toc/reviews/incubation-in-toto.md

in-toto Incubating Stage Review

in-toto is currently a CNCF sandbox project. Please refer to in-toto's initial sandbox proposal for discussion on in-toto's alignment with the CNCF and details on sandbox requirements.

In the time since being accepted as a sandbox project, in-toto has demonstrated healthy growth and progress. The Python reference implementation has had several releases.

• v1.1.1 is the latest patch release, shipped on Juky 27th, 2021. It added:

  • Tests that use source and destination prefixes in match rules, courtesy of Brandon Michael Hunter (#456)

  Other changes include:

  • Updated documentation of command alignment during verification workflow (#455)
  • Started using GitHub-native dependabot (#450)
  • Bump dependencies: attrs (#451), six (#452), securesystemslib (#453), cffi (#457), python-dateutil (#458), iso8601 (#459), pathspec (#460)
  • Fixed linter warnings (#462)

• v1.1.0 is the latest minor release, shipped on April 30th, 2021. It added:

  • SPDX License identifiers and copyright information (#440)
  • Aditya Sirish (@adityasaky) as a maintainer (#443)

  Other changes include:

  • PyPI development status from Beta to Production/Stable (#447)
  • Santiago Torres-Arias's (@SantiagoTorres) email to reflect Purdue affiliation (#446)
  • Debian downstream release metadata (#437)
  • Bump dependency: cryptography (#442)

  Finally, this release removed:

  • Support for Python 2.7 (#438)

• v1.0.1, shipped on March 1st, 2021. This was the final in-toto release that supported Python 2.7. This release added:

  • Python 3.9 in the CI test matrix (#419)
  • Logo and other visual enhancements on readthedocs (#420, #428)
  • Review of first evaluation period for 2021 roadmap (#421)

  The changes include:

  • Switch to GitHub Actions for CI (#432)
  • Switch to only running bandit on Python versions greater than 3.5 (#416)
  • Debian downstream release metadata (#418)
  • Bump tested dependencies: cffi (#415, #427), cryptography (#424, #429), securesystemslib (#430, #431), iso8601 (#423)
  • NOTE: the latest version of cryptography is no longer used on Python 2, as that is not supported.

  This release removed:

  • Dropped support for Python 3.5 (#419)

• v1.0.0 is the latest major release, shipped on November 23rd, 2020. This release added:

  • '-P/--password' (prompt) cli argument for in-toto-run/in-toto-record (#402)
  • in-toto-run link command timeout setting (#367)
  • API and usage documentation for cryptographic key handling with securesystemslib (#402, #408)
  • Artifact recording exclude pattern documentation (#373, #405)
  • Test key generation mixin (#402)
  • 2021 roadmap document (#381)

  The changes include:

  • Move 'settings' docs to new 'configuration' section and make minor enhancements in structure and content (#405)
  • Update tested dependencies (#377, #383, #384, #386, #389, #390, #394, #397, #398, #400, #404, #406, #409, #410, #411)
  • Debian downstream release metadata (#382)

  This release removed:

  • 'util' crypto module in favor of securesystemslib key interfaces (#402)
  • Obsolete coveralls.io API call in Travis test builds (#399)

  And it fixed:

  • Minor docs issues (#396, #385, #395)
  • pylint 2.6.0 (#387) and lgtm.com (#379) warnings

• v0.5.0, shipped on July 13th, 2020. New features include:

  • Docs: Major CLI and API documentation overhaul and release (#341, #369)
  • Bugfix: Use kwargs in in-toto-run to fix lstrip-paths bug (#340)
  • Feature: Add option to specify target directory for generated metadata (#364)
  • Tests: Add Python 3.8 to tested versions (#339)
  • Tests: Add tmp dir and gpg key test mixins (#345)
  • Tests: Use constant from securesystemslib to detect GPG in tests (#352)
  • Tests: Enhance test suite feedback on Windows (#368)
  • Dependencies: Misc updates (#342, #346, #349, #350, #353, #354, #356, #358, #359, #362, #363, #366)

