CHAINS research project at KTH Royal Institute of Technology

5th KTH Workshop on the Software Supply Chain 2026

Welcome to the 5th KTH Workshop on the Software Supply Chain in Stockholm, Sweden. This workshop is organized in the context of the CHAINS research project.

Program

Time Event
TBD TBD

Keynote

“SBOMs Are No Longer Mandatory Which Is A Good Thing” and Other Opinionated Software Supply Chain Observations, by Justin Cappos, New York University

Justin Cappos

Abstract: Software supply chain security has moved from a niche problem to a critical part of modern software infrastructure. However, that does not mean that it is well understood overall. This keynote focuses on a number of common misconceptions about security in the software supply chain. I will take a position on topics such as “Security might improve now that SBOMs are no longer mandated”, “Integrating Sigstore provides less protection against compromise than you might expect”, “Signing software updates with Notation or similar technologies provides little security benefit”, “Signing Git commits provides only small security value in practice”, and “Reproducible builds are a religion (not a science), but you should join!”. Pointed questions / rebuttals from the audience are welcome!

Speaker Bio: Justin Cappos is a professor in the Computer Science and Engineering Department at New York University. He is a creator of a variety of widely used software supply chain technologies, including TUF, Uptane, gittuf, and in-toto. Working with his collaborators, he has also contributed to security architectures used in Git, reproducible builds, major Linux package managers, popular programming language ecosystems, legal repositories, automobiles, and more. Due to the depth and breadth of these contributions — along with, perhaps, a few gray hairs — he is, to his surprise, sometimes given the moniker “father of software supply chain security”.

Poster session

List of posters:

TBD

Sponsors

SSF

Previous editions

This site is open source. Improve this page.