIMD-optimized VT parsing terminal emulator to the BEAM. Terminals are GenServers, with full Unicode, 24-bit color, and scrollback with text reflow.
https://github.com/dannote/ghostty_ex?tab=readme-ov-file#liveview – The LiveView integration section of the ghostty_ex README, showing how to install the LiveView hook into a Phoenix app and use the Ghostty.LiveTerminal.Component to handle keyboard events and PTY lifecycle.
https://x.com/flaviocopes/status/2039973060158095827 – Flavio Copes explains how Axios was compromised via a targeted ClickFix attack — a social engineering technique that tricks maintainers into pasting malicious text into their terminal.
https://github.com/axios/axios/issues/10636 – Public post-mortem from the Axios team on the npm supply chain compromise, shared with the community for transparency and awareness.
https://cybersecuritynews.com/clickfix-attack/ – An explainer on the ClickFix attack — how hackers use it to trick users into running malware by pasting content from the web into their terminal.
https://github.com/axios/axios/issues/10636#issuecomment-4182134203 – A GitHub comment documenting multiple recent instances of similar ClickFix-style supply chain attacks across other open source projects.
https://x.com/simonw/status/2040080868958765229 – Simon Willison weighs in on the Axios supply chain attack via ClickFix social engineering.
https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/ – Simon Willison's write-up on the Axios supply chain attack and the social engineering tactics used — noting how time pressure during meetings makes maintainers especially vulnerable to quickly clicking through install prompts.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

269: Elixir with LLMs and Expert Arrives

ThinkingElixir.com — Tue, 09 Sep 2025 04:15:00 -0600

News includes the release of Expert, the new official Elixir LSP that's already supported by Zed editor, Tidewave Web getting its first major update with editor integration and notifications, Paulo Valente's handoff library v0.2.0 for distributed graph execution across BEAM nodes, LiveDebugger v0.4.0 with new inspect mode and improved features, fascinating research showing Elixir performing exceptionally well in LLM code generation benchmarks (scoring highest among all tested languages), the announcement that next ElixirConf US will be in Chicago, and a critical security alert about a new type of developer dependency attack that weaponizes AI CLI tools, and more!

Show Notes online - http://podcast.thinkingelixir.com/269

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.
https://github.com/elixir-lang/expert – Expert, the new official Elixir LSP was released
https://expert-lsp.org/ – Expert LSP official website
https://github.com/elixir-lang/expert/blob/main/pages/installation.md#editor-specific-setup – Installation instructions for different editors
https://zed.dev/docs/languages/elixir#expert – Zed editor already supports Expert
https://x.com/josevalim/status/1960402157922082981 – José Valim announces Tidewave Web first update
https://tidewave.ai/blog/editor-integration-notifications – Tidewave Web blog post and full changelog
https://x.com/josevalim/status/1960692138112352355 – José mentions plans to open public roadmap soon
https://x.com/josevalim/status/1962491846795391333 – José Valim interviewed about Tidewave Web with Ruby focus
https://rubyai.beehiiv.com/p/ruby-ai-introducing-tidewave-interview-with-jos-valim#interview-with-jose-valim – Full Ruby AI interview with José Valim
https://x.com/josevalim/status/1960683093225865463 – José discusses Zed's Agent Client Protocol (ACP)
https://github.com/zed-industries/zed/blob/main/crates/agent_servers/src/claude.rs – Zed working on Claude Code support
https://github.com/orgs/tidewave-ai/projects/1 – Tidewave's public roadmap
https://github.com/polvalente/handoff – Paulo Valente's handoff library v0.2.0 for distributed graph execution
https://x.com/elixirmembrane/status/1961071773438574897 – LiveDebugger v0.4.0 release announcement
https://forms.gle/V6tUHpJt94vi1v1TA – LiveDebugger feedback form
https://github.com/software-mansion/live-debugger – LiveDebugger GitHub repository
https://x.com/josevalim/status/1962649394139877479 – José Valim shares Elixir's exceptional LLM performance results
https://x.com/tomthesilva/status/1962628935730241712 – Thomas Silva's research on language performance in code generation
https://github.com/Tencent-Hunyuan/AutoCodeBenchmark – Tencent's AutoCodeBenchmark multilingual coding evaluation
https://github.com/Tencent-Hunyuan/AutoCodeBenchmark/blob/main/figures/exp_acb.png – Benchmark results showing Elixir's top performance
https://x.com/hugobarauna/status/1961914102764261688 – Next ElixirConf US announced for Chicago
Errata correction from José about OIDC implementation attribution to Jonatan Männchen
https://x.com/zack_overflow/status/1960771720727683507 – New developer dependency attack vector using AI CLI tools
https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware – Supply chain security alert about compromised Nx package
https://semgrep.dev/blog/2025/security-alert-nx-compromised-to-steal-wallets-and-credentials/ – Semgrep security analysis of the NPM project's Nx compromise
https://www.anthropic.com/news/claude-for-chrome – Anthropic's post about securing browser interactions

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

259: Chris McCord on phoenix.new

ThinkingElixir.com — Tue, 01 Jul 2025 04:15:00 -0600

News includes the public launch of Phoenix.new - Chris McCord's revolutionary AI-powered Phoenix development service with full browser IDE and remote runtime capabilities, Ecto v3.13 release featuring the new transact/1 function and built-in JSON support, Nx v0.10 with improved documentation and NumPy comparisons, Phoenix 1.8 getting official security documentation covering OWASP Top 10 vulnerabilities, Zach Daniel's new "evals" package for testing AI language model performance, and ElixirConf US speaker announcements with keynotes from José Valim and Chris McCord. Saša Jurić shares his comprehensive thoughts on Elixir project organization and structure, Sentry's Elixir SDK v11.x adding OpenTelemetry-based tracing support, and more! Then we dive deep with Chris McCord himself for an exclusive interview about his newly launched phoenix.new service, exploring how AI-powered code generation is bringing Phoenix applications to people from outside the community. We dig into the technology behind the remote runtime and what it means for the future of rapid prototyping in Elixir.

Show Notes online - http://podcast.thinkingelixir.com/259

Elixir Community News

https://www.honeybadger.io/ – Honeybadger.io is sponsoring today's show! Keep your apps healthy and your customers happy with Honeybadger! It's free to get started, and setup takes less than five minutes.
https://phoenix.new/ – Chris McCord's phoenix.new project is open to the public
https://x.com/chris_mccord/status/1936068482065666083 – Phoenix.new was opened to the public - a service for building Phoenix apps with AI runtime, full browser IDE, and remote development capabilities
https://github.com/elixir-ecto/ecto – Ecto v3.13 was released with new features including transact/1, schema redaction, and built-in JSON support
https://github.com/elixir-ecto/ecto/blob/v3.13.2/CHANGELOG.md#v3132-2025-06-24 – Ecto v3.13 changelog with detailed list of new features and improvements
https://github.com/elixir-nx/nx – Nx v0.10 was released with documentation improvements and floating-point precision enhancements
https://github.com/elixir-nx/nx/blob/main/nx/CHANGELOG.md – Nx v0.10 changelog including new advanced guides and NumPy comparison cheatsheets
https://paraxial.io/blog/phoenix-security-docs – Phoenix 1.8 gets official security documentation covering OWASP Top 10 vulnerabilities
https://github.com/phoenixframework/phoenix/pull/6295 – Pull request adding comprehensive security guide to Phoenix documentation
https://bsky.app/profile/zachdaniel.dev/post/3lscszxpakc2o – Zach Daniel announces new "evals" package for testing and comparing AI language models
https://github.com/ash-project/evals – Evals project for evaluating AI model performance on coding tasks with structured testing
https://bsky.app/profile/elixirconf.bsky.social/post/3lsbt7anbda2o – ElixirConf US speakers beginning to be announced including keynotes from José Valim and Chris McCord
https://elixirconf.com/#keynotes – ElixirConf website showing keynote speakers and initial speaker lineup
https://x.com/sasajuric/status/1937149387299316144 – Saša Jurić shares collection of writings on Elixir project organization and structure recommendations
https://medium.com/very-big-things/towards-maintainable-elixir-the-core-and-the-interface-c267f0da43 – Saša Jurić's article on organizing Elixir projects with core and interface separation
https://medium.com/very-big-things/towards-maintainable-elixir-boundaries-ba013c731c0a – Article on using boundaries in Elixir applications for better structure
https://medium.com/very-big-things/towards-maintainable-elixir-the-anatomy-of-a-core-module-b7372009ca6d – Deep dive into structuring core modules in Elixir applications
https://github.com/sasa1977/mix_phx_alt – Demo project showing alternative Phoenix project structure with core/interface organization
https://github.com/getsentry/sentry-elixir/blob/master/CHANGELOG.md#1100 – Sentry updates Elixir SDK to v11.x with tracing support using OpenTelemetry

