REUSE and compliance

April 25, 2025 • Issue 90

If you are responsible for any software at scale in recent years you have likely heard of software supply chain as a topic. This is not just a cloud native buzzword but is in fact an industry-wide buzz .. I mean term. There is a ton of work happening across the world on SBOM, licensing and compliance for a few reason.

I'm in the EU, so the CRA is what I hear the most about. The Cyber Resilience Act is a piece of EU legislation that puts the responsibility for failures of security, resilience and privacy failures at the feet of companies if they are not taking adequate steps. Some people have worked quite hard to make this not land on the stoops of open source developers as "you are responsible for your library having caused damage" but instead at companies as "you are responsible for not making sure the open source you rely on is sustainably maintained". If you ship software-based products to consumers you suddenly have more responsibility for failures and showing that you, as a business, are a responsible actor.

There is different but related legislation in the US that I'm not generally tracking. SBOM is a rising topic and actually a topic people are putting money behind.

The Erlang Ecosystem Foundation is trying to make sure Erlang, Elixir and everything is OpenChain compliant and all that. And Frank Hunleth has been on an absolute tear through the Nerves projects and libraries to make them all REUSE compliant. Which lets us confirm REUSE compliance and makes it maintainable.

There are more things to come. Elixir will get some more best practices around SBOM (SPDX I assume). We will of course leverage that when the time comes for Nerves. And we can already pull a fair bit of license information using "make legal-info".

You will see a lot of REUSE compliance in upcoming changelogs. This is the reason. Both as a Nerves initiative and as ecosystem wide initiatives we are trying to make it clear what you are shipping, who built it and make it easy to deal with licensing.

-Lars

NervesConf, May 8, Chattanooga, Tennessee

This is so soon and the FOMO is very real for me as I will miss it. I know Alex has a good line-up and I've heard a bunch of great Nerves folks say they'll be going.

Grab a ticket and enjoy!

Everything you need at nervesconf.us

NervesConf EU, September 10, Varberg, Sweden

We've gone over to the regular tickets now. Still not very expensive. Check it out, travel and hotel information is now available.

Tickets and CFP at nervesconf.eu

Project updates

NervesHub CLI updates

Some folks have missed that NervesHub has a full API and a CLI. The CLI is now a burrito, meaning an Elixir app hidden in an executable. And importantly you can download it much more easily now:

brew install nerves-hub/tap/nh

This should let you use th `nh` command from then on. Try `nh user whoami` and `nh user auth` to get going. See the docs for setup.

NervesHub UI refresh continues. Let us console you.

The full web-based iex console is one of NervesHub's best features and with the new update we've spiced things up.

The new edge-to-edge immersive terminal is an experience like no other. With notes of burnt solder and a touch glass fiber with just enough solder mask it .. jokes aside.

It provides a lot of space for you to do your thing. That's it.

It also increases the dropzone for dropping files on the device. Because you knew that right? That you can drop a file onto the device and have it uploaded. It works so well I accidentally dropped the above screenshot onto the device. Glorious.

Theater mode is a pseudo-fullscreen mode that stays in the bounds of your browser tab but removes all but the most important UI bits. It allows you to console as hard as anyone has ever consolled before.

atecc508a, v1.3.1

Changes
- Fix sign_digest timeout to work for the ATECC608
- Update licensing and copyright for REUSE compliance
- Drop Elixir 1.11 and 1.12 support since too hard to test any more

nerves_runtime, v0.13.8

This release has many updates, but none of them are expected to be noticeable to most Nerves users. Most are in support of the Raspberry Pi’s TRYBOOT feature which is not supported in official Nerves systems.

Changes
- Update licensing and copyright for REUSE compliance
- Add Nerves.Runtime.FwopOps.status/1 to report the currently running slot and the one that will run on the next boot
- Improve active (current) firmware slot detection when ops.fw is available. While nothing has changed in official Nerves systems, more documentation has been added here to make the ops.fw tasks use official.
- Support reloading KV cache and reload it automatically on firmware operations that may affect it.
- Return error and warning details from fwup calls to avoid losing failure reasons
- Reduce Dialyzer warnings when calling Nerves.Runtime.mix_target/0 at runtime

nerves_hub_cli, v3.0.0

The NervesHubCLI has been updated to use Burrito for building native binaries. See practical use info earlier in the newsletter.

This includes support for MacOS (x86_64 and aarch64), Linux (x86_64 and aarch64), and Windows (x86_64).

