datastack-net / dockerized

Run popular commandline tools within docker
MIT License
1.26k stars, 39 forks

digital copyright #22

Closed JudeSafo closed 2 years ago

JudeSafo commented 2 years ago
boukeversteegh commented 2 years ago

Closing this as it seems an automated PR and is broken.

Please try again with some explanation and please include a reference of a well known project that is using this technique.

JudeSafo commented 2 years ago

Hi,

The digital-copyright (https://haiphenai.com/) is a byte-level digital signature that you can reference to a blockchain node. Should you ever need to verify the authenticity of your source code (e.g. binary or API requests) you can compare the hashes to make sure they agree. If you're familiar with SSL/TLS encryption you can think of it as the same concept but for software supply chain.

Not spam, just testing this feature and seeing if it's of any utility for open source developers.

Appreciate any feedback and/or questions! 🙏🏾

On Sun, Mar 27, 2022 at 4:32 PM Bouke Versteegh @.***> wrote:

Closed #22 https://github.com/datastack-net/dockerized/pull/22.


--

Jude Safo | Haiphenai.com

boukeversteegh commented 2 years ago

Hi, thank you for clarifying.

I think I understand the idea. So I commit a signed hash of the compiled binary to the blockchain. I'm not sure how it guarantees that the source code matches the binary (for that you need deterministic builds at least). To be frank I don't think I will get into this at the moment, but it's interesting so I have some questions that can perhaps help you to better promote your technology.

There are also conventional approaches to supply chain attacks, like signed packages and signed commits, or simply including a sha in the downloads list. Could you explain how this technology improves on it?

If you want to promote your technology, I would recommend to include a clear explanation of:

JudeSafo commented 2 years ago

Great feedback boukeversteegh🙏🏾

You have no idea how helpful this is for me. I will continue to iterate and converge towards something that is of practical value for the community.

Thanks again!