Discussion Summary from the in-toto Community Meeting
February 24, 2020
Note: We had some issues during our meeting with faulty acoustics and, as a result, these notes are not as complete as we would like them to be. We apologize for any discussion threads that were inadvertently omitted, or any incorrect statements. Please feel free to help us “fill in the gaps” by sharing on the thread. We will come up with a more reliable technology for our next meeting.
Meeting participants:
Santiago Torres-Arias, Moderator
Gerard Borst, Mynor Cifuentes, Reza Curtmola, Marc Evers, Tobias Furuholm, Jim Gettys, Juan Gomez, Jack Kelly, Jon Knox, Bart Kors, Trishank Kuppusamy, Adam Lewis, Joshua Lock, Andrew Martin, Radu Matei, Lukas Pühringer, Brian Russell, Jennie Steshenko, Aditya Sirish A Yelgundhalli
Below is a brief summary of the topics discussed in the meeting.
Roadmap
Santiago brought the group up to date on progress towards in-toto v1.0.0, which is scheduled for completion in April 2020. This included work on cross-implementation interoperability for in-toto-golang and work with Debian to test the reproducibility of packages. The current progress reports on the roadmap can be found at
https://github.com/in-toto/docs/blob/master/roadmap-reviews/2020/review_1_august_19.md, and
https://github.com/in-toto/docs/blob/master/roadmap-reviews/2020/review_2_december_19.md.
Lukas talked about the remaining tasks for the v1.0.0 release of the reference implementation, which boil down to setting in stone a stable API and generating library documentation.
Deployments
Gerard Borst and Bart Kors from Rabobank, who have created a fork of in-toto called Argos Supply Chain Notary, described their ongoing progress with the system. This included a change to the layout and link metadata format with the goal of making it more JSON compatible, the addition of an expected final product field in the layout, and the removal of inspections. The project is available at:
https://github.com/rabobank/argos
ITE 4
Aditya talked briefly about his work on ITE 4, which allows generic URI schemes to refer to abstract entities in in-toto metadata, such as GitHub PRs (see https://github.com/in-toto/ITE/pull/6). He invited everyone to review and comment on the PR, which is relevant for collaborations with SPDX (Software Package Data Exchange) and GitHub.
in-toto jenkins plugin
Aditya also mentioned preparing a demo that uses the in-toto Jenkins plugin to publish attestations for the steps of a web app build pipeline to a Grafeas store, and then performs final product verification in an in-toto Kubernetes admission controller.
(Note: Parts of that demo have been presented by Mark Russinovich, CTO of Microsoft Azure, at RSA Conference https://www.youtube.com/watch?v=tHwLCDrs1zQ&feature=youtu.be&t=2597)
Other Issues
There was some discussion about moving to a different meeting technology, as the Zoom session had issues, particularly with accessibility and background noise.
Lukas and Justin will attend KubeCon and each is scheduled to do a talk.
(Note: KubeCon Europe was postponed to July/August due to COVID-19)
There was a general consensus that posting on the in-toto mailing list might be the best way to initiate discussions of concern to the community. These discussions could then be moved to GitHub in the form of issues or pull requests as warranted.
Please note that we have set up a Google Doc at https://docs.google.com/document/d/1lBsv06LJl6AuenkmWuIqf7Gxw85UNsO4GcjFuDjZLFw/edit to collect agenda items for our next community meeting. We invite everyone to post there any issues you'd like to discuss.
Respectfully Submitted,
Lois Anne DeLong
NYU Tandon/in-toto