Skip to content

carbynestack/carbynestack

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Carbyne Stack

DOI Codacy Badge Conventional Commits Known Vulnerabilities pre-commit Contributor Covenant

Carbyne Stack is a Cloud Native Secure Multiparty Computation (MPC) platform released under Apache License 2.0. Use Carbyne Stack to build resilient scalable infrastructure for sensitive data workloads. More information can be found on the Carbyne Stack website.

DISCLAIMER: Carbyne Stack is alpha software. The software is not ready for production use. It has neither been developed nor tested for a specific use case. The underlying Secure Multiparty Computation protocols are currently used in a way that is not secure.

Getting Started

Carbyne Stack can be deployed and experimented with locally. See the Getting Started section on the Carybne Stack website for instructions.

Contributing

Please see the Carbyne Stack Contributor's Guide.

Citation

We use Zenodo to archive our work and make it citable via Digital Object Identifiers (DOIs).

In case you want to cite the Carbyne Stack software in general (and not a specific version) you can use the following BibTex entry:

@software {carbynestack,
  title = {Carbyne Stack},
  author = {Becker, Sebastian and Duplys, Paul and Graf, Johannes and
   Graffi, Kalman and Grassi, Alessandro and Greven, David and Grewe, Julian and
   Jain, Shalabh and Klenk, Timo and Matyunin, Nikolay and Modica, Hanna and
   Raskin, Vadim and Scherer, Petra and Suschke, Volker and Trieflinger, Sven and
   Vlasakiev, Veselin and Weinfurtner, Jared},
  date = {2021},
  institution = {Robert Bosch GmbH},
  license = {Apache License 2.0},
  url = {https://carbynestack.io},
  abstract = {Carbyne Stack is an open-source cloud native stack for building
   scalable Secure Multiparty Computation applications.},
  repository = {https://github.com/carbynestack/carbynestack},
  doi = {10.5281/zenodo.8192460}
}

The given DOI will always reference the latest archived release of Carbyne Stack on Zenodo.

Citing a Release

It is generally preferable to use the DOI for a specific version of Carbyne Stack to ensure that other users/researchers can access the exact (research) artefact you used for reproducibility. To achieve this you can add a second BibTex entry pointing to a specific archived release:

@softwareversion {carbynestack-v<version>,
  version = {<version>},
  date = {<release-date>},
  crossref = {carbynestack},
  doi = {<version-doi>}
}

You can lookup the release-date and version-doi for a given version here.

Enhancement Proposals

We use Carbyne Stack Enhancement Proposals (CSEPs) to suggest, communicate and coordinate on new significant efforts for the Carbyne Stack project. The CSEP process is intended to provide a consistent and controlled path for larger changes to Carbyne Stack (such as new features) so that all stakeholders can be confident about the direction of the project.

License

Carbyne Stack is open-sourced under the Apache License 2.0. See the LICENSE file for details.

3rd Party Licenses

Carbyne Stack relies heavily on 3rd party Open Source Software. Artifacts that comprise 3rd party OSS and that are distributed by us, e.g., Java archives and Docker Images, are built to satisfy the license obligations of the 3rd party OSS components. A Software Bill of Materials (SBOM), copyright notices, license texts and links to the source codes for the 3rd party OSS components are made available at the root of the module source tree in a folder called 3RD-PARTY-LICENSES. The following sections describe how this information is distributed with or alongside the generated Carbyne Stack artifacts.

GitHub Releases

When Carbyne Stack software artifacts are built and published, all information about linked and redistributed 3rd-party OSS components is collected from the 3RD-PARTY-LICENSES folder of the respective artifact and attached to the GitHub release page. Where applicable, license texts and notice files are packed into a file for each component following the naming scheme <artifact-name>-3rd-party-copyrights.zip. Sources files are downloaded and bundled into a single archive called <artifact-name>-3rd-party-sources.zip.

Docker Images

All Carbyne Stack Docker images are based on one of the Carbyne Stack Docker Base Images. With each release of one of these base images, a Disclosure Documentation is published, which contains a list of all included software packages, their licenses and sources that are distributed with the corresponding image. The download link to the Disclosure Documentation can also be obtained from the image using:

docker inspect --format '{{index .Config.Labels "3rd-party-disclosure"}}' ${IMAGE_REPOSITORY}:${IMAGE_TAG}

More information about additional software components distributed with an image is also provided inside the Docker Image in the folder /3RD-PARTY-LICENSES or as follows:

  • Docker images built using ko include the SBOM and associated files in the folder /var/run/ko.
  • For images created using Maven by means of the Dockerfile Maven Plugin the artifacts are made available in the root folder of the image.

Java Archives

Java Archives (JARs) are built using Maven. The SBOM is created as part of the regular build process and made available together with the associated files at a location that depends on the type of the JAR that is built:

  • For plain JARs that just contain the component itself and for fat JARs built using the Maven Assembly Plugin , the artifacts are made available in the root folder of the JAR.

  • For runnable fat JARs built by the Spring Boot Maven Plugin the artifacts are made available in the folder /BOOT-INF/classes/ of the JAR.

NOTE: While the SBOM is derived automatically from the dependencies specified in the project object model (pom.xml), the files required to fulfill license obligations (e.g. license and notice files) have to be provided manually.

Export Control

Carbyne Stack includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. Before using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See the Wassenaar Arrangement website for more information.

Robert Bosch GmbH has classified this software as Export Commodity Control Number (ECCN) 5D002, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this distribution makes it eligible for export under the "publicly available" Section 742.15(b) and 734.3(b)(3) exemptions (see the BIS Export Administration Regulations, Section 742.15(b) and Section 734.3(b)(3)) for both object code and source code.

For additional information see the Carbyne Stack website.