We are actively working with repeatr to create a cross-compatible metadata format that can be used both for supply-chain step memoization and for supply-chain security.

We are participating in the reproducible builds community to improve the security properties of build systems. We are also integrating in-toto into reprotest, so that people can create in-toto metadata to attest to the reproducibility of a step. You can set up your own rebuilder to reproduce Debian packages and produce in-toto metadata by following the instructions here

We are working with the git community to improve the security model of git metadata signing. We have already integrated three series of patches to ensure GPG-signed git tags can't be spoofed.

We are actively working with the Debian community so that in-toto metadata is generated within Debian's software supply chain. In addition, we intend to have in-toto metadata verified when using Debian's dpkg/apt toolchain. You can take a look and play around with our Debian apt-transport here

The Arch Linux community has already included our patches for git tag verification. We aim to have an integration similar to Debian's in the future.

Docker is currently trying out in-toto metadata internally to protect the security properties of their pipelines.

We have a demo deployment of openSUSE's OBS using in-toto. We are working with the openSUSE community to generate in-toto link metadata within their OBS services. You can see how this would work today by looking at this repo

We are working actively with Control Plane to secure the software supply chain in cloud native integrations.

Datadog has deployed TUF and in-toto into their pipeline! Read more here