Based on our readings and research, we came to the following conclusions.
-- The Chains team
- CHAINS strongly recommends checking and enforcing reproducible builds: build the same source twice (ideally on independent machines) and fail the release if the artifact checksums differ.
- CHAINS strongly recommends dependency pinning. In Maven, this means exact versions in the pom (no version ranges, no LATEST/RELEASE) plus a Maven lockfile that records the resolved artifacts and their checksums.
- CHAINS encourages transparency logs over releases and packages, built on verifiable data structures (e.g. Merkle trees) so that an entry cannot be silently changed or removed.
- CHAINS recommends using functional package managers in CI (Guix, Nix), whose declarative, content-addressed environments make the CI toolchain itself pinned and reproducible.
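As an added illustration of the pinning and reproducible-build points above (this is example configuration written for this page, not CHAINS project code), the pom fragment below shows a weak dependency declaration next to the pinned form, and the `project.build.outputTimestamp` property that Maven's packaging plugins use to stamp archive entries with a fixed time instead of the build time. The groupId/artifactId values and the version numbers are placeholders chosen for the example.

```xml
<project>
  <!-- Example pom fragment (added for illustration; artifact names are placeholders). -->

  <properties>
    <!-- Fixed timestamp (ISO 8601) so jar/war entries do not embed the build time;
         without it, two builds of identical sources produce different archives. -->
    <project.build.outputTimestamp>2024-01-01T00:00:00Z</project.build.outputTimestamp>
  </properties>

  <dependencies>

    <!-- WEAK: a version range lets the resolver pick whatever the repository serves
         at build time, so two builds can pull different bytes. Do not do this. -->
    <!--
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-lib</artifactId>
      <version>[1.2,2.0)</version>
    </dependency>
    -->

    <!-- PINNED: one exact version; the lockfile then records the resolved
         artifacts (including transitive ones) and their checksums. -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-lib</artifactId>
      <version>1.2.3</version>
    </dependency>

  </dependencies>
</project>
```

Pinning the pom alone does not cover transitive dependencies, which Maven still resolves at build time; that gap is what the lockfile recommendation closes, by recording every resolved artifact and checksum and failing the build when the resolution drifts.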