Ledger

The SecureSECO ledger stores all steps in the software development life cycle of a software artifact, from source code to running piece of code. We currently have a live prototype (source code on GitHub) of the ledger running for testing purposes. Please be careful and follow the accompanying tutorial.

So what does the ledger store?

To illustrate, here are the read and write operations to the ledger. At the top of the table, you can find the different steps in the Software Development Life Cycle (SDLC) that software goes through. For each step, we decide whether data needs to be written to the ledger, read from it, or both. Please note that this table is still likely to evolve.

As an illustration, we show how the initial three projects (SearchSECO, TrustSECO, and UseSECO) appear in this table.

SearchSECO is the project in which code fragments are extracted from the worldwide software ecosystem, which can later help to identify whether source code has been reused in accordance with its license. When a piece of source code is committed to a repository, it is first checked whether the code is already present in the ledger (hence the R in the table). Then, if the author wants to, the method fragment is committed to the ledger. Later, when the software is packaged into a bundle, the ledger is checked again to see whether the code is already in the ledger.

TrustSECO is the project in which we aim to build trust around packages, for instance by producing reproducible builds, by tracing who the authors of a package are, and by checking whether package dependencies are reliable. We thus write to the ledger when a reproducible build has been created, together with its build hash. Furthermore, when a package is released, we record which software engineer released the package, to increase traceability and thus the reliability of the package. These data are typically needed when an end-user is deciding whether a package configuration is trustworthy or not.

UseSECO is the project that registers package use in a distributed ledger, to enable software producers to remain in contact with software consumers. For instance, when an end-user triggers the API call that registers package use, that use is written to the ledger. Subsequently, software producers can create reports of this usage to enable better product management. One example is that they might want to contact all users of deprecated packages.
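To make the read/write pattern of the three projects concrete, here is an added Python model (not the SecureSECO prototype's code; the ledger class, the event kinds and the function names are assumptions): a hash-chained append-only log, the SearchSECO read-before-write on commit and read-only check at packaging, the TrustSECO build-hash and releaser records, and the UseSECO report of users of deprecated packages.

```python
import hashlib
import json

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:  # toy append-only, hash-chained event log (a model, not the SecureSECO code)
    def __init__(self):
        self.entries = []

    def write(self, kind, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"kind": kind, "prev": prev, **fields}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def read(self, kind, **match):
        return [e for e in self.entries if e["kind"] == kind and all(e.get(k) == v for k, v in match.items())]

    def verify_chain(self):
        # every entry must point at its predecessor and still hash to its stored digest
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def fragment_id(source):
    return hashlib.sha256(source.encode()).hexdigest()  # a method fragment is identified by its hash

def searchseco_commit(ledger, source, author, publish=True):
    # on commit: read first (R); write the fragment (W) only if absent and the author agrees
    fid = fragment_id(source)
    if ledger.read("fragment", fragment=fid):
        return "already_in_ledger"
    if not publish:
        return "not_published"
    ledger.write("fragment", fragment=fid, author=author)
    return "written"

def searchseco_package_check(ledger, sources):  # at packaging: read-only check per fragment
    return {fragment_id(s): bool(ledger.read("fragment", fragment=fragment_id(s))) for s in sources}

def trustseco_release(ledger, package, version, build_hash, releaser):  # both written (W)
    ledger.write("build", package=package, version=version, build_hash=build_hash)
    ledger.write("release", package=package, version=version, releaser=releaser)

def useseco_deprecated_users(ledger, deprecated):  # producer report over "usage" entries
    return sorted({e["user"] for e in ledger.read("usage") if (e["package"], e["version"]) in deprecated})
```

The chain check is what lets a reader of the ledger detect that a stored step was altered after the fact, which is the property the SDLC record depends on.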