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

https://phoenix.new/ – The Remote AI Runtime for Phoenix. Describe your app, and watch it take shape. Prototype quickly, experiment freely, and share instantly.
https://x.com/chris_mccord/status/1936074795843551667 – You can vibe code on your phone
https://x.com/sukinoverse/status/1936163792720949601 – Another success example - Stripe integrations
https://openai.com/index/openai-codex/ – OpenAI Codex, Open AI's AI system that translates natural language to code
https://devin.ai/ – Devin is an AI coding agent and software engineer that helps developers build better software faster. Parallel cloud agents for serious engineering teams.
https://www.youtube.com/watch?v=ojL_VHc4gLk – Chris McCord's ElixirConf EU Keynote talk titled "Code Generators are Dead. Long Live Code Generators"

Guest Information

https://x.com/chris_mccord – on X/Twitter
https://github.com/chrismccord – on Github
http://chrismccord.com/ – Blog

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

252: Riding the Tidewave of AI-Enhanced Phoenix

ThinkingElixir.com — Tue, 06 May 2025 04:15:00 -0600

News includes Tidewave, a new Phoenix MCP server that helps AI-enabled editors access application runtime, Chris McCord teasing his AI-enabled Phoenix app with LiveView hosted IDE features, a new GitHub Action for submitting Elixir dependencies to enhance security, ExMeralda.chat, a community chatbot for querying Hex packages, updates on Software Mansion's LiveDebugger v0.2.0 coming in May, mix test.interactive for enhanced ExUnit testing workflows, and information about slopsquatting, a new malware technique targeting AI-assisted developers, and more!Template

Show Notes online - http://podcast.thinkingelixir.com/252

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a limited time offer.
https://youtu.be/vGue4LtqeWg – Introduction video for Tidewave, a Phoenix/Rails MCP server that helps AI-enabled editors access your application's runtime.
https://github.com/hexpm/hexdocs/issues/49 – Hexdocs PR enabling documentation context for Tidewave, allowing AI assistants to access app documentation without manual copying.
https://x.com/chris_mccord/status/1915017804937375896 – Chris McCord teasing his AI-enabled Phoenix app that writes code.
https://x.com/chris_mccord/status/1917002231322116298 – Chris McCord demonstrating an interactive LiveView hosted IDE with realtime terminal support synced across browsers/devices.
https://bsky.app/profile/theerlef.bsky.social/post/3lngay5chys22 – EEF announcement about the "mix-dependency-submission" GitHub Action for submitting Elixir/Mix dependencies.
https://github.com/erlef/mix-dependency-submission – GitHub repo for the mix-dependency-submission tool that calculates dependencies for Mix and submits them to GitHub's API.
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api – GitHub documentation about the Dependency Submission API used by the mix-dependency-submission tool.
https://exmeralda.chat/chat/start – ExMeralda.chat, a chatbot for hex.pm packages from bitcrowd.dev, using their Elixir RAG library.
https://bitcrowd.dev/exmeralda-a-community-chatbot-for-hex-packages/ – Blog post explaining ExMeralda, a community chatbot for Hex packages that demonstrates RAG systems with LLMs.
https://www.reddit.com/r/elixir/comments/1k600mu/livedebugger_v020_upcoming_features_part_1/ – Reddit post from Software Mansion about upcoming features in LiveDebugger v0.2.0, expected in early May.
https://www.youtube.com/watch?v=HNl-y49Ou7E – Full interview discussing LiveDebugger in more depth.
https://github.com/randycoulman/mix_test_interactive – mix test.interactive - an interactive test runner for ExUnit tests that enhances testing workflows.
https://x.com/jskalc/status/1916824204156035300 – Twitter post highlighting mix test.interactive's features including running tests by names, rerunning on file save, and more.
https://erlef.org/blog/eef/election-2025 – Information about upcoming Erlang Ecosystem Foundation board elections with important dates.
https://andrealeopardi.com/posts/async-tests-in-elixir/ – Andrea Leopardi's blog post about reworking singleton architecture to leverage async tests in ExUnit.
https://www.youtube.com/watch?v=KrAqMyjbkJQ – ElixirConf US 2024 talk by Jason Stiebs on FLAME (Fleeting Lambda Application for Modular Execution).
https://www.youtube.com/watch?v=62OK9B4yRfg – ElixirConf US 2024 talk by James Isenhart on 'OpenTelemetry: From Desire to Dashboard'
https://gridinsoft.com/blogs/slopsquatting-malware/ – Article about slopsquatting, a new malware technique targeting AI-assisted developers by exploiting AI hallucinations of package names.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

251: SSH Vulnerability and Cookies are Changing

ThinkingElixir.com — Tue, 29 Apr 2025 04:15:00 -0600

News includes a critical Unauthenticated Remote Code Execution vulnerability in Erlang/OTP SSH, José Valim teasing a new project, Oban Pro v1.6's impressive new "Cascade Mode" feature, Semaphore CI/CD platform being open-sourced as a primarily Elixir application, new sandboxing options for Elixir code with Dune and Mini Elixir, BeaconCMS development slowing due to DockYard cuts, and a look at the upcoming W3C Device Bound Session Credentials standard that will impact all web applications, and more!

