Supply Chain
All upstream sources are verified against known-good SHA-256 hashes pinned in upstream.cdx.json (a CycloneDX SBOM). Sources whose upstream publishes a signature (GPG or Sigstore) are also cryptographically verified; a "—" in the Signature column below means the upstream publishes none and the pinned hash is the only check. A hash pin guarantees that the archive is byte-identical to the one recorded when the pin was taken; only the signature check ties that archive to the upstream maintainers' key. Only official sources are used (no mirrors except GNU FTP).
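The hash side of that check, as an added example (not the project's own build script): read the component hashes out of a CycloneDX JSON document, refuse pins that only exist under a non-collision-resistant algorithm, and compare the digest of the downloaded bytes in constant time. The SBOM fragment and the three-byte "archive" are constructed stand-ins, not the real upstream.cdx.json or a real release tarball; the signature step (`gpg --verify` / Sigstore) is out of scope here.

```python
import hashlib
import hmac
import json

# Constructed stand-ins (not the project's real upstream.cdx.json or a real
# release tarball): the "archive" is the three bytes b"abc", whose SHA-256
# is the well-known value recorded below.
SAMPLE_ARCHIVE = b"abc"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "name": "zstd",
            "version": "1.5.7",
            "hashes": [
                {"alg": "SHA-256",
                 "content": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
            ],
        },
        {   # a component whose only hash uses an algorithm we refuse to trust
            "type": "library",
            "name": "legacy",
            "version": "0.1",
            "hashes": [{"alg": "MD5", "content": "900150983cd24fb0d6963f7d28e17f72"}],
        },
    ],
})

# Only collision-resistant algorithms may satisfy a pin (CycloneDX name -> hashlib name).
ACCEPTED_ALGS = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}


class PinError(Exception):
    """A pin is missing or unusable; callers must treat this as a failed verification."""


def load_pins(sbom_text: str) -> dict:
    """Map (name, version) -> {CycloneDX alg name: lowercase hex digest}."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise PinError("not a CycloneDX document")
    pins = {}
    for comp in bom.get("components", []):
        key = (comp["name"], comp["version"])
        pins[key] = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
    return pins


def verify_archive(sbom_text: str, name: str, version: str, data: bytes) -> bool:
    """Return True only if data matches every pinned digest under an accepted algorithm.

    Fails closed: an unknown component, an empty hash list, or a pin that exists
    only under a weak algorithm raises PinError instead of returning True.
    """
    pins = load_pins(sbom_text)
    try:
        recorded = pins[(name, version)]
    except KeyError:
        raise PinError(f"no pin for {name} {version}") from None
    usable = [(alg, hexdigest) for alg, hexdigest in recorded.items() if alg in ACCEPTED_ALGS]
    if not usable:
        raise PinError(f"{name} {version} has no pin under an accepted algorithm")
    for alg, expected in usable:
        actual = hashlib.new(ACCEPTED_ALGS[alg], data).hexdigest()
        # compare_digest avoids leaking how many leading characters matched.
        if not hmac.compare_digest(actual, expected):
            return False
    return True


if __name__ == "__main__":
    print(verify_archive(SAMPLE_SBOM, "zstd", "1.5.7", SAMPLE_ARCHIVE))          # True
    print(verify_archive(SAMPLE_SBOM, "zstd", "1.5.7", SAMPLE_ARCHIVE + b"\0"))  # False
```

The important design choice is that every "I could not check" path raises rather than returns True: a build script that treats a missing or MD5-only pin as a pass has silently dropped the control.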
Upstream Dependencies
| Dependency | Version | Integrity | Signature | License |
|---|---|---|---|---|
| Python | 3.10–3.14 | SHA256 | Sigstore | PSF-2.0 |
| readline | 8.3 | SHA256 | GPG | GPL-3.0-only |
| bzip2 | 1.0.8 | SHA256 | GPG | bzip2-1.0.6 |
| gdbm | 1.26 | SHA256 | GPG | GPL-3.0-only |
| libffi | 3.5.2 | SHA256 | — | MIT |
| ncurses | 6.6 | SHA256 | GPG | X11 |
| OpenSSL | 3.6.1 | SHA256 | GPG | Apache-2.0 |
| sqlite | 3.51.3 | SHA256 | — | Public Domain |
| xz/liblzma | 5.8.2 | SHA256 | GPG | Public Domain |
| zstd | 1.5.7 | SHA256 | GPG | BSD-3-Clause |
| CA certs | 2025-12-02 | SHA256 | — | MPL-2.0 |
| Cosmopolitan | 4.0.2 | SHA256 | — | ISC |
GitHub Actions
All GitHub Actions are pinned to full-length commit SHAs rather than mutable tags or branches, and Dependabot keeps the pins updated. The Version column gives the release tag each pinned SHA corresponds to.
| Action | Version | Purpose |
|---|---|---|
| actions/attest-build-provenance | v3 | Generate SLSA build provenance attestations |
| actions/cache | v5 | Cache dependencies between workflow runs |
| actions/checkout | v6 | Clone repository |
| actions/configure-pages | v5 | Configure GitHub Pages |
| actions/deploy-pages | v4 | Deploy to GitHub Pages |
| actions/download-artifact | v7 | Download workflow artifacts |
| actions/upload-artifact | v6 | Upload workflow artifacts |
| actions/upload-pages-artifact | v3 | Upload GitHub Pages artifact |
| astral-sh/setup-uv | v7 | Install uv package manager |
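A check for that pinning policy, as an added example (not the project's own tooling): scan the `uses:` lines of a workflow and flag anything that is not a 40-hex commit SHA, anything pinned to a SHA without a `# vN` comment saying what it resolves to, and `docker://` references that should be pinned by digest instead. The workflow excerpt is constructed and the 40-hex values in it are placeholders, not real commits.

```python
import re

# Constructed workflow excerpt (not the project's actual workflow file).
# The 40-hex values are placeholders, not real commit SHAs.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.0
      - uses: actions/cache@v5
      - uses: astral-sh/setup-uv@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef
"""

# `uses: <ref>` optionally followed by `# <comment>`; anchored per line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(\S+))?\s*$", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text: str) -> list:
    """Return (ref, finding) pairs for every `uses:` that violates the pinning policy.

    An empty list means the workflow passes. Local composite actions (./...) are
    exempt because they are versioned with the repository itself.
    """
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            findings.append((ref, "docker image reference; pin by digest (@sha256:...) instead"))
            continue
        if "@" not in ref:
            findings.append((ref, "no ref at all; resolves to the default branch"))
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((ref, f"mutable ref '{version}'; pin to a full 40-hex commit SHA"))
        elif comment is None:
            findings.append((ref, "SHA-pinned without a version comment; add '# vN' so reviewers can see which release the SHA is"))
    return findings


def is_compliant(workflow_text: str) -> bool:
    """True when no `uses:` line violates the policy."""
    return not audit_uses(workflow_text)


if __name__ == "__main__":
    for ref, why in audit_uses(SAMPLE_WORKFLOW):
        print(f"{ref}: {why}")
```

A tag such as `v5` can be moved by whoever controls the action's repository, so a tag pin trusts that repository's future state; a commit SHA is content-addressed and changes only when someone deliberately edits the workflow, which is the step Dependabot automates.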