New Project: tl for URL asset transparency


Brandon Philips

Aug 16, 2020, 12:37:27 PM
to binary-tr...@googlegroups.com
Hello Everyone-

We have been working on a new project that provides content integrity
verification for URLs on the web. And we would love your feedback.

The idea is that we use a transparency log to provide content digests
for URLs on the web to provide users with integrity guarantees and
server operators with a third party check that the assets they host
aren't unknowingly changing.

The system has a public (beta) API and a command line tool up on
GitHub. The basic usage is something like:

```
tl get https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.8.tar.xz
```

You can download the utility here: https://github.com/transparencylog/tl

Or you can read more about the project here: https://www.transparencylog.com/

Thank You!

Brandon

Holger Levsen

Aug 20, 2020, 1:56:28 PM
to Brandon Philips, binary-tr...@googlegroups.com
Hi Brandon,

On Sun, Aug 16, 2020 at 09:37:15AM -0700, Brandon Philips wrote:
> We have been working on a new project that provides content integrity
> verification for URLs on the web. And we would love your feedback.

very nice!

> The idea is that we use a transparency log to provide content digests
> for URLs on the web to provide users with integrity guarantees and
> server operators with a third party check that the assets they host
> aren't unknowingly changing.

what's the technology behind the transparency log?

> The system has a public (beta) API and a command line tool up on
> GitHub. The basic usage is something like:
>
> ```
> tl get https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.8.tar.xz
> ```
>
> You can download the utility here: https://github.com/transparencylog/tl
>
> Or you can read more about the project here: https://www.transparencylog.com/

some questions:

- do you have any users already?
- are you working on getting this included into Debian, Fedora, etc?


Thanks for sharing!


--
cheers,
Holger

-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

There are no jobs on a dead planet. (Also many other things but people mostly
seem to care about jobs.)

Brandon Philips

Aug 20, 2020, 2:19:48 PM
to Holger Levsen, binary-tr...@googlegroups.com
Hello Holger-

On Thu, Aug 20, 2020 at 10:56 AM Holger Levsen <hol...@layer-acht.org> wrote:
> On Sun, Aug 16, 2020 at 09:37:15AM -0700, Brandon Philips wrote:
> > The idea is that we use a transparency log to provide content digests
> > for URLs on the web to provide users with integrity guarantees and
> > server operators with a third party check that the assets they host
> > aren't unknowingly changing.
>
> what's the technology behind the transparency log?

We are using a log very similar to the one used by Go:
https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md

We used this as the starting point for the service:
https://github.com/rsc/tlogdb

> > The system has a public (beta) API and a command line tool up on
> > GitHub. The basic usage is something like:
> >
> > ```
> > tl get https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.8.tar.xz
> > ```
> >
> > You can download the utility here: https://github.com/transparencylog/tl
> >
> > Or you can read more about the project here: https://www.transparencylog.com/
>
> some questions:
>
> - do you have any users already?

We have just started evangelizing the tool to get load onto our Beta service.

For example just yesterday we got a GitHub Action published that
projects using GitHub can use. We have started reaching out to
projects today.
https://github.com/transparencylog/publish-releases-asset-transparency-action

> - are you working on getting this included into Debian, Fedora, etc?

Not yet. But, we would love to collaborate with those projects!

Cheers,

Brandon
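
Added example, not part of the thread and not code from the tl project: the client-side check that a sumdb-style log makes possible, written in Go. It hashes a fetched asset, forms the log record, and verifies a Merkle inclusion proof against the tree head using the RFC 6962 hashing that Go's checksum database design describes. The record format, the example.org URLs and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

type Hash = [32]byte

// leafHash: RFC 6962 leaf (0x00 prefix) over an ASSUMED record "URL hex-SHA-256".
func leafHash(url string, body []byte) Hash {
	d := sha256.Sum256(body)
	return sha256.Sum256([]byte("\x00" + url + " " + hex.EncodeToString(d[:])))
}

func nodeHash(l, r Hash) Hash {
	return sha256.Sum256(append(append([]byte{1}, l[:]...), r[:]...))
}

// rebuild recomputes the tree head from leaf i of n and its bottom-up audit path.
func rebuild(leaf Hash, i, n int, path []Hash) (Hash, bool) {
	if n == 1 || len(path) == 0 {
		return leaf, n == 1 && len(path) == 0
	}
	k := 1 // largest power of two strictly below n: size of the left subtree
	for k*2 < n {
		k *= 2
	}
	sib, rest := path[len(path)-1], path[:len(path)-1]
	if i < k {
		h, ok := rebuild(leaf, i, k, rest)
		return nodeHash(h, sib), ok
	}
	h, ok := rebuild(leaf, i-k, n-k, rest)
	return nodeHash(sib, h), ok
}

// Verify is the client check: is the fetched body the one recorded in the log?
func Verify(url string, body []byte, i, n int, path []Hash, root Hash) bool {
	h, ok := rebuild(leafHash(url, body), i, n, path)
	return ok && i >= 0 && i < n && h == root
}

func main() {
	u, good := "https://example.org/rel-1.0.tar.xz", []byte("release bytes") // constructed
	ab := nodeHash(leafHash("https://example.org/a", []byte("a")), leafHash("https://example.org/b", []byte("b")))
	path, root := []Hash{ab}, nodeHash(ab, leafHash(u, good)) // 3-entry log, release is leaf 2
	fmt.Println(Verify(u, good, 2, 3, path, root), Verify(u, []byte("tampered"), 2, 3, path, root))
}
```

A real client would also check the log's signature over the tree head and that successive tree heads are consistent; this example covers only the inclusion step.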

Holger Levsen

Aug 20, 2020, 2:30:19 PM
to Brandon Philips, binary-tr...@googlegroups.com
hi Brandon,

On Thu, Aug 20, 2020 at 11:19:36AM -0700, Brandon Philips wrote:
> > what's the technology behind the transparency log?
>
> We are using a log very similar to the one used by Go:
> https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md
>
> We used this as the starting point for the service:
> https://github.com/rsc/tlogdb

ah, nice! (& thanks for these pointers!)

> > - do you have any users already?
> We have just started evangelizing the tool to get load onto our Beta service.

*g*

> For example just yesterday we got a GitHub Action published that
> projects using GitHub can use. We have started reaching out to
> projects today.
> https://github.com/transparencylog/publish-releases-asset-transparency-action

cool!

> > - are you working on getting this included into Debian, Fedora, etc?
> Not yet. But, we would love to collaborate with those projects!

:)) I'm sadly too loaded with stuff to be able to help...


--
cheers,
Holger

-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

"... the premise [is] that privacy is about hiding a wrong. It's not.
Privacy is an inherent human right, and a requirement for maintaining
the human condition with dignity and respect." (Bruce Schneier)

Brandon Philips

Aug 20, 2020, 2:36:04 PM
to Holger Levsen, binary-tr...@googlegroups.com
Hey Holger-

Do you have any suggestions on what lists to use on Debian to see if
there is interest?

Thank You,

Brandon

Holger Levsen

Aug 20, 2020, 2:57:57 PM
to Brandon Philips, binary-tr...@googlegroups.com
On Thu, Aug 20, 2020 at 11:35:47AM -0700, Brandon Philips wrote:
> Do you have any suggestions on what lists to use on Debian to see if
> there is interest?

I think the best way is to file an RFP bug (see https://wiki.debian.org/RFP
for how) and then the RFP bug will automatically appear on https://lists.debian.org/debian-devel


--
cheers,
Holger

-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