Show Notes online - http://podcast.thinkingelixir.com/251

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a limited time offer.
https://x.com/ErlangDiscu/status/1914259474937753747 – Unauthenticated Remote Code Execution vulnerability discovered in Erlang/OTP SSH.
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2 – Official security advisory for the Erlang/OTP SSH vulnerability.
https://paraxial.io/blog/erlang-ssh – Paraxial.io's detailed blog post addressing how the SSH vulnerability impacts typical Elixir systems.
https://elixirforum.com/t/updated-nerves-systems-available-with-cve-2025-32433-ssh-fix/70539 – Updated Nerves systems available with SSH vulnerability fix.
https://bsky.app/profile/oban.pro/post/3lndzg72r2k2g – Announcement of Oban Pro v1.6's new "Cascade Mode" feature.
https://oban.pro/articles/weaving-stories-with-cascading-workflows – Blog post demonstrating Oban Pro's new Cascading Workflows feature used to create children's stories with AI.
https://bsky.app/profile/josevalim.bsky.social/post/3lmw5fvnyvc2k – José Valim teasing a new logo with "Soon" message.
https://tidewave.ai/ – New site mentioned in José Valim's teasers, not loading to anything yet.
https://github.com/tidewave-ai – New GitHub organization related to José Valim's upcoming announcement.
https://github.com/tidewave-ai/mcp_proxy_elixir – The only public project in the tidewave-ai organization - an Elixir MCP server for STDIO.
https://x.com/chris_mccord/status/1913073561561858229 – Chris McCord teasing AI development with Phoenix applications.
https://ashweekly.substack.com/p/ash-weekly-issue-13 – Zach Daniel teasing upcoming Ash news to be announced at ElixirConf EU.
https://elixirforum.com/t/dune-sandbox-for-elixir/42480 – Dune - a sandbox for Elixir created by a Phoenix maintainer.
https://github.com/functional-rewire/dune – GitHub repository for Dune, an Elixir code sandbox.
https://blog.sequinstream.com/why-we-built-mini-elixir/ – Blog post explaining Mini Elixir, another Elixir code sandbox solution.
https://github.com/sequinstream/sequin/tree/main/lib/sequin/transforms/minielixir – GitHub repository that contains Mini Elixir, an Elixir AST interpreter.
https://www.reddit.com/r/elixir/comments/1k27ekg/we_built_a_custom_elixir_ast_interpreter_for/ – Reddit discussion about Mini Elixir AST interpreter.
https://github.com/semaphoreio/semaphore – Semaphore CI/CD platform open-sourced under Apache 2.0 license - primarily an Elixir application.
https://semaphore.io/ – Official website for Semaphore CI/CD platform.
https://docs.semaphoreci.com/CE/getting-started/install – Installation guide for Semaphore Community Edition.
https://bsky.app/profile/markoanastasov.bsky.social/post/3lj5o5h5z7k2t – Announcement from Marko Anastasov, co-founder of Semaphore CI, about open-sourcing their platform.
https://github.com/elixir-dbvisor/sql – GitHub repository for SQL parser and sigil with impressive benchmarks.
https://groups.google.com/g/elixir-ecto/c/8MOkRFAdLZc?pli=1 – Discussion about SQL parser being 400-650x faster than Ecto for generating SQL.
https://bsky.app/profile/bcardarella.bsky.social/post/3lndymobsak2p – Announcement about BeaconCMS reducing development due to Dockyard cuts.
https://bsky.app/profile/did:plc:vnywtpvzgdgetnwea3fs3y6w – Related profile for BeaconCMS announcement.
https://beaconcms.org/ – BeaconCMS official website.
https://github.com/BeaconCMS/beacon – GitHub repository for BeaconCMS.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

Discussion about Device Bound Session Credentials, a W3C initiative being built into major browsers that will require minor changes to Phoenix for implementation.
https://w3c.github.io/webappsec-dbsc/ – W3C - Device Bound Session Credentials proposal
https://github.com/w3c/webappsec-dbsc/ – Device Bound Session Credentials explainer
https://developer.chrome.com/docs/web-platform/device-bound-session-credentials – Device Bound Session Credentials (DBSC) on the Google Chrome developer blog
https://en.wikipedia.org/wiki/Trusted_Platform_Module – Wikipedia article on Trusted Platform Module, relevant to Device Bound Session Credentials discussion.
https://www.grc.com/sn/sn-1021-notes.pdf – Other podcast show notes discussing Device Bound Session Credentials (DBSC).
https://twit.tv/shows/security-now/episodes/1021?autostart=false – Security Now podcast episode covering Device Bound Session Credentials (time coded link to discussion).

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

250: EEF Elections and Security

ThinkingElixir.com — Tue, 22 Apr 2025 04:15:00 -0600

News includes EEF board elections with voting beginning May 9th, Gleam v1.10.0 enhancing security with SBoMs and SLSA build provenance, an AshAuthentication vulnerability with mitigation steps, the Elixir Secure Coding Training project finding a permanent home at the EEF, announcements for both ElixirConf US 2025 in Orlando and ElixirConfEU in Krakow with speaker lineup, and more!

Show Notes online - http://podcast.thinkingelixir.com/250

Elixir Community News

https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a limited time offer.
https://erlef.org/blog/eef/election-2025 – EEF board elections announced with important dates - candidacy submissions by May 8th, voting open May 9-16th.
https://x.com/TheErlef/status/1911847956308959650 – Gleam v1.10.0 will ship with Build SBoMs and SLSA build provenance for all release artifacts and Docker images, improving visibility into dependencies and software supply chain security.
https://x.com/theerlef/status/1910348770514006242 – The "Elixir Secure Coding Training (ESCT)" project has been transferred to the Erlang Ecosystem Foundation for a more permanent home and maintainership.
https://bsky.app/profile/davelucia.com/post/3lmcqhzoc7c26 – Dave Lucia shares information about the ESCT project transfer from Podium to TvLabs and ultimately to the EEF.
https://github.com/erlef/elixir-secure-coding – An interactive cybersecurity curriculum designed for enterprise use at software companies using Elixir.
https://github.com/phoenixframework/phoenix/pull/6184 – Fix for Plug.Debugger screen which was showing ANSI codes in HTML.
https://github.com/phoenixframework/phoenix/pull/6194 – Fix for the Phoenix installer's incorrect application of custom variants in tailwind v4.
https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787 – AshAuthentication vulnerability published with mitigation steps - update packages, set require_interaction to true, and add confirm_route above auth_routes.
https://elixirconf.com/ – ElixirConf US 2025 is open for submitting talks and workshops in Orlando. Talk submissions due April 29, workshop submissions due April 15.
https://x.com/elixirconf/status/1907843035544826137 – Announcement for ElixirConf US 2025 in Orlando with deadlines for talk and workshop submissions.
https://x.com/ElixirConfEU/status/1911747531953832323 – ElixirConfEU Speakers were announced for the upcoming conference in Krakow, Poland.
https://www.elixirconf.eu/#tickets – Ticket information for ElixirConfEU - 250 Euros for virtual ticket, 600 Euros for in-person ticket.
https://www.elixirconf.eu/#keynotes – Keynote information for ElixirConfEU in Krakow, Poland, May 14-16 (training on May 14, regular sessions on May 15-16).

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

248: Security Insights with Paraxial

ThinkingElixir.com — Tue, 08 Apr 2025 04:15:00 -0600

News includes a new Elixir case study about Cyanview's camera shading technology used at major events like the Olympics and Super Bowl, Oban Pro 1.6 with 20x faster queue partitioning, the openid_connect package reaching version 1.0, Supabase's new Postgres Language Server for developer tooling, and ElixirEvents.net as a community resource. Plus, we interview Michael Lubas, founder of Paraxial.io, about web application security in Elixir, what's involved in a security audit, and how his Elixir-focused security company is helping teams and businesses in the community.

