
To develop software, developers rely on Version Control Systems (VCS) to keep track of their changes and share their work. Git is one of the most widely used VCSs and, while it is decentralized by design, developers rely on highly centralized synchronization platforms such as GitHub.
This centralization raises serious concerns: any actor gaining access to these repositories can change the history, update code, make releases, and even delete files, all while going largely unnoticed. As open source software is relied upon by all industries, this poses a real threat to software supply chain security.
The core idea of this proposal is to bring Git hashes onto Stellar's blockchain to benefit from the traceability and accountability blockchain technology guarantees. The code itself is still versioned using Git and it is still hosted on the synchronization platform of choice, which does not interfere with maintainers' traditional workflows. This gives maintainers access to new ways of managing their project on-chain and at its core it provides a distributed way to prove the integrity of their project.
Our project will greatly benefit Stellar's ecosystem as open-source maintainers using our system will get to use Stellar and Soroban. This will in turn bring some of these maintainers to the Stellar ecosystem.
Version Control Systems (VCS), and Git specifically, are ubiquitous among software engineers. Git is decentralized by design; moreover, its code history is a Merkle tree: each version, referred to as a commit, is identified by a hash that covers the hash of its parent commit(s), so the hashes link together into a tamper-evident history. Git is in essence a blockchain.
When working on a project using Git, everyone gets the complete history and people can push and pull code from one person to another. Reconciling differences between one person's code and another's can be challenging when many people work on the same area of the code.
In practice, a team of developers and maintainers needs a more convenient way to synchronize their work. To address this problem, maintainers can use a central platform where they synchronize their work. GitHub is the most used platform to share and collaborate on open-source projects. For many teams, the whole software development lifecycle happens there, from the inception of ideas to the release of a new version.
This centralization brings many challenges when it comes to securing the software supply chain. In past years, we have seen attacks on almost every, if not all, parts of this centralized structure: maintainer accounts have been compromised or maintainers have gone rogue; code has been compromised through exploits of GitHub or of the continuous integration system; release artifacts have been tampered with; and GitHub has also deleted projects it deemed unsuitable for its platform (albeit often to comply with local regulations).
To answer these concerns around software supply chain security, we propose to leverage the Stellar blockchain to store Git hashes. The following components are proposed: (i) a Soroban smart contract to register Git hashes on-chain; (ii) a dApp for maintainers to manage their projects and users to participate and monitor their dependencies; and (iii) tools to help maintainers deploy and use this system transparently.
The core of the proposal is a Soroban smart contract called the Soroban Versioning contract. This contract will set the foundation of what will be built to support maintainers with their projects.
The contract will hold project-specific metadata and the hash of the latest code change. Updating the hash leaves a permanent record on-chain. These update events can be monitored to build an off-chain history, which can then be compared with the state on other platforms such as GitHub. We will build the necessary services to ingest these events. These services will play a pivotal role, sitting between Soroban and our proposed dApp.
Strict access control is key to guaranteeing that only maintainers can update on-chain data. Soroban provides an elegant and robust solution with address signing. By storing a list of authorized maintainers on-chain, we are enabling projects to be more transparent as to who holds which rights.
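As an added illustration (not the proposal's own contract code), the following std-only Rust models the Soroban Versioning contract's storage and authorization rules described above: a project record with a maintainer list and a head commit hash, an update path that first requires the caller's signature and only then checks the maintainer list, an event per successful update, and the off-chain side that rebuilds a history from those events and compares the on-chain head with the head observed on a hosting platform. `Env::require_auth` stands in for Soroban's address-signing check, `Address` is a plain string instead of `soroban_sdk::Address`, the sample addresses are constructed, and all function and type names are assumptions.

```rust
use std::collections::HashMap;

// Added model of the Soroban Versioning contract, std-only Rust rather than a
// soroban_sdk contract: Address is a plain String and Env::require_auth stands
// in for the host's address-signing check. All names here are assumptions.
pub type Address = String;

#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    NotAuthorized, // the invocation was not signed by the claimed address
    NotMaintainer, // the signer is not in the project's maintainer list
    ProjectExists,
    UnknownProject,
    InvalidHash, // not a 40-hex-digit SHA-1 Git object id
}

/// Simulated host environment: the ledger sequence and which addresses signed.
pub struct Env {
    pub ledger: u64,
    signers: Vec<Address>,
}

impl Env {
    pub fn new(ledger: u64, signers: &[&str]) -> Self {
        Env { ledger, signers: signers.iter().map(|s| s.to_string()).collect() }
    }
    /// Stand-in for Soroban's Address::require_auth(): fails unless `addr` signed.
    pub fn require_auth(&self, addr: &Address) -> Result<(), Error> {
        if self.signers.contains(addr) { Ok(()) } else { Err(Error::NotAuthorized) }
    }
}

/// On-chain project record: who may update it and the current head commit.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Project {
    pub maintainers: Vec<Address>,
    pub head: String,
}

/// Emitted on every successful update; the off-chain ingestion service reads these.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UpdateEvent {
    pub project: String,
    pub maintainer: Address,
    pub old_head: String,
    pub new_head: String,
    pub ledger: u64,
}

#[derive(Default)]
pub struct VersioningContract {
    projects: HashMap<String, Project>,
    events: Vec<UpdateEvent>,
}

fn is_commit_hash(s: &str) -> bool {
    s.len() == 40 && s.bytes().all(|b| b.is_ascii_hexdigit())
}

impl VersioningContract {
    /// Register a project. The caller must have signed and is always a maintainer.
    pub fn register(&mut self, env: &Env, caller: &Address, name: &str,
                    mut maintainers: Vec<Address>, head: &str) -> Result<(), Error> {
        env.require_auth(caller)?;
        if self.projects.contains_key(name) { return Err(Error::ProjectExists); }
        if !is_commit_hash(head) { return Err(Error::InvalidHash); }
        if !maintainers.contains(caller) { maintainers.push(caller.clone()); }
        self.projects.insert(name.to_string(), Project { maintainers, head: head.to_string() });
        Ok(())
    }

    /// Move the project's head. Two checks: the caller signed (who they are),
    /// then the caller is listed as a maintainer (what they may do).
    pub fn update(&mut self, env: &Env, caller: &Address, name: &str, new_head: &str)
                  -> Result<(), Error> {
        env.require_auth(caller)?;
        let project = self.projects.get_mut(name).ok_or(Error::UnknownProject)?;
        if !project.maintainers.contains(caller) { return Err(Error::NotMaintainer); }
        if !is_commit_hash(new_head) { return Err(Error::InvalidHash); }
        let old_head = std::mem::replace(&mut project.head, new_head.to_string());
        self.events.push(UpdateEvent {
            project: name.to_string(), maintainer: caller.clone(),
            old_head, new_head: new_head.to_string(), ledger: env.ledger,
        });
        Ok(())
    }

    pub fn head(&self, name: &str) -> Option<&str> {
        self.projects.get(name).map(|p| p.head.as_str())
    }
    pub fn events(&self) -> &[UpdateEvent] { &self.events }
}

/// Off-chain indexer: rebuild a project's head history from the event stream.
pub fn history(events: &[UpdateEvent], project: &str) -> Vec<String> {
    let mut hist: Vec<String> = Vec::new();
    for e in events.iter().filter(|e| e.project == project) {
        if hist.is_empty() { hist.push(e.old_head.clone()); }
        hist.push(e.new_head.clone());
    }
    hist
}

/// Monitoring: does the head seen on a hosting platform match the on-chain head?
pub fn platform_matches_chain(contract: &VersioningContract, project: &str, platform_head: &str) -> bool {
    contract.head(project) == Some(platform_head)
}

fn main() {
    let alice = "GALICE".to_string(); // constructed sample addresses
    let bob = "GBOB".to_string();
    let mut chain = VersioningContract::default();
    chain.register(&Env::new(1, &["GALICE"]), &alice, "scipy", vec![bob.clone()], &"a".repeat(40)).unwrap();
    chain.update(&Env::new(2, &["GBOB"]), &bob, "scipy", &"b".repeat(40)).unwrap();
    println!("history: {:?}", history(chain.events(), "scipy"));
    println!("forged caller: {:?}", chain.update(&Env::new(3, &["GMALLORY"]), &bob, "scipy", &"c".repeat(40)));
}
```

The ordering of the two checks in `update` is the point: the signature check establishes who is calling, and the on-chain maintainer list establishes what that address may do. A caller who merely claims a maintainer's address without its signature fails the first check, a signer who is not listed fails the second, and every accepted update is an event that an indexer can replay, which is what lets a mismatch with a hosting platform's head be detected.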
As we have seen in past similar projects, the developer experience is paramount to getting any traction and adoption. To that end, we will provide various pre-commit hooks to fit seamlessly into most maintainers' workflows.
Last but not least, our codebase will not only be open-sourced, our development will also be open. We will ensure that we provide comprehensive documentation and that the code can be easily understood and audited. Maintainers will need guarantees that we are only doing what they explicitly want us to do with their credentials.
$33.1K
Consulting Manao's mission is to support open-source software by providing consulting services around open-source solutions. It has worked with various organizations such as NASA ROSES, CZI, NumFOCUS, SimDec and Quansight, and has supported the work of Pamphile T. Roy for 3 years on the following activities: SciPy core maintainer; SciPy's Contributor Experience Lead; SALib's core maintainer; member of the Scientific Python Ecosystem's Steering Committee; member of NumFOCUS' Security Committee; co-chair of NumFOCUS' Small Development Grant Committee; co-lead of two CZI grants (EOSS5-0000000176 and EOSS-DI-0000000031); investigator on several grants: AMD, NumFOCUS, NASA ROSES.

