CHAINS research project at KTH Royal Institute of Technology
4th KTH Workshop on the Software Supply Chain 2025
Welcome to the 4th KTH Workshop on the Software Supply Chain in Stockholm, Sweden. This workshop is organized in the context of the CHAINS research project.
- Location: KTH, Stockholm, Sweden, Salongen, KTH library
- Date: Friday 25 April, 2025
- Time: 9h-17h
- Registration is free of charge but compulsory for the sake of lunch/fika planning. Register Here 😄
Program
| Time | Event |
|---|---|
| 0830 | Welcome coffee |
| 0900 | Opening (Martin Monperrus) |
| 0915 | Keynote: Hervé Boutemy (Sonatype, Apache Software Foundation) |
| 1015 | Break + Poster session |
| 1100 | (duration 15+5 minutes each) |
| * Julien Malka, Does Functional Package Management Enable Reproducible Builds at Scale? Yes | |
| * Aman Sharma, Causes and Mitigations of Unreproducible Builds in Java | |
| * Tina Heidinger (Github), Fredrik Skogman (GitHub), Github Attestations | |
| * Frank Reyes, Fixing Breaking Dependency Updates Using LLMs | |
| 1230 | Lunch at Syster-o-bror |
| 1400 | Keynote: Henrik Plate (Endor Labs) |
| 1500 | Break |
| 1530 | Tool session (duration 10+5 minutes each) |
| Chair: Frank Reyes | |
| * maven-lockfile, Lockfiles for Java and Maven (Elias Lundell) | |
| * observer, Generating SBOMs for C/C++ (Andreas Bielk) | |
| * dirty-waters, Transparency checks for SSC (Raphina Liu) | |
| * ghasum, GitHub Action Integrity (Eric Cornelissen) | |
| 1645 | Closing |
Talks
Trust in Software Supply Chain: Signature vs Attestations vs Reproducible Builds
Hervé Boutemy (Sonatype | Apache Software Foundation)
Speaker Bio
Hervé started with Java when it was in beta, built his first Java projects with Make (yes) then Ant: but life changed with Maven 1… Life changed even more when growing from OSS user during working day to becoming an active OSS contributor to Maven 2 during nights and week-ends. Today, Hervé works as Solutions Architect for Sonatype on next steps of the build journey, promoting best-practices around Software Supply Chains. On the OSS front, Hervé is an Apache Software Foundation member and Apache Maven PMC Chair. He’s also involved in many advanced projects like CycloneDX, SPDX, sigstore, or Reproducible Builds, where he is learning new supply chain technologies by implementing them with Maven.
Two Steps Forward, One Step Back: The Slow March of Software Supply Chain Security
Speaker Bio
Henrik Plate is the principal security researcher at Endor Labs. He formerly worked for SAP Security Research, where he established and led the focus topic “Open Source Security” starting 2014. He co-authored several academic papers on this topic, presented at academic and industry conferences like the RSA, is the project lead and core-developer of Eclipse Steady (an open source solution using program analysis techniques to assess the exploitability of vulnerabilities), and contributes to the Risk Explorer for Software Supply Chains (an open source solution to understand supply chain threats and safeguards). He earned his PhD in 2024 from the University of Rennes, France, with a thesis titled “On the Security Risks of Open Source Consumption: Vulnerabilities and Supply Chain Attacks in the Era of Open-Source-Based Software Development”. He received his MSc in Computer Science and Business Administration in 1999 from the University of Mannheim, Germany, and holds a CISSP certification.
Sponsors