Show Notes online - http://podcast.thinkingelixir.com/248

Elixir Community News

https://elixir-lang.org/blog/2025/03/25/cyanview-elixir-case/ – New Elixir case study about Cyanview, a Belgian company whose Remote Control Panel for camera shading is used at major events like the Olympics and Super Bowl. Their Elixir-powered solution enables remote camera control across challenging network conditions.
https://oban.pro/docs/pro/1.6.0-rc.1/changelog.html – Oban Pro 1.6 released with subworkflows, improved queue partitioning (20x faster), and a new guide explaining different job composition approaches.
https://oban.pro/docs/pro/1.6.0-rc.1/composition.html – New Oban Pro guide explaining when to use chains, workflows, chunks, or batches for job composition.
https://github.com/DockYard/openid_connect – The Elixir package 'openid_connect' reached version 1.0, providing client library support for working with various OpenID Connect providers like Google, Microsoft Azure AD, Auth0, and others.
https://hexdocs.pm/openid_connect/readme.html – Documentation for the newly released openid_connect 1.0 package.
https://bsky.app/profile/davelucia.com/post/3llqwsbyutc2z – Announcement that openid_connect is maintained by tvlabs.
https://bsky.app/profile/germsvel.com/post/3llee5lyerk2b – PhoenixTest v0.6.0 has been released with significant changes, including a breaking change.
https://github.com/germsvel/phoenix_test – GitHub repository for PhoenixTest.
https://hexdocs.pm/phoenix_test/upgrade_guides.html#upgrading-to-0-6-0 – Upgrade guide for updating to PhoenixTest v0.6.0 with its breaking change.
https://hexdocs.pm/phoenix_test/changelog.html#0-6-0 – Changelog for PhoenixTest v0.6.0.
https://supabase.com/blog/postgres-language-server – Supabase has released a new Postgres Language Server for developers, providing IDE intellisense and autocomplete for PostgreSQL.
https://marketplace.visualstudio.com/items?itemName=Supabase.postgrestools – VSCode extension for Supabase's new Postgres developer tools.
https://github.com/supabase-community/postgres-language-server – GitHub repository for Supabase's Postgres Language Server.
https://pgtools.dev/ – Official website for Postgres Tools with documentation and features.
https://pgtools.dev/checking_migrations/ – Feature in Postgres Tools that lints database migrations to check for problematic schema changes.
https://github.com/fly-apps/safe-ecto-migrations – Resource for ensuring safe Ecto migrations.
https://fly.io/phoenix-files/safe-ecto-migrations/ – Article about safe Ecto migrations posted on Fly.io.
https://elixirevents.net/ – Community resource created by Johanna Larsson for tracking, sharing, and learning about Elixir events worldwide.
https://bsky.app/profile/elixirevents.net – Bluesky account for ElixirEvents.net for following Elixir community events.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

https://paraxial.io/
https://paraxial.io/blog/index – Blog with posts about security for Elixir, Rails, and the Paraxial service
https://www.cnn.com/2025/03/18/tech/google-wiz-acquisition/index.html
https://podcast.thinkingelixir.com/93 – Our last discussion was 3 years ago in episode 93! Titled "Preventing Service Abuse with Michael Lubas"
https://www.amazon.com/Innovators-Dilemma-Revolutionary-Change-Business/dp/0062060244
https://www.merriam-webster.com/dictionary/Kafkaesque - having a nightmarishly complex, bizarre, or illogical quality
https://paraxial.io/blog/oban-pentest – Completed a Security Audit of Oban Pro - this is after ObanPro went free and OpenSource
https://paraxial.io/blog/elixir-best – Elixir and Phoenix Security Checklist: 11 Best Practices
https://paraxial.io/blog/rails-command-injection – Ruby on Rails Security: Preventing Command Injection
https://paraxial.io/blog/paraxial-three – Paraxial.io v3 blog post

Guest Information

Michael Lubas, Paraxial.io Founder - michael@paraxial.io
https://x.com/paraxialio – on Twitter/X
https://x.com/paraxialio – on Twitter/X
https://github.com/paraxialio/ – on Github
https://www.youtube.com/@paraxial5874 – Paraxial.io channel on YouTube
https://genserver.social/paraxial – on Fediverse
https://paraxial.io/ – Blog

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

245: Supply Chain Security and SBoMs

ThinkingElixir.com — Tue, 18 Mar 2025 04:15:00 -0600

News includes a new library called phoenix_sync for real-time sync in Postgres-backed Phoenix applications, Peter Solnica released a Text Parser for extracting structured data from text, a useful tip on finding Hex package versions locally with mix hex.info, Wasmex updated to v0.10 with WebAssembly component support, and Chrome introduces a new browser feature similar to LiveView.JS. We also talked with Alistair Woodman and Jonatan Männchen from the EEF about Jonatan's role as CISO, the Security Working Group, and their work on OpenChain compliance for supply-chain security, Software Bill of Materials (SBoMs), and what these initiatives mean for the Elixir community, and more!

Show Notes online - http://podcast.thinkingelixir.com/245

Elixir Community News

https://gigalixir.com/thinking – Gigalixir is sponsoring the show, offering 20% off standard tier prices for a year with promo code "Thinking".
https://github.com/electric-sql/phoenix_sync – New library called phoenix_sync providing real-time sync for Postgres-backed Phoenix applications.
https://hexdocs.pm/phoenix_sync/readme.html – Documentation for phoenix_sync, a solution for building modern, real-time apps with local-first/sync in Elixir.
https://github.com/josevalim/sync – José Valim's original proof of concept repo that was promptly archived.
https://electric-sql.com/ – Electric SQL's platform that syncs subsets of Postgres data into local apps and services, allowing data to be available offline and in-sync.
https://solnic.dev/posts/announcing-textparser-for-elixir/ – Peter Solnica released TextParser, a library for extracting interesting parts of text like hashtags and links.
https://hexdocs.pm/text_parser/readme.html – Documentation for the Text Parser library that helps parse text into structured data.
https://www.elixirstreams.com/tips/mix-hex-info – Elixir stream tip on using mix hex.info to find the latest package version for a Hex package locally, without needing to search on hex.pm or GitHub.
https://github.com/phoenixframework/tailwind/blob/main/README.md#updating-from-tailwind-v3-to-v4 – Guide for upgrading Tailwind to V4 in existing Phoenix applications using Tailwind's automatic upgrade helper.
https://gleam.run/news/hello-echo-hello-git/ – Gleam 1.9.0 release with searchability on hexdocs, Echo debug printing for improved debugging, and ability to depend on Git-hosted dependencies.
https://d-gate.io/blog/everything-i-was-lied-to-about-node-came-true-with-elixir – Blog post discussing how promises made about NodeJS actually came true with Elixir.
https://hexdocs.pm/wasmex/Wasmex.Components.html – Wasmex updated to v0.10 with support for WebAssembly components, enabling applications and components to work together regardless of original programming language.
https://ashweekly.substack.com/p/ash-weekly-issue-8 – AshWeekly Issue 8 covering AshOps with mix task capabilities for CRUD operations and BeaconCMS being included in the Ash HQ installer script.
https://developer.chrome.com/blog/command-and-commandfor – Chrome update brings new browser feature with commandfor and command attributes, similar to Phoenix LiveView.JS but native to browsers.
https://codebeamstockholm.com/ – Code BEAM Lite announced for Stockholm on June 2, 2025 with keynote speaker Björn Gustavsson, the "B" in BEAM.
https://alchemyconf.com/ – AlchemyConf coming up March 31-April 3 in Braga, Portugal. Use discount code THINKINGELIXIR for 10% off.
https://www.gigcityelixir.com/ – GigCity Elixir and NervesConf on May 8-10, 2025 in Chattanooga, TN, USA.
https://www.elixirconf.eu/ – ElixirConf EU on May 15-16, 2025 in Kraków & Virtual.
https://goatmire.com/#tickets – Goatmire tickets are on sale now for the conference on September 10-12, 2025 in Varberg, Sweden.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

https://elixir-lang.org/blog/2025/02/26/elixir-openchain-certification/
https://cna.erlef.org/ – EEF CVE Numbering Authority
https://erlangforums.com/t/security-working-group-minutes/3451/22
https://podcast.thinkingelixir.com/220 – previous interview with Alistair
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act – CRA - Cyber Resilience Act
https://www.cisa.gov/ – CISA US Government Agency
https://www.cisa.gov/sbom – Software Bill of Materials
https://oss-review-toolkit.org/ort/ – Desire to integrate with tooling outside the Elixir ecosystem like OSS Review Toolkit
https://github.com/voltone/rebar3_sbom
https://cve.mitre.org/
https://openssf.org/projects/guac/
https://erlef.github.io/security-wg/security_vulnerability_disclosure/ – EEF Security WG Vulnerability Disclosure Guide

