in-toto

A framework to secure the integrity of software supply chains

Frequently Asked Questions

  1. Why the name “in-toto”?

    in-toto is Latin for “as a whole”. We chose the name because our objective with in-toto is to build a system to protect the whole software supply chain.

  2. What is the difference between in-toto and TUF?

    TUF provides a framework that can be used to secure update systems (i.e., the last mile), whereas in-toto lets you verify the whole software supply chain. TUF and in-toto work well together: you can use TUF to deliver updates along with their corresponding in-toto metadata.

  3. Is Python 3 supported?

    Yes, in-toto supports Python 3.

  4. Is there a timeline for the support of Python 2.7?

    Since some of our adopters don’t plan on phasing out Python 2, we are not planning to phase it out any time soon either.