This repository has been archived by the owner on Dec 6, 2024. It is now read-only.
integrations.html
---
layout: default
css_id: integrations
---
<h3>Ongoing Integrations</h3>
<table>
<tr>
<td><img src="/assets/images/logos/repeatr.png"/></td>
<td>
We are actively working with <a href="https://repeatr.io">repeatr</a>
to create a cross-compatible metadata format that can be used for
both supply-chain step memoization and supply-chain security.
</td>
</tr>
<tr>
<td><img src="/assets/images/logos/reproducible-builds.svg"/></td>
<td>
We are working with the reproducible builds community to
improve the security properties of build systems. We are also
integrating in-toto into reprotest, so that people can create in-toto
metadata to attest to the reproducibility of a step.
You can set up your own rebuilder to reproduce Debian packages and
produce in-toto metadata by following the instructions <a
href="https://salsa.debian.org/reproducible-builds/debian-rebuilder-setup">here</a>.
</td>
</tr>
<tr>
<td><img src="/assets/images/logos/git.png"/></td>
<td>
We are working with the git community to improve the security model
of git metadata signing. We have already integrated <a
href='https://public-inbox.org/git/[email protected]/'>three
series</a> of patches to ensure GPG-signed git tags can't be
spoofed.
</td>
</tr>
<tr>
<td><img src="/assets/images/logos/debian.png"/></td>
<td>
We are actively working with the Debian community so that in-toto
metadata is generated within Debian's software supply chain. In
addition, we intend to have in-toto metadata verified when using
Debian's dpkg/apt toolchain.
You can take a look at and play around with our Debian apt-transport <a
href='https://github.com/in-toto/apt-transport-in-toto'>here</a>.
</td>
</tr>
<tr>
<td><img src="/assets/images/logos/archlinux.png"/></td>
<td>
The Arch Linux community has already included our patches for
<a
href='https://lists.archlinux.org/pipermail/pacman-dev/2017-September/022123.html'>git
tag verification</a>. We aim to have an integration similar to
Debian's in the future.
</td>
</tr>
<tr>
<td><img src="/assets/images/logos/docker.png"></td>
<td>
Docker is currently trying out in-toto metadata internally to protect
the security properties of their pipelines.
</td>
</tr>
<tr>
<td><img src="/assets/images/logos/opensuse.png"></td>
<td>
We have a demo deployment of openSUSE's OBS using in-toto. We are
working with the openSUSE community to generate in-toto link metadata
within their OBS services. You can see how this would work today in <a href='https://github.com/in-toto/demo-opensuse'>this repo</a>.
</td>
</tr>
<tr>
<td><img src="/assets/images/logos/control-plane.png"></td>
<td>
We are actively working with Control Plane to secure the software
supply chain in cloud native integrations.
</td>
</tr>
<tr>
<td><img src="/assets/images/logos/datadog.png"></td>
<td>
Datadog has deployed TUF and in-toto into their pipeline! Read <a
href="https://www.datadoghq.com/blog/engineering/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto/">more
here</a>.
</td>
</tr>
</table>