On Tue, May 12, 2020 at 04:44:43PM -0400, 'Trishank Karthik Kuppusamy' via in-toto-dev wrote:
> Cc +in-toto...@googlegroups.com
> On Tue, May 12, 2020 at 4:33 PM Trishank Karthik Kuppusamy <
> > Hello everyone,
> > We are pleased to announce that two new drafts of in-toto Enhancements
> > (ITEs) have been published that discuss how to combine The Update
> > Framework (TUF) <https://theupdateframework.io/
> and in-toto to build an
> > end-to-end compromise-resilient CI/CD:
> > ITE-2: A general overview of combining TUF and in-toto to build
> > compromise-resilient CI/CD
> > <https://github.com/in-toto/ITE/blob/master/ITE/2/README.adoc
> > ITE-3: Real-world example of combining TUF and in-toto for packaging
> > Datadog Agent integrations
> > <https://github.com/in-toto/ITE/blob/master/ITE/3/README.adoc
> > TUF is a sibling project that is used to secure the last mile of the
> > distribution process. It is used in production by companies such as
> > Cloudflare, Docker, DigitalOcean, Flynn, IBM, Microsoft, LEAP, Kolide, and
> > VMware. A variant of TUF called Uptane is widely used to secure
> > over-the-air updates in automobiles.
> > In this context, we use TUF to provide some interesting properties:
> > 1. Compromise-resilient, transparent distribution and rotation of the
> > in-toto root layout public keys. In fact, all you need to distribute is one
> > so-called root metadata file to your client applications, and you can
> > slash-and-burn keys throughout your entire system (including in-toto
> > layouts and functionaries) at any time without your client applications
> > noticing anything.
> > 2. Consistent snapshots, which not only prevents rollback and
> > mix-and-match attacks <https://theupdateframework.io/security/
>, but also
> > lets you associate different versions of your root layout with different
> > packages, so you can transparently update rules for your software supply
> > chain without breaking old packages.
> > We believe that the lessons we have learned would be just as useful for
> > you, which is why we have published these ITEs. Let us know if you have
> > questions!
> > Thanks,
> > Trishank
> You received this message because you are subscribed to the Google Groups "in-toto-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to in-toto-dev...@googlegroups.com
> To view this discussion on the web visit https://groups.google.com/d/msgid/in-toto-dev/CAEd-exOsLD715i-OL4T0tL_OYUDqun%3DQH%3DKr6TNO4sKZkor2bg%40mail.gmail.com