Category

Hyperledger Sawtooth

One Year Later: Interoperability & Standardization Shine at Consensus

By | Blog, Events, Hyperledger Burrow, Hyperledger Fabric, Hyperledger Quilt, Hyperledger Sawtooth

Interoperability and standardization took center stage (literally) last week in New York at Consensus, when organizations like FedEx explained that both Ethereum and Hyperledger technology power their logistics solution and that it was a goal of theirs to be agnostic when choosing ledger technologies. Then there was the Enterprise Ethereum Alliance, which announced their 1.0 specification that many blockchain developer communities, including Hyperledger Sawtooth, plan to be compatible with in the near future.

It seems as though our hard work at Hyperledger has been paying off, and Executive Director Brian Behlendorf believes we’re now seeing evolution beyond the basic technology questions to more involved discussions about scale, interoperability and governance. In fact, he met with Steven Norton of The Wall Street Journal during Consensus to discuss just that. Brian told Steven:

“Now that we have running systems and there is real value on these different networks, figuring out how to wire them together is a greater priority now than it was a few years ago. But even outside the blockchain space, interoperability is always a process, never a destination. People are starting to finally ask how do we get out of a simplistic mode of saying everyone should all be on the same public ledger, and instead get to a more sophisticated set of questions, like what does interoperability actually mean. It might mean wiring these things together with common software underneath. It might also mean common software on top.”

The Hyperledger booth at Consensus 2018

The discussions around interoperability were a significant contrast to what we saw one year ago at Consensus, when many were just trying to wrap their minds around the technology capabilities and experimentation was in full swing. The idea of different blockchains interacting with one another still seemed like several years away. At that time, we only saw a glimpse of potential possibilities for interoperability when the HACERA team created a fun chess game called Dutchess at the Building Blocks Hackathon that used a combination of technologies like Ethereum, Solidity, Quorum, and Hyperledger Sawtooth.

Jonathan Levi from HACERA explaining different technologies powering Dutchess

At Hyperledger, we envision a world of many chains, some public like the crypto-currencies and some permissioned like you will see in healthcare settings. That’s why we focus on developing the common frameworks for building all kinds of chains. Our diverse developer communities remain diligent in helping the industry advance interoperability above the layer of the DLT, and are constantly on the lookout for simple and open cross-blockchain approaches. An early example of this was the integration between the Hyperledger Sawtooth and Hyperledger Burrow projects last year. As a result of that integration, simple EVM smart contracts can be deployed to Hyperledger Sawtooth using the “Seth” (Sawtooth Ethereum) Transaction Family.

“This integration validates that positioning and establishes a strong upstream-downstream relationship between the Sawtooth and Burrow projects. Successful open source endeavours are community driven, collaborative efforts and this linkage between the Hyperledger Sawtooth and Hyperledger Burrow teams reinforces that ethos.” – Adam Ludvik, Bitwise IO & Casey Kuhlman, Monax  

Building on that development, the Hyperledger Sawtooth community released a feature called Dynamic Consensus, which goes beyond pluggable consensus to allow networks to change consensus on the fly. Hyperledger Sawtooth supports three consensus protocols right now and two more are in development. Also in development is a change to the Sawtooth consensus API that will allow consensus providers written in a variety of languages. This follows a similar pattern to Sawtooth’s support for smart contracts in a variety of languages, and it expands the breadth of possible consensus algorithms and protocols that can be easily coupled to Sawtooth. A more recent example is the Hyperledger Fabric community, which has been working hard to create a bridge to the Ethereum community, so that developers can write EVM smart contracts on Fabric. The hope is that our community will continue to tighten integration and interoperability across Hyperledger projects and beyond, allowing a greater number of available options for developers. We hope that even more developers can start to think out of the box, connecting blockchains, and doing it securely. The problem of working with more than one technology stack is no longer a technical one.

Community Architect, Tracy Kuhrt presenting at the Hyperledger NYC Meetup after Consensus

Hyperledger was established to bring together related, and even competing, technologies with the expectation that the common governance will lead to interoperability and gradual consolidation. Interoperability will be essential to the widespread adoption of blockchain technology because that is what will help the blockchain business ecosystem standardize and thrive. As Brian mentioned to The Wall Street Journal, standards are hard, but getting everyone to agree will end up being the bigger challenge:

“I think the tech is ready for the volume of transactions people want to throw at it and the flexibility of programming models that they want. It’s really the governance. It’s hard enough for one organization to launch any new product. Getting multiple parties to agree on anything — like a time of day for a meeting, let alone a common application — will end up being a bigger challenge. Standards are hard. These things are alive and humming like a benzene ring. They depend upon everybody running the right thing at all times. That I think operationally will be the big challenge.” – Brian Behlendorf

We look forward to the rest of 2018 and all the progress to be made with interoperability. We hope you join us in the effort by contributing to Hyperledger projects.

You can plug into the Hyperledger community at GitHub, Rocket.Chat, the wiki or our mailing list. As always, you can keep up with what’s new with Hyperledger on Twitter or email us with any questions: info@hyperledger.org.

Hyperledger Sawtooth Security Audit

By | Blog, Hyperledger Sawtooth

David Huseby, Hyperledger Security Maven

 

As part of the software development process at Hyperledger, any project that reaches its 1.0 milestone must have a security audit conducted by an outside firm. As we did with the Hyperledger Fabric security audit, we hired the audit firm Nettitude to also audit Hyperledger Sawtooth. Today we are announcing the publication of the audit report.

The audit found a mix of issues from low priority all the way to one high priority issue.  This report further supports the rule that fresh eyes find bugs. The one high priority issue was incorrect file permissions on the file storing a private key.  It’s little mistakes like that, that are sometimes the hardest to see when you’ve been staring at the same files and code for months.
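A check for this class of finding, as an added example (not code from the audit report or from Hyperledger Sawtooth): it walks a key directory, flags private key files that anyone other than the owner can access, and tightens them to owner-only. The `.priv` suffix and the sample file are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// keySuffix is an assumption of this example, not a value from the audit report.
const keySuffix = ".priv"

// Finding is one permission problem on or around a private key file.
type Finding struct {
	Path string
	Perm fs.FileMode
	Why  string
}

// AuditKeyDir walks root and reports key files that anyone but the owner can
// access, plus key directories that group or other can write to (a writable
// directory lets another user swap the key file out).
func AuditKeyDir(root string) ([]Finding, error) {
	var out []Finding
	seenDir := map[string]bool{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !strings.HasSuffix(d.Name(), keySuffix) {
			return nil
		}
		info, err := os.Lstat(path) // Lstat: do not follow a symlinked key
		if err != nil {
			return err
		}
		if info.Mode()&fs.ModeSymlink != 0 {
			out = append(out, Finding{path, 0, "symlink; audit the target instead"})
			return nil
		}
		if perm := info.Mode().Perm(); perm&0o077 != 0 {
			out = append(out, Finding{path, perm, "key accessible beyond its owner"})
		}
		dir := filepath.Dir(path)
		if !seenDir[dir] {
			seenDir[dir] = true
			di, err := os.Stat(dir)
			if err != nil {
				return err
			}
			if perm := di.Mode().Perm(); perm&0o022 != 0 {
				out = append(out, Finding{dir, perm, "key directory writable by group/other"})
			}
		}
		return nil
	})
	return out, err
}

// Tighten sets owner-only read/write (0600) on every regular key file reported.
// Directory and symlink findings are left for an operator to resolve.
func Tighten(findings []Finding) error {
	for _, f := range findings {
		info, err := os.Lstat(f.Path)
		if err != nil {
			return err
		}
		if info.Mode().IsRegular() {
			if err := os.Chmod(f.Path, 0o600); err != nil {
				return err
			}
		}
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed sample: a temp directory with one over-permissive key file.
	root, err := os.MkdirTemp("", "keys")
	must(err)
	defer os.RemoveAll(root)
	key := filepath.Join(root, "example"+keySuffix)
	must(os.WriteFile(key, []byte("constructed, not a real key\n"), 0o600))
	must(os.Chmod(key, 0o644)) // simulate the misconfiguration
	findings, _ := AuditKeyDir(root)
	for _, f := range findings {
		fmt.Printf("%s mode=%04o: %s\n", f.Path, f.Perm, f.Why)
	}
	must(Tighten(findings))
	after, _ := AuditKeyDir(root)
	fmt.Printf("findings after tightening: %d\n", len(after))
}
```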

Thanks to the persistence and attention to detail of the Nettitude analysts, Hyperledger Sawtooth is that much better today.  The overall low number of issues is a testament to the dedication and skill of the Hyperledger Sawtooth community. With the publication of this audit report, we close out the 1.0 process for Hyperledger Sawtooth and hopefully make good on the promise of the open source process.

(5.14.18) TechTarget: Hyperledger Sawtooth: Blockchain for the enterprise

By | Hyperledger Sawtooth, News

Enterprises ready to explore blockchain platforms can now consider Hyperledger Sawtooth 1.0, which was specifically designed to keep ledgers distributed and smart contracts secure within the business realm. Some of its capabilities also make Sawtooth a good fit for IoT applications.

Enterprise Blockchain Demos & Presentations at Consensus

By | Blog, Events, Hyperledger Fabric, Hyperledger Indy, Hyperledger Iroha, Hyperledger Sawtooth

Next week we will be busy at Consensus, happening in New York May 14-16. Consensus is a great event for our members to set the stage and speak to what’s happening in the Hyperledger community, as production blockchain deployments have been heavily increasing. Many members will demonstrate applications of distributed ledger technology for financial services, supply chain, identity management and various other use cases.

These demos highlight true collaboration and maturity of Hyperledger technologies across many industries. As we head farther into 2018, we’re excited to see how these frameworks continue to evolve and improve business processes across many other industries.

Hyperledger members will showcase the following demos and presentations at the Hyperledger booth (#315):

Monday, May 14

10:20am: IntellectEU – Enterprise Blockchain integration with IoT devices and back office systems by Hanna Zubko, CEO and Paulo Rodrigues, Global Business Developer Manager and CEO Portuguese Offices

This presentation will cover a real customer case leveraging Blockchain technology to offer a new insurance product: a flexible pay per mile insurance based on the real car mileage and condition, calculating the insurance premium rate and quoting the offer based on the accumulated data received from the IoT device installed in the car. This pilot project is based on Hyperledger Fabric 1.0 and IntellectEU’s Catalyst integration solution. Catalyst serves as a hub for connecting the insurance database, emulated IoT device, end user application and the ledger itself. Catalyst listens to the changes on all data sources and based on the business rules applies the corresponding logic.

12:30pm: SecureKey – Using Hyperledger Tracking to Make Frictionless Digital Identity Possible by Matt Jaksic, Business Development

SecureKey will demonstrate Verified.Me, its digital identity network launching later this year that will put consumers in control of how they validate their identities. Collaboratively created by leading organizations across many different sectors including Canada’s leading banks, Verified.Me will enable consumers to privately, securely and conveniently share information from trusted providers such as banks, telecommunications companies and governments. The platform is designed to empower the consumer by giving them the ability to explicitly choose what information to share, when to share it and with whom. Come see how Verified.Me can change the way we get things done faster and securely online, in person and on the phone!

1:00pm: Thales eSecurity – Enterprise ready high security blockchain by Jon Geater, Chief Technology Officer and John Velissarios, Managing Director at Accenture

Accenture has developed an enterprise ready blockchain solution with enhanced cryptographic security from Thales eSecurity Hardware Security Module. It provides an immutable audit trail proving hardware, software and documentation authenticity and compliance across supply chains. Using CryptoSeal and FPGA fingerprinting technology, they are able to give materials in the supply chain a unique identity to prove authenticity. This combination of technologies allows someone to securely and transparently track all kinds of transactions, between OEMs, suppliers, manufacturers and customers. This dramatically reduces time delays, added costs, and human error that affect the surety of transactions underpinning our supply chains today.

3:00pm: Omnitude – Seamless Blockchain Integration by Martyn Brougham, COO Americas, and James Worthington, Blockchain Consultant

Omnitude is a middleware plug and play blockchain built on Hyperledger Fabric, for use across the whole spectrum of enterprise and eCommerce platforms and allows eCommerce businesses to adopt blockchain quickly and efficiently, without needing to replace current systems. The presentation will show how Omnitude allows eCommerce and enterprise businesses to adopt blockchain quickly and efficiently, without needing to replace current systems.

3:50pm: DLT Labs – DLT Wallet by David Freeman, Director

DLT Labs will be showing off their DL Digital Wallet, a sophisticated peer-to-peer network powered by Hyperledger Fabric, offering security, efficiency, and convenience for an overall improved customer experience. DL Digital Wallet facilitates seamless account overview, accommodates company loyalty programs and management, and is integrated with leading e-payment service providers. The cost of each transaction is fixed irrespective of value transferred and received and is significantly less costly than other charges by any payment network today.

Tuesday, May 15

10:20am: ScanTrust – “Cambio” Your Coffee: Using Blockchain to Drive Ethically Sourced Coffee by Tobias Kars, VP of Product & Delivery and Nathan J. Anderson, CEO/Co-founder

As tech-savvy and socially conscious consumers seek more information about the sustainability of the products they consume, businesses need to adapt and find ways to track their relationships with suppliers and communicate this to their customer base. This demo highlights how ScanTrust and Cambio Coffee, a leading Asian direct trade specialty coffee company, leverage Hyperledger Sawtooth to deliver greater supply chain transparency within the coffee industry and bring to light trusted product information.

12:30pm: Soramitsu – Hyperledger Iroha by Makoto Takemiya, Co-CEO

Hyperledger Iroha 1.0 is close to being released and has many new features and architectural differences from previous versions. In particular, a new consensus algorithm, YAC, has been developed that allows for full Byzantine fault tolerance. Predefined commands to perform common tasks, such as creating and transferring assets, allow programmers to quickly build applications on top of Hyperledger Iroha. Come by to see what’s new with Hyperledger Iroha!

1:00pm: Evernym – Verifiable Credentials with Hyperledger Indy and the Sovrin DLT by Drummond Reed, Chief Trust Officer and Judd Bagley, Sr. Communications Director

Evernym will share a live demonstration of the use of Verifiable Credentials on the Sovrin DLT, powered by Hyperledger Indy. The demo will include a brief overview of key concepts, then show actual business cases for how a self-sovereign identity owner can be issued verifiable digital identity credentials into a mobile digital wallet and then present them to relying parties who can verify them by checking public keys on the Sovrin ledger. The result is much simpler, faster, more secure, and more privacy-respecting digital identity as well as powerful new types of decentralized online relationships. Evernym personnel will be in attendance for Q&A during and after the demonstration.

2:10pm: Oracle – Hyperledger Fabric in Enterprise-Grade Cloud by Deepak Goel, Sr Director, Software Development

Oracle’s blockchain cloud service, built on Hyperledger Fabric, provides a hardened enterprise-grade platform for building blockchain applications and enabling existing enterprise applications to use distributed ledgers and trusted transactions. In this demo, they will show how it enables rapid experimentation and provides a production-ready blockchain infrastructure to realize successful use cases in production environment with high availability, enterprise security, dynamic scalability, and ease of operations built into the platform. They will walk you through the tools in the operations console and demonstrate how Hyperledger Fabric configuration, operations, and monitoring has been simplified and how developers and IT operations can be more productive leveraging Oracle’s blockchain cloud service as their Hyperledger Fabric platform.

3:50pm: Greenstream Technology – Blockchain Meets Cannabis: Emerging Tech for an Emerging Industry by Manu Varghese, Chief Product Officer and Jim Anastassiou, VP Engineering

Greenstream Network is an industry-wide gateway solution that will allow Licensed Producers, Retailers, Regulators and other industry stakeholders to communicate, interoperate and transfer assets and value through the Canadian cannabis ecosystem. The emerging Cannabis ecosystem faces a plethora of challenges like Trace and Track of the goods through the supply chain, auditing and compliance issues, process integrity, slower payments and challenges with respect to identity validation. Greenstream provides three key solutions: Supply Chain Integrity, Payments and Settlements Engine and Self Sovereign Identity. The Greenstream ecosystem is based on a permissioned DLT model and uses Hyperledger frameworks such as Hyperledger Fabric, Burrow and Indy to achieve specific objectives. This talk outlines the options considered, the factors evaluated, the challenges faced and the lessons learned.

Wednesday, May 16

12:15pm: B9lab – Someone needs to build it: closing the Hyperledger talent gap by Elias Haase, Founder

Every day, B9lab gets requests for Hyperledger Fabric developers, from concept-phase startups to major enterprises. However, as these requests grow, so does the need for thorough vetting and certification in the Hyperledger talent market. How do you know if the developers you are hiring are as good as they say they are? Come see this presentation to find out!

12:45pm: REMME – REMME WebAuth – passwordless authentication powered by blockchain by Alex Momot, CEO

REMME WebAuth is the first and one of the basic DApps in the REMME ecosystem. This demo will show how users (employees or clients) can log in to a browser service via REMME in one click. REMME is an access management solution that makes passwords obsolete. Users generate a certificate for each device. Once the certificate is installed on a device, it enables one-click authentication on any service that has REMME integrated. REMME WebAuth can be integrated with any service, from crypto exchanges to big enterprises’ intranets or web services.

1:45: Altoros – Decentralization of P2P Securities Transfer Implemented on Hyperledger Fabric by Greg Skerry, Blockchain Solution Architect, Trainer

This presentation will cover details of a working blockchain project implemented for a National Settlements Depository Institution: decentralized platform for peer-to-peer securities transfer and keeping the records of securities owned by each holder. The solution developed on the Hyperledger Fabric framework keeps an immutable, auditable chain of records reflecting securities ownership transfers. This presentation will focus on the product functionality: how the platform works; how it can be adapted for transferring different types of assets or rights, incl. intangible assets.

In addition to these demos and presentations, several Hyperledger members including MedicalChain, Embleema and Change Healthcare will participate in the “State of Blockchain in Healthcare” panel at Consensus 3:10pm on May 15.

You can also join Hyperledger on the last evening of Consensus from 6-8pm at the Meetup: “The Hyperledger Greenhouse: Meet Developers Building Blockchain Frameworks” to get a chance to network and hear directly from developers of several Hyperledger frameworks! Tracy Kuhrt, Community Architect at Hyperledger, will provide an overview of the frameworks and tools that you can leverage for your enterprise blockchain solution. Then breakout sessions will give you the opportunity to have a deeper discussion to learn more about Hyperledger Fabric, Sawtooth (Seth), Indy and more. Please bring your burning questions about how to get started and participate in the Hyperledger community.

Be sure to follow Hyperledger on Twitter for the latest updates at Consensus. We look forward to an exciting week and seeing everyone there!

 

The Dutchess Project: A Tale of True Interoperability Between Multiple Blockchains

By | Blog, Events, Hyperledger Indy, Hyperledger Sawtooth

As we gear up for Consensus 2018, and for the great Building Blocks Hackathon, we thought it would make sense to resurface a blog on The Dutchess Project from last year’s hackathon that demonstrated radical interoperability across the following technologies:

  • Public Ethereum accounts to transfer money
  • Solidity for business logic using smart contracts (the Dutch Auction, Escrow, Release of Funds)
  • Quorum (JP Morgan’s fork of Ethereum) for encrypting transaction payloads
  • Hyperledger Sawtooth simulating a Trusted Execution Environment (TEE) for Chess moves validation, approvals and auditability.
  • HACERA’s Self-Sovereign Decentralized ID implementation (using DIDs) for registering identity tokens and creating a permissioned and public identity chain (for secure verifiable claims)
  • Microsoft Azure cloud deployment

Ten project teams took home awards from the Consensus 2017: Building Blocks Hackathon. Among them was Dutchess, a chess game built with four blockchain technologies by Jonathan Levi, Sergey Klimenko, Elan Perah and Michael Bogdanov from the HACERA team. This project beautifully illustrates how different blockchains can handle isolated responsibilities while still working together within a larger system.

Dutchess won two challenges in total. It won the Enterprise Ethereum Alliance challenge to “use an Enterprise Ethereum Alliance stack to create a decentralized Dutch auction network with secret bid matching” and the Microsoft challenge to “leverage Microsoft Azure as part of your blockchain project.”

The HACERA Dutchess team: Jonathan Levi, Sergey K, Michael B and Elan Perah receiving the Enterprise Ethereum Award from Jeremey Millar (Consensys) and Sandra Ro (CME Group)

We spent an hour with Jonathan to learn about the Dutchess project and what blockchain developers can learn from it. At the beginning of the hackathon, Jonathan wanted to build something useful, participate in as many of the challenges as possible, learn new technologies, and apply blockchain development expertise from his company to a project. Jonathan is the founder of the blockchain technology company HACERA, which works with several blockchain technology stacks to provide secure identity and access control management of users, devices and data on blockchains. This experience shines through in the way the Dutchess project uses multiple blockchains in an auditable and verifiable chess game with identity protection and privacy preservation.

Dutchess uses four blockchain technologies: Ethereum, Quorum, Hyperledger Indy, and Hyperledger Sawtooth

There are six steps to each Dutchess game, which use a total of four different blockchain technologies to implement. The project uses Ethereum for payments, Quorum for smart contracts, Hyperledger Indy for identity management, and Hyperledger Sawtooth for auditable computing. In addition, the project uses three instances of Microsoft Azure. Here’s how the project leverages these technologies across the six steps.

Step 1: Bidding in a dutch auction and sending funds into escrow

Two users, each of whom has some funds in Ethereum, can choose to play a chess game that’s preceded by a dutch auction. During the auction, whichever player agrees to pay the auction fee wins an advantage on the game board — the winner plays with all their pieces while their opponent plays without a queen.

This auction uses one instance from Microsoft Azure that runs Quorum, which is a permissioned version of Ethereum. Quorum’s smart contract contains the logic of the auction and the ability to place blocks periodically. Since a dutch auction is a reverse auction, the smart contract starts with a high offer and reduces the offer with each block placed. The offer starts with 100 Ether. At the next block, it’s 90 Ether. At the next block, it’s 80 Ether, and so on until a player places a bid to accept the offer. By accepting the offer, this player wins the auction, gets the advantage, and sends the value of the bid into escrow via Quorum.

Step 2: Registering IDs for Dutchess accounts

With the bidding done, each player moves on to register an ID for his or her Dutchess account. The IDs allow players to play without exposing their actual identity. To the user, it just looks like they are choosing a username, but behind the scenes the game is registering a Sovrin identity using Hyperledger Indy. This registration process outputs a signed token and a waive token. The waive token is the one that you see in the game interface.

Step 3: Play chess with the ID token

Now, players start playing chess with their tokens. Each game has a white player, a black player, a transaction processor, and an auditor. Each time a move is made by a player, the move is sent to the transaction processor, which checks to ensure that the move is valid. If the move is valid, the transaction processor then posts the state of the board to an instance of Hyperledger Sawtooth in the form of a string. This string documents every position of every piece on the board at the end of each turn. Since a new string is committed to Hyperledger Sawtooth at the end of every move, all Dutchess games can be replayed and analyzed one move at a time by reading the string data back from the blockchain.

Step 4: Update ranking

When players complete a game, the auditor sends a ranking agent information about who won, who lost, or if the game was a stalemate. The ranking agent keeps every outcome of every Dutchess game in the Hyperledger Sawtooth blockchain, where it can be queried. The ranking agent also keeps a tally of player rank among all registered Dutchess player IDs.

Step 5: Payment resolution with claims, proof of winning, and proof of ranking

To collect payment after winning a Dutchess game, the winning player must make a claim that he or she won the game. If the claim is true, the ranking agent will issue a signed proof of the win, which the player can take to Quorum for payment resolution.

Players can also use the ranking agent to output a proof of rank instead of a proof of win. For example, the top ranked player could make a claim that they are #1. The ranking agent would issue a signed proof, that yes, they are #1. This proof could be used to prove a player’s rank to some other system, such as a betting system based on player rank.

Step 6: Release funds

As long as the proof from the ranking agent says the player did indeed win the game, Quorum pays Ether out to the winner from the escrow account set up in step 1.
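Steps 5 and 6 as an added sketch in Go, not HACERA's code: a ranking agent signs a proof of win, and the escrow releases funds once against it while knowing only the agent's public key. Ed25519, the JSON claim layout, the payout-address map and all names and values are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is what the ranking agent attests to: no board state, no Ether amount.
type Claim struct {
	Kind   string `json:"kind"` // "win"; a "rank" claim would be signed the same way
	GameID string `json:"game_id"`
	Player string `json:"player"` // pseudonymous game ID, not an Ethereum account
}

// Proof is a claim plus the agent's signature over the claim's JSON encoding.
type Proof struct {
	Claim Claim
	Sig   []byte
}

// encode is the byte string signed and verified; fields marshal in declaration order.
func encode(c Claim) []byte {
	b, _ := json.Marshal(c)
	return b
}

// RankingAgent records outcomes and holds the signing key.
type RankingAgent struct {
	priv    ed25519.PrivateKey
	winners map[string]string // game ID -> winning player ID
}

// ProveWin signs a claim only if it matches the recorded outcome.
func (a *RankingAgent) ProveWin(gameID, player string) (Proof, error) {
	if w, ok := a.winners[gameID]; !ok || w != player {
		return Proof{}, errors.New("claim does not match recorded outcome")
	}
	c := Claim{Kind: "win", GameID: gameID, Player: player}
	return Proof{Claim: c, Sig: ed25519.Sign(a.priv, encode(c))}, nil
}

type Deposit struct { // escrowed amount for one game and where each player is paid
	Amount uint64            // whole Ether, for readability
	Payee  map[string]string // player ID -> payout address (assumed set at step 1)
}

// Escrow trusts only the agent's public key; it never sees moves or rankings.
type Escrow struct {
	agentKey ed25519.PublicKey
	deposits map[string]Deposit // game ID -> deposit
}

// Release pays out at most once per game, and only against a valid proof of win.
func (e *Escrow) Release(p Proof) (string, uint64, error) {
	if !ed25519.Verify(e.agentKey, encode(p.Claim), p.Sig) {
		return "", 0, errors.New("signature does not verify under the agent's key")
	}
	if p.Claim.Kind != "win" {
		return "", 0, errors.New("not a proof of win")
	}
	d, ok := e.deposits[p.Claim.GameID]
	if !ok {
		return "", 0, errors.New("no escrowed funds for this game (unknown or already paid)")
	}
	addr, ok := d.Payee[p.Claim.Player]
	if !ok {
		return "", 0, errors.New("winner has no payout address in this escrow")
	}
	delete(e.deposits, p.Claim.GameID) // the same proof cannot be redeemed twice
	return addr, d.Amount, nil
}

// NewDemo builds constructed data: "white-7f3a" won "game-1", 80 Ether in escrow.
func NewDemo() (*RankingAgent, *Escrow, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return nil, nil, err
	}
	payee := map[string]string{"white-7f3a": "0xAAAA-constructed", "black-91c2": "0xBBBB-constructed"}
	agent := &RankingAgent{priv: priv, winners: map[string]string{"game-1": "white-7f3a"}}
	escrow := &Escrow{agentKey: pub, deposits: map[string]Deposit{"game-1": {Amount: 80, Payee: payee}}}
	return agent, escrow, nil
}

func main() {
	agent, escrow, err := NewDemo()
	if err != nil {
		panic(err)
	}
	proof, _ := agent.ProveWin("game-1", "white-7f3a")
	forged := proof
	forged.Claim.Player = "black-91c2" // altered after signing
	for _, p := range []Proof{forged, proof, proof} { // forged, valid, replayed
		addr, amount, err := escrow.Release(p)
		fmt.Println(p.Claim.Player, addr, amount, err)
	}
}
```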

The architecture of Dutchess achieves isolation of responsibility

Here is a diagram of the architecture of Dutchess, as presented at the Consensus 2017: Building Blocks Hackathon:

The beautiful thing about this architecture is how the game completely isolates multiple types of responsibilities. You can play chess in an anonymous way because the chess game doesn’t know your Ethereum account. You can know who won a game without having to know how the game was won because Hyperledger Sawtooth has the play-by-play while the ranking agent only knows wins, losses, stalemates, and a calculated player rank. This allows players to generate a proof of win or proof of rank from the ranking agent without it having to know anything about the amount of Ether being awarded. Finally, Quorum is able to distribute funds without needing to know anything about how wins and rankings are established. Quorum only needs to know that a player won, or that a player ranks at a certain position. Thus, each responsibility within the game is completely isolated.

Implications for business applications built on blockchain technologies

The Dutchess project shows how blockchain developers need not worry about consolidating all functionality of their business applications to one blockchain. Instead, different organizations with different responsibilities can work with the best blockchain for their specific type of responsibility. Sometimes that will be a permissionless blockchain like Ethereum or Bitcoin. Other times that will be a permissioned blockchain like Hyperledger Sawtooth or Quorum. Points of interoperability can be established between one isolated responsibility and another.

The key takeaway here is that any time a business application requires something as a condition of something else, one blockchain can handle the something, and hand a proof of it off to another blockchain that can handle the something else. This architecture of isolated responsibilities can be applied to any kind of real-world application in areas such as auctions, trading, futures, betting, stock trading, equity, asset management, and more.

Next steps for facilitating interoperability between multiple blockchains

In less than two days, the Dutchess team achieved a lot. They made it clear that the problem of working with more than one technology stack is not a technical one. Blockchain developers can start thinking out of the box, connecting blockchains, and doing it securely. A huge amount of value can be created just by facilitating interoperability. Before you start your next blockchain application, be sure to check out the Dutchess game at https://hacera.com/demos.

We can’t wait to see what folks build this year with Hyperledger technologies at the Building Blocks Hackathon prior to Consensus on May 12-13. You can see all the ways Hyperledger will be involved at Consensus here – hope to see you there!

Hyperledger Bug Bounty Program Now Open

By | Blog, Hyperledger Composer, Hyperledger Fabric, Hyperledger Iroha, Hyperledger Sawtooth

Dave Huseby, Hyperledger Security Maven

When I started as the Hyperledger Security Maven just over a year ago, I set out to make sure that Hyperledger’s community of contributors were doing everything possible to make good on the promise of better software and better security from the open source process. As of right now, we have in place a public bug tracker, continuous integration builds, core infrastructure initiative compliance, and a full responsible disclosure security bug policy and process. Today, I am happy to announce the next piece of our security process: the Hyperledger Bug Bounty.  

For the last six months we have been running a private bug bounty with HackerOne. Today we are opening up the Hyperledger Bug Bounty for public participation. Currently only Hyperledger Fabric is in the scope of the bounty program but we hope to add Hyperledger Sawtooth and other Hyperledger projects soon. HackerOne will continue to administer the bug bounty for us with close cooperation between their team and our community. We chose HackerOne because we think it is the best use of our resources and they share a similar commitment to open source software as Hyperledger and The Linux Foundation.

At Hyperledger we have a broad base of committed developers and it is their professionalism that makes our security process solid and straightforward. When I first started, we already had in place our public bug tracking system and most teams had set up continuous integration build systems for monitoring build health. In the last year we formalized the process by which projects can move from development status to their first 1.0 release, including a number of security requirements.

The first security requirement is to meet the requirements of the Core Infrastructure Initiative (CII). The Core Infrastructure Initiative is a set of best practices for open source software security. Earning the CII badge requires open source projects to set up services and processes and key positions that all serve the goal of producing more secure and trustworthy software. At the time of this writing, Hyperledger Fabric, Sawtooth, Iroha, and Composer have all earned their CII badge.

The second security requirement is to nominate one to three members of a project’s community to participate on the Hyperledger security team. The Hyperledger security team manages and executes our policy of responsible disclosure of security bugs. Security bugs are confidentially reported to Hyperledger through security@hyperledger.org or by filing a security bug in our JIRA. It is the job of the volunteer security team to triage, respond to, fix, and disclose the security bugs that are reported. As of right now, the security team consists of 16 members from five of our project communities.

The third security requirement is for a project to undergo a security audit from an outside auditor to establish a baseline for the codebase. We hired the auditing firm Nettitude to do security audits of Hyperledger Fabric, Sawtooth, Iroha and Composer.  So far Hyperledger Fabric, Sawtooth and Iroha have been completed and are in various stages of resolution and publication. Currently only the Hyperledger Fabric security audit report has been fully resolved and published. The rest will be published soon.

Looking ahead into the future, I plan on getting more involved with the Software Package Data Exchange (SPDX) to see if we can use Hyperledger blockchain platforms to better track the provenance of open source software, including our own. I hope to one day use verifiable claims to automatically check for vulnerabilities in dependencies from our continuous integration build system. If open source software packages were to issue a verifiable claim stating that a specific version of their software has no known security vulnerabilities, then when one is reported, the claim can be revoked. The revocation of the claim could then function as an automatic signal to all users of that software that they need to update. Continuous integration systems could check the claims of all dependencies and stop the build if one or more are found to have vulnerabilities.  This represents the next generation of reproducible builds and would leverage blockchains for provenance tracking of software from construction all the way through deprecation.
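The CI check described above, sketched as an added example (not Hyperledger or SPDX code). The package names, issuer keys and claim fields are hypothetical; HMAC stands in for the issuer's digital signature, and the `revoked_ids` set stands in for revocation state that would be read from a ledger.

```python
import hashlib
import hmac
import json

# Constructed demo keys; HMAC stands in for the issuer's digital signature.
ISSUER_KEYS = {"libfoo-maintainers": b"demo-key-foo", "libbar-maintainers": b"demo-key-bar"}


def _sign(claim, key):
    """MAC over every field except 'sig', in a canonical JSON encoding."""
    body = {k: v for k, v in claim.items() if k != "sig"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_claim(claim_id, issuer, package, version):
    """Issuer asserts that this exact version has no known vulnerabilities."""
    claim = {"id": claim_id, "issuer": issuer, "package": package,
             "version": version, "statement": "no-known-vulnerabilities"}
    claim["sig"] = _sign(claim, ISSUER_KEYS[issuer])
    return claim


def check_dependency(package, version, claims, revoked_ids):
    """Return None when a valid, unrevoked claim covers the pinned version."""
    pin = f"{package}=={version}"
    claim = claims.get(package)
    if claim is None:
        return f"{pin}: no claim published"
    key = ISSUER_KEYS.get(claim.get("issuer"))
    sig = str(claim.get("sig", "")).encode()
    if key is None or not hmac.compare_digest(_sign(claim, key).encode(), sig):
        return f"{pin}: claim signature invalid"
    if (claim["package"], claim["version"]) != (package, version):
        return f"{pin}: claim covers a different release"
    if claim["id"] in revoked_ids:
        return f"{pin}: claim {claim['id']} revoked"
    return None


def gate_build(pinned, claims, revoked_ids):
    """Return (ok, failures); CI stops the build when ok is False."""
    failures = [r for p, v in pinned if (r := check_dependency(p, v, claims, revoked_ids))]
    return (not failures, failures)


if __name__ == "__main__":
    pinned = [("libfoo", "1.4.2"), ("libbar", "0.9.0")]  # constructed lockfile
    claims = {p: issue_claim(f"claim-{p}", f"{p}-maintainers", p, v) for p, v in pinned}
    print(gate_build(pinned, claims, set()), gate_build(pinned, claims, {"claim-libbar"}))
```

The gate fails closed: a dependency with no claim, a claim for a different release, or a claim whose signature does not verify stops the build just as a revoked claim does.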

Security is always an ongoing process of improvement. Thanks to the commitment and professionalism and general good cheer of the Hyperledger community, we have made great strides in the last year. Now with our public bug bounty, we hope to further make good on the open source promise and to deserve the trust our users have in us.

We encourage developers to join our efforts on the bug bounty program and also start contributing to Hyperledger projects. You can plug into the Hyperledger community at GitHub, Rocket.Chat, the wiki or our mailing list. You can also follow Hyperledger on Twitter or email us with any questions: info@hyperledger.org.

(3.28.18) CoinDesk: Hyperledger Tech Heats Up Ahead of Software Debuts

By | Hyperledger Burrow, Hyperledger Composer, Hyperledger Fabric, Hyperledger Indy, Hyperledger Iroha, Hyperledger Sawtooth, News

Just six minutes.

That’s how long Hyperledger executive director Brian Behlendorf had to get former Chilean president Michelle Bachelet up to speed on blockchain. Spurred by a special request from the nation’s lawmakers, Behlendorf was one of multiple blockchain experts called to the country to talk about the merits of the technology and the ways in which it could modernize the copper-rich nation’s mining supply chain.

More here.

(2.1.18) JAXenter: Making smart contracts safe with Hyperledger Sawtooth

By | Hyperledger Sawtooth, News

JAXenter: Hyperledger Sawtooth 1.0 has just been released. What’s the star feature of this milestone?

Dan Middleton: Since Hyperledger focuses on enterprise-grade blockchain technologies and is recognized as one of the leaders (rather than focusing on cryptocurrency), this is a major milestone for the Hyperledger technical community. Sawtooth has a number of differentiating features you’ll see listed below. The distinction for a 1.0 release, though, is not features but maturity. See #6 for a fuller description of what that means.

In a nutshell, though, it means the code has been rigorously tested and reviewed, the platform has been field tested, and you can build your apps on the API without fear of it changing and breaking your apps — an issue that plagued many companies starting out with other blockchains.

More here.

(1.31.18) Enterprise Times: Sawtooth 1.0 to speed up blockchain development

By | Hyperledger Sawtooth, News

The Hyperledger Sawtooth 1.0 modular platform for building, deploying and running distributed ledgers has been released. This is the second of the Linux Foundation Hyperledger projects to reach this milestone. Last year the Hyperledger Fabric also hit 1.0 and is expected to go to 1.1 in the next few months. This year should also see at least one more of the nine current projects hit the 1.0 milestone.

More here.