The CHAINS research project on software supply chains @ KTH

Improving the foundations of software supply chains – one contribution at a time

Our contributions to the infrastructure.

• Maven
  • maven-lockfile: build integrity in Maven with lockfiles
  • JSON output for mvn dependency:tree (merged) issue
  • Deterministic Maven SBOM for build-info-go (merged)
  • Expiration for deployment keys on Maven Central
• Pypi
  • add verifiable cryptographic signature to email event in “security history” log
• Go
  • Bug identified and reproduced related to the trimpath flag (issue 67011)
• Github
  • search on Github for all commits signed by a given GPG or SSH key
  • fix outdated Github workflow template
  • keep github action logs forever for transparency and auditability of published software packages
  • link to attestation in NPM automated notification emails
  • Github SBOMs are not compatible with Grype
• Docker
  • Search docker images by checksums sha256
• npm
  • [RRFC] Locally computed integrity values in the lockfile

Applications:

• Key contributions to make go-ethereum / geth reproducible
  • enabling reproducible builds: Detached HEAD state (merged)
  • enabling reproducible builds: Travis CI bug (merged)
  • enabling reproducible builds: vcs.modified=true on downloadable artefacts
• Diffoscope
  • Propose fix for disabling syntax highlighting in the diff

Under our radar (not opened by us but relevant)

• sandboxed build scripts at rust

This site is open source. Improve this page.