Minutes from 4/20 Community Meeting.


Lois A DeLong

Jun 11, 2020, 10:51:08 AM
to in-toto-public



Apologies for the extended delay in posting these notes. It took me longer than expected to confirm some of the content.



Discussion Summary from the in-toto Community Meeting

April 20, 2020



Meeting participants

Santiago Torres-Arias, Moderator

Gerard Borst, Justin Cappos, Reza Curtmola, Adrian Diglio, kpcyrd, Trishank Kuppusamy, Joshua Lock, Radu Matei, Bryan Russell, Aditya Sirish, Ralph Squillace, Kate Stewart, Kay Williams

 

The meeting was held for the first time on the Jitsi platform. It appeared to be a good alternative, as there were far fewer problems with audio.

 

Below is a brief summary of the topics discussed in the meeting.

 

Update on ITEs

Trishank Kuppusamy and Santiago Torres-Arias presented progress reports on three in-process ITEs (in-toto Enhancements). ITEs 2 and 3 both deal with how to use in-toto in tandem with TUF, with ITE 3 describing a specific use case: how Datadog deployed the two frameworks together. Trishank noted that ITE 2 is also relevant to Cloud Native Application Bundles (CNAB), which facilitate bundling, installing and managing container-native apps, and which are used in a Microsoft Windows build effort. In this combination, TUF provides compromise-resilient, transparent distribution and rotation of the in-toto root layout public keys, and consistent snapshots. (Note: ITEs 2 and 3 were merged as drafts on May 5. Comments are invited.)

 

ITE 2 https://github.com/in-toto/ITE/blob/master/ITE/2/README.adoc

 

ITE3 https://github.com/in-toto/ITE/blob/master/ITE/3/README.adoc
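The sentence above compresses what the TUF/in-toto combination actually buys: the in-toto root layout and the layout owner's public key are themselves TUF targets, so a client only hands bytes to the in-toto verifier after they match the hash pinned in signed TUF targets metadata, and rotating the layout key is simply publishing a new targets version. The following is an added example written for these minutes, not code from the in-toto or TUF projects. It assumes a constructed targets role whose custom field lists the layout and key files for a package (the exact field layout is an assumption, not a quotation of ITE 2), and it assumes a TUF client has already checked the signatures, expiry and rollback protection on that metadata; only the pinning step that follows is shown.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts standing in for what a client would download
# (not real in-toto or TUF data).
ROOT_LAYOUT = json.dumps({"_type": "layout", "steps": [{"name": "build"}]}).encode()
OWNER_PUBKEY = json.dumps({"keytype": "ed25519", "keyval": {"public": "old"}}).encode()
NEW_OWNER_PUBKEY = json.dumps({"keytype": "ed25519", "keyval": {"public": "new"}}).encode()
PACKAGE = b"constructed package bytes"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def target_entry(data: bytes, custom=None) -> dict:
    entry = {"length": len(data), "hashes": {"sha256": sha256(data)}}
    if custom:
        entry["custom"] = custom
    return entry


# A TUF "targets" role in the shape ITE 2 describes: the in-toto root layout and
# the layout owner's public key are TUF targets themselves, and a package's
# custom field names the layout and key files that govern it. The exact custom
# field layout here is an assumption for illustration. Signature, expiry and
# rollback checks over this metadata are assumed done by a TUF client already.
TARGETS = {
    "root.layout": target_entry(ROOT_LAYOUT),
    "owner.pub": target_entry(OWNER_PUBKEY),
    "app-1.0.tar.gz": target_entry(PACKAGE, {"in-toto": ["root.layout", "owner.pub"]}),
}


class PinError(Exception):
    """A fetched file does not match what the signed TUF metadata pins."""


def check_pinned(targets: dict, name: str, data: bytes) -> bytes:
    entry = targets.get(name)
    if entry is None:
        raise PinError(f"{name}: not a target in the signed TUF metadata")
    if len(data) != entry["length"]:
        raise PinError(f"{name}: length {len(data)} != pinned {entry['length']}")
    if not hmac.compare_digest(sha256(data), entry["hashes"]["sha256"]):
        raise PinError(f"{name}: sha256 does not match the pinned hash")
    return data


def resolve_pinned(targets: dict, package: str, fetched: dict) -> dict:
    """Return the package and every layout/key file in-toto verification needs,
    each only after it passed the TUF pin. Everything the in-toto verifier is
    about to trust (layout, layout keys, the artifact) comes through here first."""
    entry = targets.get(package)
    if entry is None:
        raise PinError(f"{package}: not a target")
    needed = entry.get("custom", {}).get("in-toto", [])
    if not needed:
        raise PinError(f"{package}: no in-toto layout is pinned for this package")
    resolved = {}
    for name in [package, *needed]:
        if name not in fetched:
            raise PinError(f"{name}: required file was not fetched")
        resolved[name] = check_pinned(targets, name, fetched[name])
    return resolved


def _rejected(fetched: dict, targets: dict) -> bool:
    try:
        resolve_pinned(targets, "app-1.0.tar.gz", fetched)
    except PinError:
        return True
    return False


def demo() -> dict:
    genuine = {"app-1.0.tar.gz": PACKAGE, "root.layout": ROOT_LAYOUT, "owner.pub": OWNER_PUBKEY}
    ok = resolve_pinned(TARGETS, "app-1.0.tar.gz", genuine)

    # A compromised layout host serves a modified layout of the same length:
    # the TUF pin, not the host, decides what the in-toto verifier may trust.
    forged = {**genuine, "root.layout": ROOT_LAYOUT.replace(b"build", b"bulid")}
    forged_rejected = _rejected(forged, TARGETS)

    # Key rotation is a new signed targets version that pins the new key; the
    # old key no longer verifies against it, the new one does.
    rotated = {**TARGETS, "owner.pub": target_entry(NEW_OWNER_PUBKEY)}
    old_key_rejected = _rejected(genuine, rotated)
    with_new_key = {**genuine, "owner.pub": NEW_OWNER_PUBKEY}
    new_key_ok = set(resolve_pinned(rotated, "app-1.0.tar.gz", with_new_key)) == set(genuine)
    return {
        "genuine_ok": set(ok) == set(genuine),
        "forged_rejected": forged_rejected,
        "old_key_rejected_after_rotation": old_key_rejected,
        "new_key_ok_after_rotation": new_key_ok,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to keep in mind when wiring this up for real: the in-toto verifier must never be given a layout or key that did not come out of `resolve_pinned` (or its equivalent), otherwise the layout host regains the ability to substitute a weaker layout, and the whole benefit of putting the layout under TUF is lost.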

 

Santiago reported that ITE 4 (https://github.com/in-toto/ITE/blob/master/ITE/4/README.adoc),

which allows generic URI schemes to refer to abstract entities in in-toto metadata, such as GitHub PRs, has been adopted as a draft, but input is still being solicited. The ITE will likely remain open for feedback and comments for at least two or three months.

 

Updates on Integrations and Implementations

 

Santiago announced that he will be working on developing an SPDX prototype over the summer.

 

Grafeas/Jenkins

Santiago also reported that in-toto is now in Grafeas as a metadata type and Grafeas instances can be used to store link metadata files. The integration includes a Jenkins in-toto plugin that can gather information to be transferred to Grafeas.

 

Aditya Sirish described a pull request that proposes several changes to the Jenkins plugin, including “translation layers” that support the necessary conversions from in-toto formats to Grafeas metadata formats. The work is described here. Note that since the meeting, this pull request has been merged into the plugin.

 

Bryan Russell of Google echoed the need to reconcile compatibility and architectural differences to allow in-toto data to be stored in Grafeas. He pointed to Google’s use of protocol buffers, or protobufs as a place where “translation” may be required.

 

Kay Williams of Microsoft mentioned performance issues as the largest concern and pointed to the need to “unmarshal JSON” as a way to address protobuf compatibility.

 

Setting up rebuilders

kpcyrd talked a bit about progress on the rebuilderd project, explaining that rebuilding requires three components working together: a monitor, a scheduler, and a worker. The rebuilderd system offers “one-stop shopping” for these tasks. It allows verification of pre-compiled packages by repeating the build step in an identical environment, and then verifying that the package is identical. https://github.com/kpcyrd/rebuilderd
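The "identical environment" clause is what makes or breaks a rebuild: anything the build reads from its surroundings (wall clock, a random build id, file ownership) ends up in the package, and a rebuilder can then only report a mismatch. The following is an added example written for these minutes, not code from rebuilderd; it uses a constructed toy build (a tar archive of a two-file source tree) to show what a worker does with a job: rebuild from the same sources in the recorded environment, compare bit for bit, and, when the result differs, say which entries differ. `SOURCE_DATE_EPOCH` is used as the recorded-environment knob because that is the convention reproducible-builds tooling uses; everything else (file names, statuses) is made up for the demo.

```python
import hashlib
import io
import tarfile
import time
import uuid

# Constructed source tree standing in for a package's build inputs.
SOURCES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build(sources: dict, env: dict) -> bytes:
    """Toy package build: a tar archive of the sources plus a BUILD_INFO file.
    `env` stands for the build environment a rebuilder has to reproduce. Without
    SOURCE_DATE_EPOCH the build behaves like many real ones and leaks the wall
    clock and a random build id into the output."""
    reproducible = "SOURCE_DATE_EPOCH" in env
    mtime = int(env["SOURCE_DATE_EPOCH"]) if reproducible else int(time.time())
    build_id = "none" if reproducible else uuid.uuid4().hex
    files = dict(sorted(sources.items()))          # fixed entry order
    files["BUILD_INFO"] = f"build_id={build_id}\nbuilt_at={mtime}\n".encode()

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0                 # fixed ownership, not the builder's uid
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_entries(archive: bytes) -> dict:
    """name -> (mtime, sha256 of content) for each entry, used to locate diffs."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            content = tar.extractfile(member).read()
            entries[member.name] = (member.mtime, sha256(content))
    return entries


def diff_archives(a: bytes, b: bytes) -> list:
    """Entries that differ between two archives (a crude stand-in for diffoscope)."""
    ea, eb = archive_entries(a), archive_entries(b)
    return sorted(name for name in set(ea) | set(eb) if ea.get(name) != eb.get(name))


def rebuild_and_verify(reference: bytes, sources: dict, env: dict) -> dict:
    """What a rebuilder worker does with a job: rebuild the package from the same
    sources in the recorded environment and compare the result bit for bit."""
    rebuilt = build(sources, env)
    return {
        "status": "GOOD" if rebuilt == reference else "BAD",
        "reference_sha256": sha256(reference),
        "rebuilt_sha256": sha256(rebuilt),
        "differing_entries": diff_archives(reference, rebuilt),
    }


def demo() -> dict:
    # Environment recorded alongside the vendor's package: 2020-04-20T00:00:00Z.
    recorded_env = {"SOURCE_DATE_EPOCH": "1587340800"}
    vendor_package = build(SOURCES, recorded_env)
    good = rebuild_and_verify(vendor_package, SOURCES, recorded_env)

    # The same package built without a pinned timestamp can never be confirmed:
    # every build embeds a fresh build id (and, across a second boundary, mtimes).
    bad = rebuild_and_verify(build(SOURCES, {}), SOURCES, {})
    return {"reproducible": good, "unreproducible": bad}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

A BAD verdict on its own is ambiguous: it can mean a tampered binary or merely a build that is not reproducible yet. The `differing_entries` list is the first thing to look at, because a diff confined to a build-info or timestamp entry points at the build, while a diff in the compiled artifact is the case a rebuilder exists to catch.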


in-toto 1.0.0: End of the Roadmap

Santiago noted that in-toto had reached the end of its one-year roadmap and asked if anything needed to be tweaked before it moves to 1.0.0. Trishank brought up the issue of parameter substitution, or a way to tell in-toto “I may not know the value of something ahead of time.” He asked if this might be a compatibility issue. Santiago agreed that the issue of parameter substitution should be included in v1.0.0.
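Parameter substitution, as raised above, means a layout owner signs a template (for example a product rule for `{pkg}-{version}.deb`) and the verifier supplies the values at verification time. The following is an added example written for these minutes, not in-toto's own implementation. It assumes a constructed layout dictionary, a `{name}` placeholder syntax, a restricted parameter-name alphabet, and a fixed list of substitutable fields; all four are modelled on the reference implementation but are assumptions here, not spec citations. What it demonstrates is the part that matters for safety: substitution runs on a copy of the signed template, only the artifact rules, expected commands and inspection commands are touched (never keys, thresholds or step names), missing or malformed parameters fail closed, and a supplied value that itself contains braces is not expanded a second time.

```python
import copy
import re

# Placeholder syntax and the parameter-name alphabet are assumptions modelled on
# the reference implementation; they are not quoted from the in-toto spec.
PARAM_NAME = re.compile(r"[A-Za-z0-9_-]+")
PLACEHOLDER = re.compile(r"\{([^{}]*)\}")

# Fields a layout owner may template. Keys, thresholds, step names and pubkeys
# are deliberately absent: a verifier-supplied value must never be able to
# change who is trusted, only which artifact names and commands to expect.
SUBSTITUTABLE_FIELDS = ("expected_materials", "expected_products", "expected_command", "run")

# Constructed layout template. In practice the template, braces included, is
# what the layout owner signs; the signature is checked before substitution.
LAYOUT = {
    "_type": "layout",
    "keys": {"abc123": {"keytype": "ed25519"}},
    "steps": [
        {
            "name": "build",
            "threshold": 1,
            "pubkeys": ["abc123"],
            "expected_command": ["make", "VERSION={version}"],
            "expected_materials": [
                ["MATCH", "{pkg}-{version}.tar.gz", "WITH", "PRODUCTS", "FROM", "fetch"],
                ["DISALLOW", "*"],
            ],
            "expected_products": [["CREATE", "{pkg}-{version}.deb"], ["DISALLOW", "*"]],
        }
    ],
    "inspect": [
        {
            "name": "unpack",
            "run": ["tar", "xf", "{pkg}-{version}.tar.gz"],
            "expected_materials": [],
            "expected_products": [["ALLOW", "*"]],
        }
    ],
}


class SubstitutionError(ValueError):
    pass


def required_parameters(layout: dict) -> set:
    """Names the template needs a value for, so the verifier knows what to supply."""
    names = set()

    def walk(value):
        if isinstance(value, str):
            names.update(PLACEHOLDER.findall(value))
        elif isinstance(value, list):
            for item in value:
                walk(item)

    for item in layout.get("steps", []) + layout.get("inspect", []):
        for field in SUBSTITUTABLE_FIELDS:
            walk(item.get(field, []))
    return names


def validate_parameters(params: dict) -> None:
    for name, value in params.items():
        if not isinstance(name, str) or not PARAM_NAME.fullmatch(name):
            raise SubstitutionError(f"bad parameter name {name!r}")
        if not isinstance(value, str):
            raise SubstitutionError(f"parameter {name!r} must be a string")


def _substitute(value, params: dict):
    if isinstance(value, str):
        def replace(match):
            name = match.group(1)
            if name not in params:
                raise SubstitutionError(f"no value supplied for {{{name}}}")
            return params[name]   # single pass: braces inside a value are not re-expanded
        return PLACEHOLDER.sub(replace, value)
    if isinstance(value, list):
        return [_substitute(item, params) for item in value]
    raise SubstitutionError(f"cannot substitute into {type(value).__name__}")


def substitute_parameters(layout: dict, params: dict) -> dict:
    """Return a copy of `layout` with {name} placeholders in the substitutable
    fields replaced by verifier-supplied values. The signed template passed in
    is left untouched; missing or malformed parameters are an error."""
    validate_parameters(params)
    result = copy.deepcopy(layout)
    for item in result.get("steps", []) + result.get("inspect", []):
        for field in SUBSTITUTABLE_FIELDS:
            if field in item:
                item[field] = _substitute(item[field], params)
    return result


if __name__ == "__main__":
    print(sorted(required_parameters(LAYOUT)))
    print(substitute_parameters(LAYOUT, {"pkg": "in-toto", "version": "1.0.0"})["steps"][0])
```

One caveat for layout authors follows directly from this: the verifier is trusted to supply honest values, so a placeholder placed inside an ALLOW or DISALLOW pattern lets whoever runs verification widen or narrow the rule. Keep placeholders to the artifact names the rule is about, and let the fixed rules around them do the constraining.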

 

Santiago noted there was a need to make a push for any tooling required for inspection of containers.

 

No immediate date was set at the time, but plans for the next meeting are currently being discussed. Look for an announcement soon.