Guest Information

https://x.com/maennchen_ – Jonatan on Twitter/X
https://bsky.app/profile/maennchen.dev – Jonatan on Bluesky
https://github.com/maennchen/ – Jonatan on Github
https://maennchen.dev – Jonatan's Blog
https://www.linkedin.com/in/alistair-woodman-51934433 – Alistair Woodman on LinkedIn
awoodman@erlef.org
https://github.com/ahw59/ – Alistair on Github
http://erlef.org/ – Erlang Ecosystem Foundation Website

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

242: Magic Links and Sudo Mode

ThinkingElixir.com — Tue, 25 Feb 2025 04:15:00 -0700

News includes exciting updates to Phoenix gen_auth with magic links and sudo mode security features, a comprehensive guide on Elixir and Phoenix security best practices from Paraxial.io, significant updates to the DaisyUI Components library for Phoenix LiveView reaching version 0.7.0, more on LiveDebugger tool for Phoenix applications, performance improvements in PostgreSQL's self-join handling, and more!

Show Notes online - http://podcast.thinkingelixir.com/242

Elixir Community News

https://gigalixir.com/thinking – Visit to sign up and get 20% off your first year. Or use the promo code "Thinking" during signup.
https://github.com/phoenixframework/phoenix/pull/6081 – Phoenix gen_auth is adding support for magic links (passwordless login) and sudo mode for sensitive operations.
https://elixirstream.dev/gendiff – Additional resource for Phoenix gen_auth updates.
https://github.com/9elements/hex-mcp – New Model Context Protocol server providing real-time Hex package version information for AI tools like Cursor.
https://paraxial.io/blog/elixir-best – Michael Lubas shares 11 best practices for security in Elixir and Phoenix applications.
https://elixirstatus.com/p/7bQOj-daisyuicomponents---a-phoenix-liveview--daisyui-library – DaisyUI Components library for Phoenix LiveView updated to version 0.7.0.
https://github.com/phcurado/daisy_ui_components – GitHub repository for DaisyUI Components, featuring over 30 pre-styled components.
https://daisy-ui-components-site.fly.dev/storybook/welcome – Interactive Storybook for exploring DaisyUI Components.
https://github.com/phcurado/daisy_ui_components/blob/main/CHANGELOG.md – Changelog showing recent updates to DaisyUI Components.
https://github.com/software-mansion-labs/live-debugger – LiveDebugger tool for Phoenix LiveView applications, providing insights into LiveViews, components, and state transitions.
https://www.phoronix.com/news/PostgreSQL-Self-Join-Eliminate – Postgres adds optimization for self-joins, improving query performance.
https://www.lambdadays.org/lambdadays2025 – Lambda Days conference tickets on sale, happening June 12-13 in Kraków, Poland, focusing on functional programming.
https://alchemyconf.com/ – Alchemy Conf happening April 2-3 in Braga, Portugal with 10% discount code "THINKINGELIXIR".
https://membrz.club/alchemyconf/events – Direct link for purchasing Alchemy Conf tickets.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

240: Standards and Security

ThinkingElixir.com — Tue, 11 Feb 2025 04:15:00 -0700

News includes Erlang/OTP achieving OpenChain ISO certification for open source license compliance, the release of the new "Elixir Patterns" book by Hugo Barauna and Alex Koutmos, a security audit of Oban Web and Pro by Paraxial.io showing excellent results, upcoming Alchemy Conf in Portugal, and a major rewrite of the asdf version manager to Go, and more!

Show Notes online - http://podcast.thinkingelixir.com/240

Elixir Community News

https://bsky.app/profile/theerlef.bsky.social/post/3lhc5552djc24 – Erlang/OTP team announces compliance with OpenChain ISO/IEC 5230 standard for open source license compliance.
https://openchainproject.org/featured/2025/02/01/erlang-otp-iso5230 – Details about OpenChain certification and its importance for Erlang/OTP's 2025 goals for enhancing community infrastructure.
https://podcast.thinkingelixir.com/220 – Reference to Allistair Woodman episode providing additional context about Erlang/OTP.
https://www.elixirpatterns.dev/#pricing – New book "Elixir Patterns" by Hugo Barauna and Alex Koutmos has been released.
https://bsky.app/profile/hugobarauna.com/post/3lgv5yfw5o22q – Author's announcement about the Elixir Patterns book release.
https://www.elixirpatterns.dev/#free-chapters – Free sample chapters of Elixir Patterns book available with accompanying Livebooks.
https://www.youtube.com/watch?v=AZZvljvgKy8 – Launch livestream recording for the Elixir Patterns book.
https://paraxial.io/blog/oban-pentest – Security audit results for Oban Web and Oban Pro by Paraxial.io, showing no critical vulnerabilities.
https://alchemyconf.com/ – Announcement for Alchemy Conf happening April 2-3 in Braga Portugal.
https://x.com/hugobarauna/status/1886766098411909420 – Hugo Barauna announces he'll be speaking about Livebook and Livebook Teams internals at Alchemy Conf.
https://stratus3d.com/blog/2025/02/03/asdf-has-been-rewritten-in-go/ – Announcement about asdf v0.16 major update and rewrite in Go.
https://asdf-vm.com/guide/upgrading-to-v0-16.html#installation – Installation guide for the new asdf v0.16 with breaking changes.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - Bluesky
Message the show - X
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen on X - @brainlid
Mark Ericksen on Bluesky - @brainlid.bsky.social
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel on Bluesky - @david.bernheisel.com
David Bernheisel on Fediverse - @dbern@genserver.social

173: Web App Security Best Practices and Sobelow

ThinkingElixir.com — Tue, 17 Oct 2023 04:15:00 -0600

We delve into the tricky world of cybersecurity with our guest, Michael Lubas. We touch on the widely-discussed 23andMe data breach, discussing what went wrong and how it applies to Elixir apps. A significant part of our talk is centered around the informative guide by the EEF Security Working Group called “Web Application Security Best Practices for BEAM languages.” An essential tool featured in our discussion is Sobelow, a security-focused static code analysis tool invaluable in warding off potential security breaches. We wrap up the conversation by discussing the practical application of these tools, using Paraxial.io's vulnerable-by-design “Potion Shop” app as a case study to run Sobelow and practice fixing issues. Join us for an enlightening discussion packed full of important insights!

