ITE-2: A general overview of combining TUF and in-toto to build compromise-resilient CI/CD

[Trishank Kuppusamy]

Hihi everyone,

Following on the heels of ITE-3, I am now proposing that ITE-2 be accepted.

You can think of ITE-3 as a special case of ITE-2, which is a more general description of how to combine TUF and in-toto to build compromise-resilient CI/CD.

I am now soliciting feedback on whatever this ITE can be accepted as it is. I'd say the only thing missing is how to record TUF timestamps on sigstore's Rekor transparent/tamper-evident log/ledger.

You may find the ITE itself here. Please send your feedback on the GitHub issue here.

Thanks for your time,

Trishank