This new packaging of the NervesHubCLI simplifies the installation process, and provides a more consistent experience across platforms and projects.

System updates

All systems

This is a major Buildroot update.

Please see the nerves_system_br v1.30.0 release notes for upgrade instructions if you’ve forked this system.

Changes
- Add REUSE compliance to help improve OSS copyright and licensing accuracy
- Update Raspberry Pi libraries and firmware to latest releases
Updated dependencies
- Erlang/OTP 27.3
- Buildroot 2024.11.2

nerves_system_mangopi_mq_pro, v0.12.0

nerves_system_vultr, v0.27.0

nerves_system_x86_64, v1.30.0

nerves_system_grisp2, v0.14.0

nerves_system_osd32mp1, v0.21.0

nerves_system_bbb, v2.26.0

All Raspberry Pi

Changes
- Add REUSE compliance to help improve OSS copyright and licensing accuracy
- Update Raspberry Pi libraries and firmware to latest releases
Updated dependencies
- Linux 6.6.74 (Raspberry Pi 1.20250127 release)
- rpicam-apps 1.5.3
- rpi-libcamera v0.3.2+rpt20241119
- rpi-distro-firmware-nonfree 1:20230625-2+rpt3

nerves_system_rpi4, v1.30.0

nerves_system_rpi3a, v1.30.0

nerves_system_rpi3, v1.30.0

nerves_system_rpi2, v1.30.0

nerves_system_rpi0, v1.30.0

nerves_system_rpi, v1.30.0

kiosk_system_rpi4, v0.3.0

Raspberry Pi 5

Changes
- Enable support for the RP1’s PIO feature

kiosk_system_rpi5, v0.3.0

nerves_system_rpi5, v0.5.0

Buildroot

nerves_system_br, v1.30.0

This update pulls in Buildroot 2024.11.2 and Erlang/OTP 27.3. This is a major Buildroot update.

Changes
- Pull in upstream Raspberry Pi updates for various things. This includes WiFI WPA3 support on some RPis and better CM5 and Pi 500 support
- Add REUSE compliance to help improve OSS copyright and licensing accuracy
Package updates
- Erlang/OTP 27.3
- Buildroot 2024.11.2. See the following: Buildroot 2024.11 Buildroot 2024.11.1 Buildroot 2024.11.2
- rpicam-apps 1.5.3
- rpi-libcamera v0.3.2+rpt20241119
- rpi-distro-firmware-nonfree 1:20230625-2+rpt3

Other

nerves_hub_link, v2.7.1

Added
- Improve how custom sets of metrics are defined (#279)
- Optional network traffic metrics (#267)
- REUSE compliance
Updated
- Use Credo within the CI build to ensure code quality (#257)
- Fix how download retry config is fetched (#280)
- Update documentation structure (#281)
- Require Alarmist when using alarms in the default health report (#263)

vintage_net_qmi, v0.4.3

Handle more than one RSSI report for modems that are capable of reporting more than one cellular technology’s strength at a time.

Nerves Meetup (remote)

Check out the event page for the next event, start of May.

Last event Josh Kalderimis, NervesHub maintainer and NervesCloud co-founder, gave a big ol' update on The New Era of NervesHub. Hopefully the video was captured and can be shared on the Nerves YouTube where you'll find a lot of cool videos.

Gus Workman spoke about solar and batteries with the Soleil project

Got questions?

Trouble-shooting is best done on the Nerves Forum over at Elixir's Forum. But if you have big-picture questions you would like to ask around Nerves, feel free to send them in and we might just have ourselves a column here.

Nerves and Elixir shirts can be bought at oswag.org. Stickers with every purchase.
-Lars

Participating in the community

The Nerves community is found wherever Elixirists gather. Try any of the following:

Questions are best asked on the Elixir Forum.

Social conversation and banter:

Elixir Slack, #nerves channel
Elixir Discord, #nerves channel

How you can help Nerves

Contribute in the way that works for you:

Send corrections or improvements for documentation wherever it fails to help you.
Write about Nerves, give talks about Nerves. Make videos about Nerves. It is all good.
Write or port a new hardware library and include it in the Elixir Circuits collection.
Get in touch about taking over maintenance duties for some libraries, we might be able to provide you hardware.
Apply for an EEF stipend on something Nerves-related and build it. We can help if you have questions about this.

Finally, if you have questions about the newsletter or want to suggest something you can simply respond to this email.

- Lars