Show Notes online - http://podcast.thinkingelixir.com/173

Elixir Community News

https://github.com/phoenixframework/phoenix_live_view/pull/2845 – Information on the upcoming LiveView that speeds up client DOM patching 5x.
https://twitter.com/chris_mccord/status/1709681327019086044 – The post to further explain the upcoming LiveView.
https://twitter.com/josevalim/status/1709841186972705033 – José Valim's clarification on how LiveView's 5x DOM patching works.
https://twitter.com/wojtekmach/status/1709675064944144605 – Teaser about a cool new Req feature by Wojtek Mach.
https://twitter.com/wojtekmach/status/1710053454217887970 – Release note for Req v0.3.12 and v0.4.4 and encouragement to upgrade.
https://twitter.com/Tangui/status/1709645048906748378 – Announcement of a new HTTP Caching library called http_cache.
http://svground.fr/blog/posts/introducing-http-cache/ – Blog post that accompanies the release of the new HTTP Caching library.
https://github.com/tanguilp/plug_http_cache – plug_http_cache - An Elixir plug that caches HTTP responses.
https://github.com/tanguilp/tesla_http_cache – tesla_http_cache - HTTP caching Tesla middleware.
https://news.livebook.dev/remote-execution-smart-cell---launch-week-2---day-1-m3dv2 – Post about Day 1 of Livebook's launch week with information on the new feature.
https://twitter.com/thmsmlr/status/1709309268183367901 – Announcement of Livebook Copilot by Thomas Millar.
https://github.com/thmsmlr/kino_copilot – kino_copilot - Livebook SmartCell that refactors code, generates SQL for data analysis, writes documentation, and generates dashboards.
https://twitter.com/hugobarauna/status/1709631824555573554 – Demonstration of Livebook voice transcription by Hugo Baraúna.
https://github.com/brainlid/langchain_demo – LangChain Demo project that includes an example of an Agent.
https://fly.io/phoenix-files/created-my-personal-ai-fitness-trainer-in-2-days/ – Blog post - Created my Personal AI Fitness Trainer in 2 Days
https://www.youtube.com/watch?v=AsfQNtoaB1M – YouTube video overview for AI Personal Fitness Trainer with demo
https://spawnfest.org/ – Information on SpawnFest, a 48-hour online software development contest.
https://codebeameurope.com/ – Information on CodeBEAM Europe event.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

https://www.wired.com/story/23andme-credential-stuffing-data-stolen/ – 23andMe breach
https://erlef.github.io/security-wg/web_app_security_best_practices_beam/ – Web Application Security Best Practices for BEAM languages - a guide from the EEF Security Working Group
https://paraxial.io/blog/real-sobelow – Elixir Security - Real World Sobelow
https://podcast.thinkingelixir.com/148 – Security Scanning our Apps with Sobelow
https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement – Why use Sobelow? The Equifax breach, $425 million penalty, was a remote code execution (RCE) vulnerability
https://paraxial.io/blog/elixir-rce – Understanding remote code execution (RCE) attacks in Elixir
https://paraxial.io/blog/potion-shop – Potion Shop
https://www.meetup.com/new-york-city-elixir/events/296705817/ – The NYC Elixir meetup
https://www.meetup.com/denver-erlang-elixir/ – Denver Elixir meetup

Guest Information

https://twitter.com/paraxialio – on Twitter
https://github.com/paraxialio/ – on Github
https://genserver.social/paraxial – on Fediverse
https://paraxial.io/blog/index – Blog
https://www.linkedin.com/company/paraxial-io – LinkedIn
https://www.youtube.com/@paraxial5874 – Paraxial YouTube channel

Find us online

Message the show - @ThinkingElixir
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen - @brainlid
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel - @bernheisel
David Bernheisel on Fediverse - @dbern@genserver.social
Cade Ward - @cadebward
Cade Ward on Fediverse - @cadebward@genserver.social

155: Thinking Elixir News

ThinkingElixir.com — Tue, 13 Jun 2023 04:15:00 -0600

OpenSource contributions recognition for Jonatan Kłosko, more from Sean Moriarity on AI with Elixir, the latest update on LLaMa running locally, Stephen Bussey is helping people move from OO languages like Ruby to Elixir with a new book, unraveling recent Arrow related contributions, a security fix to apply and conferences requesting speakers!

Show Notes online - http://podcast.thinkingelixir.com/155

Elixir Community News

https://twitter.com/michalslaski/status/1664237603728551936 – Jonatan Kłosko won an award for opensource contributions to Livebook.
https://podcast.thinkingelixir.com/151 – Previous interview with Jonatan Kłosko about Livebook
https://dockyard.com/blog/2023/05/16/open-source-elixir-alternatives-to-chatgpt – Sean Moriarity wrote a post titled “Open-Source Elixir Alternatives to ChatGPT”
https://twitter.com/natfriedman/status/1665402680376987648 – LLaMa update running on local hardware
https://twitter.com/yoooodaaaa/status/1663988571047354371 – Stephen Bussey's new book in beta called "From Ruby to Elixir"
https://pragprog.com/titles/sbelixir/from-ruby-to-elixir/ – PragProg book page where it can be purchased as early access.
https://twitter.com/josevalim/status/1664743585873264641 – José Valim calling out contributions by Qqwy with links to the Arrow related PRs
https://github.com/elixir-nx/explorer – Nx Explorer
https://arrow.apache.org/docs/format/ADBC.html – ADBC Apache project for data connectivity
https://arrow.apache.org/ – Arrow Apache project
https://github.com/jorgecarleitao/arrow2 – Aarow2 Rust project
https://jorgecarleitao.github.io/arrow2/main/guide/ – Arrow2 guide
https://elixirforum.com/t/mime-v2-0-4-has-been-released-with-a-potential-security-fix/56216 – PSA for security concern with package version update available
https://elixirforum.com/t/livemonacoeditor-monaco-editor-component-for-phoenix-liveview/56212 – New library LiveMonacoEditor for integrating the VSCode JS-powered editor called Monoco into LiveView
https://github.com/BeaconCMS/live_monaco_editor – BeaconCMS linked LiveMonacoEditor project
https://codebeameurope.com/ – CodeBEAM EU October 19-20
https://twitter.com/ElixirConf/status/1663920528829161474 – ElixirConf US 2023 - call for speakers
https://docs.google.com/forms/d/e/1FAIpQLSeN6BFybOd4vXweCuBvINjhbO-Ev7Zk1sZf8YBXwjnwQC0-aA/viewform – Form for submitting a talk

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Find us online

Message the show - @ThinkingElixir
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen - @brainlid
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel - @bernheisel
David Bernheisel on Fediverse - @dbern@genserver.social
Cade Ward - @cadebward
Cade Ward on Fediverse - @cadebward@genserver.social

148: Security Scanning our Apps with Sobelow

ThinkingElixir.com — Tue, 25 Apr 2023 04:15:00 -0600

We go deeper on the Sobelow library, a security-focused static analysis tool for Elixir and Phoenix apps. We talk with Griffin Byatt, the creator, and Holden Oullette, the new maintainer. We learn how and why the project was created, how it works, what it can and can't do, and how to use it in CI pipelines for continuous scanning. Sobelow is a cornerstone project in the community that checks a critical box for certification requirements which means we get to use Elixir when it might otherwise be a hard sell. Join us as we learn more about the project and the people behind it!

Show Notes online - http://podcast.thinkingelixir.com/148

Elixir Community News

https://news.livebook.dev/hubs-and-secret-management---launch-week-1---day-3-3tMaJ2 – Livebook Launch Week - Day 3 - Hubs, secrets, teams, authentication
https://news.livebook.dev/build-and-deploy-a-whisper-chat-app-to-hugging-face-in-15-minutes---launch-week-1---day-4-wYM0w – Livebook Launch Week - Day 4 - What is deploying apps to HuggingFace?
https://news.livebook.dev/data-wrangling-in-elixir-with-explorer-the-power-of-rust-the-elegance-of-r---launch-week-1---day-5-1xqwCI – Livebook Launch Week - Day 5 - Data wrangling in Elixir with https://news.livebook.dev/data-wrangling-in-elixir-with-explorer-the-power-of-rust-the-elegance-of-r---launch-week-1---day-5-1xqwCI
https://github.com/elixir-nx – The Nx GitHub organization page was set up
https://twitter.com/sorentwo/status/1646493981591625732 – Oban update 2.15.0
https://github.com/sorentwo/oban/releases/tag/v2.15.0 – Oban release notes
https://twitter.com/osterbergmarcus/status/1646833341881016323 – Tweet asking about bulk steam inserts
https://twitter.com/elixirphoenix/status/1646913447030865921 – Phoenix response says the bulk insert is in main now.
https://hexdocs.pm/ecto/Ecto.Changeset.html#cast_assoc/3-sorting-and-deleting-from-many-collections – Ecto's Sorting and deleting from -many collections
https://twitter.com/iteamon/status/1648310734479130627 – Dry run implementation by Tymon Tobolski
https://twitter.com/theerlef/status/1646211583172034563 – ElixirConf EU keynote to look forward to

