CHAINS research project at KTH Royal Institute of Technology

Open-source contributions of the Chains project

The project’s contributions to the open-source infrastructure.

• Maven
  • maven-lockfile: build integrity in Maven with lockfiles
  • JSON output for mvn dependency:tree (merged) issue
  • Deterministic Maven SBOM for build-info-go (merged)
  • Expiration for deployment keys on Maven Central
• Pypi
  • add verifiable cryptographic signature to email event in “security history” log
• Go
  • Bug identified and reproduced related to the trimpath flag (issue 67011)
• Github
  • search on Github for all commits signed by a given GPG or SSH key
  • fix outdated Github workflow template
  • keep github action logs forever for transparency and auditability of published software packages
  • link to attestation in NPM automated notification emails
  • Github SBOMs are not compatible with Grype
• Docker
  • Search docker images by checksums sha256
• npm
  • [RRFC] Locally computed integrity values in the lockfile

Applications:

• Key contributions to make go-ethereum / geth reproducible
  • enabling reproducible builds: Detached HEAD state (merged)
  • enabling reproducible builds: Travis CI bug (merged)
  • enabling reproducible builds: vcs.modified=true on downloadable artefacts
• Maven artifacts reproducibility
  • windows binary not being placed in artifact
  • find reason for missing directory in archive
  • ldapchai bytecode difference
  • Questions: why do submodules of v4.1.32 have SBOM of metrics-parent?
  • Proposal to make output of git-commit-id-maven-plugin reproducible
  • Help needed to reproduce 1.13.0
• Diffoscope
  • Bug Report: Different output of diffoscope on different operating system
  • Bug Report: Propose fix for disabling syntax highlighting in the diff
  • Bug Report: Propose fix for correctly identifying line endings difference in file
  • Bug Report: Diffoscope falls back to xxd for two (seemingly) text files with identical content
  • Bug Report: XXD diff between jar files even though diff is in an HTML file zipped inside
• oss-rebuild
  • jar manifest stabilizer
• Reproducible-Central
  • Use HTTPS to clone in buildspec
  • refactor: remove redunant build files from content/org/apache/maven/extensions/maven-buildcache-extension
• Scorecard
  • improve code review score

Under our radar (not opened by us but relevant)

• sandboxed build scripts at rust

This site is open source. Improve this page.