Chaire Cyber CNI

Chaire Cyber CNI – Cybersecurity for Critical Networked Infrastructures

[RU2/22] Luis Fernando de Oliveira Soeiro – CodeLedger : tracking the provenance of critical open source components

On Oct 17, 2022, our PhD Luis Fernando de Oliveira Soeiro presented her latest results regarding “CodeLedger : tracking the provenance of critical open source components“. This presentation took place during the research update fall 2022 event of the chair Cybersecurity for Critical Networked Infrastructures ( at the SNCF Head Office. You find more infos on our website

We cordially invite you to contact us for collaborations, partnerships, etc. We are constantly looking for new industry partners to strengthen our profile. Make an appointment to find out more!

To see the video, click on this link :


Open source components are used everywhere as external software dependencies throughout the software industry. Due to their licensing, open source components can also be modified upon use (or “vendored”), multiplying the amount of variants of them that exist in the wild, with relevant impact on both the security and legal compliance of IT products on the market. Global tracking of relevant source code artifacts (such as individual source code files, entire source code trees, commits, releases, etc.) is an important industrial need with state-of-the-art answers that remain lacking. For instance, several software composition analysis (SCA) industrial solutions are either not based on cryptographically secure intrinsic identifiers for source code artifacts, or impose relevant lock-in risks (on a single provider of a closed knowledge base of information about the provenance of open source artifacts), or both. A piece of the solution to this puzzle is comprehensive open data archival of open source software artifacts. In particular, the Software Heritage project has recently assembled the largest publicly accessible archive of open source software artifacts, consisting of tens of billion source code files and billion commits coming from more hundreds million software projects. The Software Heritage archive, based on a Merkle DAG data model with strong integrity guarantees, provides a first approximation of a ledger that captures the global public history of open source software development. It is however not a distributed ledger, making it a single point of failure (and potentially attack) for information about the provenance of open source software.
The goal of this PhD thesis is to research, design, and prototype a distributed variant of such a ledger, ideally via integration with an existing major blockchain/DLT (distributed ledger technology). Such an integration will provide tamper proof and redundant archival of information about the provenance of critical open source components, increasing the solidity of the software supply chain throughout the software industry.

About Luis Fernando de Oliveira Soeiro

I’ve received a B.Sc. in computer science at the Universisty of Brasilia (UnB), Brazil, in 1995. After that I’ve founded a company to provide consulting services related to technology, software processes and information security. In 1999 I’ve received a M.Sc. degree in computer science and software engineering at UnB. Some of the clients I’ve worked with were the Brazilian the Ministry of Science and Technology, the Federal Bank Caixa Economica Federal, and the Brazilian Central Bank. I’ve taught distributed systems and information security in three universities, the Brazilian Post Office and the Brazilian Army. In 2003 I’ve implemented a new software process for the Brazilian Senate, including a pilot project. I’ve also worked with the clusterization of a e-commerce suite used by the South State Government. In 2009 I’ve improved the software process at another client to integrate free and open source distributed version control systems with the proprietary centralized solution. I’ve then joined the Brazilian House of Deputies, where I’ve planned, developed and deployed a new electronic voting system, a new distributed communication system and a fingerprint management system for the members of parliament. There I also joined the software architecture advising group and a research group that studies the impact of information flows on society.

About Research Update

The Research Updates happen once per semester. They are our big status event where our PhD students, PostDocs, and Engineers present their progress, current works, and next challenges. The research update is the perfect opportunity for getting an overview on and discussing what is going on at the chair.

About the chair Cybersecurity of Critical Networked Infrastructures (

The Cyber CNI Chair at IMT Atlantique does research, innovation, and teaching in the field of cybersecurity for critical networked infrastructures. Such infrastructures include industrial processes, financial systems, building automation, energy networks, water treatment plants, or transportation.

The chair covers the full stack from sensors and actuators and their signals over industrial control systems, distributed services at the edge or cloud, to user interfaces with collaborative Mixed Reality, and security policies. The chair currently hosts 9 PhD students, 4 PostDocs, 11 Professors, 1 engineer, and 1 internship student.

The chair runs a large testbed that enables applied research together with the industry partners. The industry partners of the current third funding round are Airbus, BNP Paribas, EDF, and SNCF. The chaire is located in Brittany, France. Brittany is the cybersecurity region number 1 in France. The chair Cyber CNI is strongly embedded in the cybersecurity ecosystem through its partnerships with the Pôle d’Excellence Cyber (PEC) and the Brittany Region.

The chair provides a unique environment for cybersecurity research with lots of development possibilities.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.