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

https://twitter.com/paraxialio/status/1641242283134660616
https://github.com/nccgroup/sobelow
https://github.com/nccgroup/sobelow/releases/tag/v0.12.2 – recent release
https://github.com/podium/elixir-secure-coding
https://www.podium.com/
https://podcast.thinkingelixir.com/122 – Securing Elixir and Teaching the Team interview with Holden
https://www.crowdstrike.com/cybersecurity-101/shift-left-security/ – Shift left
https://www.nccgroup.com/us/
https://github.com/podium/elixir-secure-coding
https://github.com/ExHammer/hammer
SAST - Static Application Security Testing
IAST - Interactive Application Security Testing

Guest Information

https://twitter.com/HoldenOullette – Holden on Twitter
https://github.com/houllette/ – Holden on Github
https://oullette.xyz/ – Holden's Blog
https://twitter.com/griffinbyatt – Griffin on Twitter
https://github.com/GriffinMB/ – Griffin on Github
https://griffinbyatt.com/ – Griffin's page

Find us online

Message the show - @ThinkingElixir
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen - @brainlid
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel - @bernheisel
David Bernheisel on Fediverse - @dbern@genserver.social
Cade Ward - @cadebward
Cade Ward on Fediverse - @cadebward@genserver.social

134: Inside the Security Working Group

ThinkingElixir.com — Tue, 17 Jan 2023 04:15:00 -0700

We get a glimpse into the EEF's Security Working Group with Bram Verburg. We learn about existing resources available to the community and we get hints of work underway for the future. Bram shares some cool security tips and insights as well!

Show Notes online - http://podcast.thinkingelixir.com/134

Elixir Community News

http://example.com/ – Example website
https://github.com/phoenixframework/phoenix/blob/master/CHANGELOG.md – New release candidate for Phoenix! 1.7.0-rc.1
https://github.com/phoenixframework/phoenix_live_view/blob/master/CHANGELOG.md – New minor Phoenix LiveView releases
https://twitter.com/whatyouhide/status/1610675036108771328 – Andrea Leopardi published his second video where he works through the ProtoHackers.com challenges using Elixir
https://github.com/sorentwo/oban/pull/819 – Oban now supports SQLite3
https://github.com/JohnnyCurran/TimeTravel – Time Travel with LiveView events
https://www.chriis.dev/opinion/setting-up-a-google-chrome-shortcut-to-elixir-documentation-in-30-seconds – Chris Gregori shared a post about setting up a Google Chrome shortcut to Elixir documentation
https://twitter.com/benvp_/status/1610884773387321345 – Tip for saving hex docs offline locally
https://twitter.com/theerlef/status/1611076916957843456 – erlef/setup-beam v1.15.1 has been released
https://github.com/erlef/setup-beam/releases/tag/v1.15.1
https://github.com/elixir-nx/ex_faiss – Sean Morriarity released a new library in the Nx family called ex_faiss
https://dockyard.com/blog/2023/01/04/search-and-clustering-with-exfaiss – Blog post to accompany ex_faiss
https://github.com/lexmag – Core team Aleksei
https://github.com/am-kantox – Finitomata Aleksei
https://twitter.com/yburyug/status/1611125098286813184 – Fun Phoenix success story

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

https://erlef.github.io/security-wg/
https://erlef.org/wg/security
https://github.com/erlef/security-wg
https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/
https://podcast.thinkingelixir.com/64 – OTP Certificate Woes with Bram Verburg
https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/releases – Section on releases and Erlang's ability to conditionally include the compiler
https://bluecode.com/en/
https://www.linkedin.com/in/FrancescoCesarini
https://podcast.thinkingelixir.com/122 – Interview with Holden Oullette about Elixir Secure Coding Training for teams
https://en.wikipedia.org/wiki/Whac-A-Mole
https://podcast.thinkingelixir.com/131 – Interview with Michael Lubas about securing Elixir and Phoenix applications
https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/crash_dumps
https://github.com/voltone/x509/
https://github.com/beam-telemetry/telemetry
https://www.lua.org/start.html
https://www.cisa.gov/uscert/bsi/articles/knowledge/sdlc-process/secure-software-development-life-cycle-processes – Secure Software Development Lifecycle
https://github.com/nccgroup/sobelow
https://github.com/rrrene/credo
https://en.wikipedia.org/wiki/Data-flow_analysis
https://erlef.org/
https://members.erlef.org/join-us

Guest Information

https://twitter.com/voltonez – on Twitter
https://fosstodon.org/@voltone – on Fediverse
https://github.com/voltone – on Github
https://blog.voltone.net/ – Blog

Find us online

Message the show - @ThinkingElixir
Message the show on Fediverse - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen - @brainlid
Mark Ericksen on Fediverse - @brainlid@genserver.social
David Bernheisel - @bernheisel
David Bernheisel on Fediverse - @dbern@genserver.social
Cade Ward - @cadebward
Cade Ward on Fediverse - @cadebward@genserver.social

131: Start Securing Elixir and Phoenix

ThinkingElixir.com — Tue, 27 Dec 2022 04:15:00 -0700

Securing our apps is our responsibility as developers. We are the custodians and the guardians of our user's data. We met up again with Michael Lubas to discuss some lesser known community security resources and helpful tips to get us started with securing our Elixir and Phoenix applications!

Show Notes online - http://podcast.thinkingelixir.com/131

Elixir Community News

https://erlangforums.com/t/otp-25-2-released/2166 – Erlang/OTP 25.2 is the second maintenance patch package for OTP 25, with mostly bug fixes as well as improvements.
https://twitter.com/livebookdev/status/1603787699458113539 – HuggingFace announced “spaces”, a feature that lets people run Docker images on HuggingFace.
https://huggingface.co/spaces/livebook-dev/single_file_phx_bumblebee_ml – Elixir Phoenix was specifically shown as a Docker example on HuggingFace
https://twitter.com/sean_moriarity/status/1602817446875992066 – Sean Moriarity added “negative prompts” feature to Nx's Stable Diffusion support.
https://github.com/elixir-nx/bumblebee/pull/109 – PR adding "negative prompt" support
https://twitter.com/miruoss/status/1604849993130676225 – Michael Ruoss has a new Kino plugin for working with kubernetes pods
https://github.com/mruoss/kino_k8s_term – KinoK8sTerm
https://twitter.com/livebookdev/status/1603391808209391617 – Livebook added two new neural network tasks to Bumblebee integration.
https://twitter.com/hanrelan/status/1603470678081929216 – Customized Livebook Stable Diffusion shows intermediate steps when generating images.
https://blog.ftes.de/elixir-dijkstras-algorithm-with-priority-queue-f6022d710877 – Fredrik Teschke wrote a blogpost using Livebook to visualize Dijkstra's algorithm for finding the shortest path between nodes in a graph.
https://notes.club/ – Notesclub is a website by Hec Perez that makes it easy to share and discover Livebook notebooks online.
https://twitter.com/louispilfold/status/1602740866602631170 – Louis Pilfold announced his last full day at Nomio. He is now working full time on Gleam.
https://twitter.com/louispilfold/status/1600960290455113728 – Louis Pilfold shared that Bumblebee, Nx and Axon work in Gleam thanks to Gleam's new Elixir support.
https://twitter.com/kipcole9/status/1604929772253229057 – Kip Cole has a library called Image. He added Image.Classification.classify(image) using Bumblebee.
https://sessionize.com/code-beam-lite-stockholm-2023 – Code BEAM Lite Stockholm 2023, 12 May 2023, Stockholm, Sweden. Call for speakers is open until Feb 5th 2023.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

