CHAINS research project at KTH Royal Institute of Technology

4th KTH Workshop on the Software Supply Chain 2025

Welcome to the 4th KTH Workshop on the Software Supply Chain in Stockholm, Sweden. This workshop is organized in the context of the CHAINS research project.

Program

Time Event
0830 Welcome coffee
0900 Opening
0915 Keynote: Hervé Boutemy (Sonatype, Apache Software Foundation)
1015 Break + Poster session
1100 (duration 15+5 minutes each)
  * Julien Malka, Does Functional Package Management Enable Reproducible Builds at Scale? Yes
  * Aman Sharma, Causes and Mitigations of Unreproducible Builds in Java
  * Tina Heidinger (GitHub), Fredrik Skogman (GitHub), GitHub Attestations
  * Frank Reyes, Fixing Breaking Dependency Updates Using LLMs
1230 Lunch at Syster-o-bror
1400 Keynote: Henrik Plate (Endor Labs)
1500 Break
1530 Tool session
  * maven-lockfile, lockfiles for Java and Maven (Elias Lundell)
  * sbom.observer, Generating SBOMs for C/C++ (Andreas Bielk)
  * dirty-waters, transparency checks for SSC (Diogo Gaspar)
  * ghasum, GitHub Action Integrity (Eric Cornelissen)
1645 Closing

Talks

Trust in Software Supply Chain: Signature vs Attestations vs Reproducible Builds

Hervé Boutemy

Hervé Boutemy (Sonatype | Apache Software Foundation)

Speaker Bio

Hervé started with Java when it was in beta, built his first Java projects with Make (yes) then Ant: but life changed with Maven 1… Life changed even more when growing from OSS user during the working day to becoming an active OSS contributor to Maven 2 during nights and weekends. Today, Hervé works as Solutions Architect for Sonatype on the next steps of the build journey, promoting best practices around Software Supply Chains. On the OSS front, Hervé is an Apache Software Foundation member and Apache Maven PMC Chair. He’s also involved in many advanced projects like CycloneDX, SPDX, sigstore, or Reproducible Builds, where he is learning new supply chain technologies by implementing them with Maven.

Two Steps Forward, One Step Back: The Slow March of Software Supply Chain Security

Henrik Plate

Henrik Plate (Endor Labs)

Speaker Bio

Henrik Plate is the principal security researcher at Endor Labs. He formerly worked for SAP Security Research, where he established and led the focus topic “Open Source Security” starting in 2014. He co-authored several academic papers on this topic, presented at academic and industry conferences like RSA, is the project lead and core developer of Eclipse Steady (an open source solution using program analysis techniques to assess the exploitability of vulnerabilities), and contributes to the Risk Explorer for Software Supply Chains (an open source solution to understand supply chain threats and safeguards). He earned his PhD in 2024 from the University of Rennes, France, with a thesis titled “On the Security Risks of Open Source Consumption: Vulnerabilities and Supply Chain Attacks in the Era of Open-Source-Based Software Development”. He received his MSc in Computer Science and Business Administration in 1999 from the University of Mannheim, Germany, and holds a CISSP certification.

Sponsors

SSF Digital Futures

Previous editions