Great writeup! The supply chain is one of the weakest links in the software development process today due to the implicit trust developers have in the open source ecosystem, so I'm glad to see more interest in projects like in-toto.
Thank you; seeing that someone in industry was using it for real is a much nicer read than "alice and bob can sign hello world", especially with my concerns around trying to use any of this stuff in a CI/CD setup, where "developers attest ..." becomes very hard to discuss
Does your setup, or in-toto in general, get all the way into the weeds of clang, libc, the python VM, or whatever supporting tooling goes into building and running the Agent?
---
Assuming it does not drill _all_ the way down, is there something about in-toto that adds value above and beyond GPG signing git commits? AIUI, a git commit protects every byte within the DAG and doesn't require a monster JSON blob or external tooling beyond the gpg binary to do so
"Does your setup, or in-toto in general, get all the way into the weeds of clang, libc, the python VM, or whatever supporting tooling goes into building and running the Agent?"
Not yet. This chicken-and-egg problem will take time to solve. We will need to spread TUF + in-toto piece by piece...
"Assuming it does not drill _all_ the way down, is there something about in-toto that adds value above and beyond GPG signing git commits?"
Yes. While signing git commits are a good idea, how would the client know whether the built package corresponds to a signed git commit? With developers signing in-toto link metadata about source code, this become easier to check in the background by the client.
4 comments
[ 3.6 ms ] story [ 20.0 ms ] thread[1] https://www.datadoghq.com/blog/engineering/secure-publicatio...
Does your setup, or in-toto in general, get all the way into the weeds of clang, libc, the python VM, or whatever supporting tooling goes into building and running the Agent?
---
Assuming it does not drill _all_ the way down, is there something about in-toto that adds value above and beyond GPG signing git commits? AIUI, a git commit protects every byte within the DAG and doesn't require a monster JSON blob or external tooling beyond the gpg binary to do so
Not yet. This chicken-and-egg problem will take time to solve. We will need to spread TUF + in-toto piece by piece...
"Assuming it does not drill _all_ the way down, is there something about in-toto that adds value above and beyond GPG signing git commits?"
Yes. While signing git commits are a good idea, how would the client know whether the built package corresponds to a signed git commit? With developers signing in-toto link metadata about source code, this become easier to check in the background by the client.