
In-toto: providing farm-to-table guarantees for bits and bytes - trishankdatadog
https://blog.acolyer.org/2019/10/02/in-toto/
======
trishankdatadog
The Datadog TUF + in-toto implementation is discussed in more detail here[1].
Let me know if you have questions!

[1] https://www.datadoghq.com/blog/engineering/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto/

~~~
mdaniel
Thank you; seeing that someone in industry was using it for real is a much
nicer read than "alice and bob can sign hello world", especially with my
concerns around trying to use any of this stuff in a CI/CD setup, where
"developers attest ..." becomes very hard to discuss

Does your setup, or in-toto in general, get all the way into the weeds of
clang, libc, the python VM, or whatever supporting tooling goes into building
and running the Agent?

---

Assuming it does not drill _all_ the way down, is there something about
in-toto that adds value above and beyond GPG signing git commits? AIUI, a git
commit protects every byte within the DAG and doesn't require a monster JSON
blob or external tooling beyond the gpg binary to do so

~~~
trishankdatadog
"Does your setup, or in-toto in general, get all the way into the weeds of
clang, libc, the python VM, or whatever supporting tooling goes into building
and running the Agent?"

Not yet. This chicken-and-egg problem will take time to solve. We will need to
spread TUF + in-toto piece by piece...

"Assuming it does not drill _all_ the way down, is there something about
in-toto that adds value above and beyond GPG signing git commits?"

Yes. While signing git commits is a good idea, how would the client know
whether the built package corresponds to a signed git commit? With developers
signing in-toto link metadata about source code, this becomes easier for the
client to check in the background.
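
The check trishankdatadog describes, as an added illustration that is not in-toto's own code and not from the Datadog pipeline: a layout names which key may sign each step, functionaries sign "link" metadata recording hashes of what each step consumed and produced, and the client verifies that the build step's materials are exactly the clone step's products and that the delivered package matches the build step's recorded product. The step names, key ids, file contents and the `tamper` scenarios are constructed for the example; HMAC stands in for the public-key signatures real in-toto uses, since the point shown is the artifact-flow verification rather than the signature scheme.

```python
import hashlib
import hmac
import json

# Constructed secrets standing in for the functionaries' signing keys.
KEYS = {"dev-key": b"constructed-dev-secret", "ci-key": b"constructed-ci-secret"}

# Constructed layout: who may sign each step, and which step's products
# the next step's materials must match. Real in-toto expresses this with
# signed layouts and MATCH/CREATE artifact rules.
LAYOUT = {
    "steps": {
        "clone": {"keyid": "dev-key", "materials_from": None},
        "build": {"keyid": "ci-key", "materials_from": "clone"},
    },
    "final_product": ("build", "dist/agent.tar.gz"),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialisation so the signature covers a stable encoding.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_link(step: str, materials: dict, products: dict) -> dict:
    # A link records hashes of every artifact the step read and wrote.
    return {"_type": "link", "name": step,
            "materials": {p: sha256(b) for p, b in materials.items()},
            "products": {p: sha256(b) for p, b in products.items()}}


def sign_link(link: dict, key: bytes) -> dict:
    # HMAC is a stand-in for in-toto's asymmetric signature.
    sig = hmac.new(key, canonical(link), "sha256").hexdigest()
    return {"signed": link, "signature": sig}


def signature_valid(signed_link: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(signed_link["signed"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, signed_link["signature"])


def verify(layout: dict, signed_links: list, keys: dict, delivered: bytes) -> list:
    """Return a list of verification failures; an empty list means verified."""
    failures, links = [], {}
    # 1. Each link must carry a valid signature from the key the layout authorises.
    for sl in signed_links:
        name = sl["signed"]["name"]
        keyid = layout["steps"][name]["keyid"]
        if not signature_valid(sl, keys[keyid]):
            failures.append(f"{name}: bad signature for {keyid}")
        links[name] = sl["signed"]
    # 2. Artifact flow: a step's materials must equal the upstream step's products.
    for name, rule in layout["steps"].items():
        if name not in links:
            failures.append(f"{name}: link missing")
            continue
        if rule["materials_from"]:
            upstream = links.get(rule["materials_from"])
            if upstream is None or links[name]["materials"] != upstream["products"]:
                failures.append(f"{name}: materials do not match products of {rule['materials_from']}")
    # 3. What the client actually received must be what the build step produced.
    step, path = layout["final_product"]
    if step in links and links[step]["products"].get(path) != sha256(delivered):
        failures.append("delivered package does not match build product")
    return failures


def run_scenario(tamper: str = None) -> list:
    """Build a two-step chain with constructed sources; `tamper` injects one fault."""
    src = {"src/main.py": b"print('agent')\n", "src/setup.py": b"from setuptools import setup\n"}
    clone_link = sign_link(make_link("clone", {}, src), KEYS["dev-key"])
    build_in = dict(src)
    if tamper == "source":           # source altered between clone and build
        build_in["src/main.py"] = b"print('agent')  # altered\n"
    package = b"tarball-of:" + b"".join(build_in.values())
    build_key = KEYS["dev-key"] if tamper == "signer" else KEYS["ci-key"]
    build_link = sign_link(make_link("build", build_in, {"dist/agent.tar.gz": package}), build_key)
    delivered = package + b"\x00" if tamper == "package" else package
    return verify(LAYOUT, [clone_link, build_link], KEYS, delivered)


if __name__ == "__main__":
    for case in (None, "source", "package", "signer"):
        print(case, "->", run_scenario(case) or "verified")
```

A GPG-signed commit covers the source tree, but nothing ties the package a client downloads to that tree; the `materials_from` check and the final-product check are the two links that close that gap, and each `tamper` case shows which check catches which failure.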

------
bpt3
Great writeup! The supply chain is one of the weakest links in the software
development process today due to the implicit trust developers have in the
open source ecosystem, so I'm glad to see more interest in projects like
in-toto.