https://paraxial.io
https://paraxial.io/blog/securing-elixir – Securing Elixir/Phoenix Applications - 5 Tips to Get Started
https://paraxial.io/blog/xss-phoenix – Cross Site Scripting (XSS) Patterns in Phoenix
https://podcast.thinkingelixir.com/93 – Previous interview with Michael
https://www.youtube.com/watch?v=w3lKmFsmlvQ – ElixirConf 2017 - Plugging the Security Holes in Your Phoenix Application - Griffin Byatt
https://felt.com/blog/rate-limiting – Rate Limiting Algorithms for Client-Facing Web Apps by Tyler Young
https://github.com/podium/elixir-secure-coding – Elixir Secure Coding Training (ESCT) that runs in Livebook
https://github.com/rrrene/html_sanitize_ex
https://fly.io/phoenix-files/github-actions-for-elixir-ci/ – Blog post about Elixir CI/CD checks
https://github.com/mirego/mix_audit – mix_audit
https://hexdocs.pm/mix/Mix.Tasks.Deps.Unlock.html – mix hex.audit
https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ – Erlang Ecosystem Foundation resource - Secure Coding and Deployment Hardening Guidelines
https://github.com/slab/safeurl-elixir – SafeURL hex package by Slab
https://slab.com/

Guest Information

https://twitter.com/paraxialio – on Twitter
https://github.com/paraxialio/ – on Github
https://paraxial.io/ – Blog
michael@paraxial.io
https://genserver.social/paraxial – on Mastadon

Find us online

Message the show - @ThinkingElixir
Message the show on Mastadon - @ThinkingElixir@genserver.social
Email the show - show@thinkingelixir.com
Mark Ericksen - @brainlid
Mark Ericksen on Mastadon - @brainlid@genserver.social
David Bernheisel - @bernheisel
David Bernheisel on Mastadon - @dbern@genserver.social
Cade Ward - @cadebward
Cade Ward on Mastadon - @cadebward@genserver.social

122: Securing Elixir and Teaching the Team

ThinkingElixir.com — Tue, 25 Oct 2022 04:15:00 -0600

It’s important to learn safe coding practices. As developers, we want people to love our products and happily pay to use them. We also want to protect our services and users from hackers and information leaks. However, sometimes we unknowingly create vulnerabilities in our systems. One of the best ways to prevent problems is to train the team working on the project. To help do this, Holden Oullette started an OpenSource project called Elixir Secure Coding Training for teams. Livebook based, the lessons can be forked and customized for what’s relevant to our projects. Check out what's already available! There’s more work and lessons to create. People are invited to jump in and help out. The goal is to create an education and training resource for the Elixir community!

Show Notes online - http://podcast.thinkingelixir.com/122

Elixir Community News

https://twitter.com/AshFramework/status/1582062954891350016 – Ash Framework 2.0 released
https://github.com/ash-project/ash/blob/2.0/CHANGELOG.md – Ash Framework changelog
https://www.ash-hq.org/
https://elixirforum.com/t/ex-cldr-common-locale-data-repository-cldr-functions-for-elixir/17350/92 – Ex_cldr and Kip Cole's development plans
https://podcast.thinkingelixir.com/120 – Interview with Kip Cole
https://hexdocs.pm/ex_cldr_routes – New CLDR library to help localize Phoenix routes
https://hexdocs.pm/phoenix_localized_routes – There are other route localizing options as well
https://twitter.com/lukaszsamson/status/1578521810554916864 – Elixir-LS fixed 4 year old bug with help from reporter!
https://github.com/elixir-lsp/elixir-ls/issues/120 – Elixir-LS history and details on the fix
https://twitter.com/fhunleth/status/1580524909939556353 – Nerves on Apple silicon improvements in upcoming release
https://spawnfest.org/ – Spawnfest competition closed. People sharing their creations.
https://twitter.com/spawnfest/status/1581347422671806464 – List of Spawnfest judges
https://twitter.com/michalmuskala/status/1581743531764617217 – JSON Native project shared
https://github.com/spawnfest/json_native
https://twitter.com/livebookdev/status/1581995785637756928 – Livebook Ecto extension called Lively supports Entity Relationship Diagrams and more.
https://github.com/orgs/spawnfest/repositories?q=2022+in%3Atopics – See all the submissions with this non-obvious GitHub search
https://www.elixirconf.eu/ – ElixirConf EU 2023 in in Lisbon Portugal - Hybrid conference 20-21 April 2023 - In person and virtual

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

Guest Information

https://twitter.com/holdenoullette – on Twitter
https://github.com/houllette/ – on Github
https://oullette.xyz – Blog

Find us online

Message the show - @ThinkingElixir
Email the show - show@thinkingelixir.com
Mark Ericksen - @brainlid
David Bernheisel - @bernheisel
Cade Ward - @cadebward

93: Preventing Service Abuse with Michael Lubas

ThinkingElixir.com — Tue, 05 Apr 2022 04:15:00 -0600

We talk with Michael Lubas about steps we can take to protect our Phoenix applications from common automated bot attacks. We cover API abuse to send email spam, carding attacks, and credential stuffing. We learn how Michael started paraxial.io which aims to specifically serve the Elixir community and more!

Show Notes online - http://podcast.thinkingelixir.com/93

Elixir Community News

https://erlef.org/blog/eef/election-2022-results – Erlang Ecosystem Foundation board election voting results
https://erlef.org/blog/eef/election-2022 – Previous election notice and explanations
https://hexdocs.pm/ex_doc/changelog.html – ExDoc v0.28.3 was released
https://twitter.com/josevalim/status/1508528099973120004 – Call to help move ExDoc away from webpack to esbuild
https://twitter.com/dominicletz/status/1506675402059792388 – iOS app store now has an Elixir application deployed in it!
https://podcast.thinkingelixir.com/69 – Previous interview with Dominic Letz about doing Elixir on the desktop and mobile.
https://www.erlang.org/news/155 – Erlang 25.0 rc-2 was released and requesting feedback
https://twitter.com/josevalim/status/1507443537851392007 – Jose Valim's experience compiling Elixir from scratch on Apple's new MacStudio M1 Max
Conference reminders
https://www.empex.co/mtn – Empex MTN in Salt Lake City on May 6
https://codesync.global/conferences/code-beam-sto-2022/ – CodeBEAM in Stockholm on May 19-20
https://www.elixirconf.eu/ – ElixirConf EU in London on June 9-10
https://elixirconf.com/events – ElixirConf US in Colorado on August 30-Sep2
https://github.com/lucasvegi/Elixir-Code-Smells – Elixir Code Smells - public project
https://fly.io/phoenix-files/safe-ecto-migrations/ – Safe Ecto Migrations
https://twitter.com/TylerAYoung/status/1508413319178297352 – Today I Learned about doctests and importing

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com

Discussion Resources

Guest Information

https://twitter.com/paraxialio – on Twitter
https://github.com/paraxialio/ – on Github
https://paraxial.io/ – Website
sales@paraxial.io

Find us online

Message the show - @ThinkingElixir
Email the show - show@thinkingelixir.com
Mark Ericksen - @brainlid
David Bernheisel - @bernheisel
Cade Ward - @cadebward