• v0.4.2, shipped on January 7th, 2020. New features include:

  • Drop custom OpenPGP subpackage and subprocess module and instead use the ones provided by securesystemslib, which are based on the in-toto implementation and receive continued support from a larger community (#325)
  • Fix a race condition that caused tests to sporadically fail was already fixed in securesystemslib and is now also available to in-toto (#282, secure-systems-lab/securesystemslib#186)
  • Add Sphinx boilerplate and update installation instructions (#298, #331)
  • Update misc dependencies (#317, #318, #319, #320, #322, #323, #324, #326, #327, #328, #333, #335, #329)
  • Update downstream debian metadata (#311, #334)

• v0.4.1, was shipped on Oct 14th, 2019. New features include:

  • Update securesystemslib dependency to v0.12.0 (#299)
  • Add --version option to CLI tools (#310)
  • Address linter warnings (#308)
  • Update downstream debian metadata (#302, #305, #309)

• v0.4.0, shipped on September 9th, 2019. New features include:

  • Full artifact rule spec compliance (#269, #280)
  • Enhanced OpenPGP key export and key expiration verification (#266, #288)
  • Transitive PyNaCl dependency is now optional (#291)
  • Improved automatic test coverage analysis (#295)
  • Static analysis improvements (279, #296)
  • Improve upstream release packaging for Debian and Arch Linux (#279, #290)

More changes and small improvements are mentioned in the current release changelog.

Further, the Go implementation has had several pre-releases, the latest being v0.3.2. In recent months, the Go implementation has emerged as the bleeding-edge implementation, with support for newer experimental features such as those of proposed enhancements to the in-toto specification. One recent example is the addition of PKI support to the Go implementation.

There are also in-toto implementations written in Rust and Java. The former was largely developed by a student contributor during Google Summer of Code 2021, and the latter is now being reworked to incorporate newer changes to in-toto, such as the switch to a new signature envelope.

Beyond the current release other improvements to the broader reference implementation have been achieved.

A formalized governance policy has been instituted project-wide. This includes not only the in-toto python reference implementation, but the specifications, implementations in other languages and cloud-native tooling.

Incubating Stage Criteria

In addition to sandbox requirements, a project must meet the following criteria to become an incubation-stage project:

Document that it is being used successfully in production by at least three independent end users which, in the TOC’s judgment, are of adequate quality and scope

• In general, we document adopters on our website.
• Datadog uses a combination of in-toto and TUF to securely distribute their agent integrations. They have described this in detail here.
• The in-toto specification has inspired the development of Argos Notary by Rabobank.
• Boxboat is integrating SPIFFE, another CNCF project, with in-toto. This integration is documented in ITE-7.
• in-toto is also used by Cloud Native Application Bundles (CNAB), another CNCF project, in Signy.
• rebuilderd can generate in-toto metadata. This project is an orchestrator for rebuilders part of the Reproducible Builds project. Some examples of in-toto links in the wild: wolfpit.net/rebuild r-b.engineering.nyu.edu
• In the current implementations and demonstrations, the in-toto Attestation project is the metadata vehicle of choice for SLSA requirements.
• Tekton Chains is another example of in-toto integration. Chains can generate in-toto metadata, capturing information from the pipeline.
• The Sigstore project also supports in-toto metadata, though a tighter integration is under active development. Google mentioned this interaction in this blog post.
• The Qubes OS project uses in-toto with our apt-transport within their reproducible builds setup.
• IBM is working on a proof-of-concept that combines in-toto and ArgoCD.

Have a healthy number of committers. A committer is defined as someone with the commit bit; i.e., someone who can accept contributions to some or all of the project

• Maintainers of the project are listed in our MAINTAINERS.txt file. There are currently five core maintainers from Purdue University, New York University, and Conda who cut releases.

• Several other people have commit access, but cannot craft releases. They are:

  • Holger Levsen (Debian)
    • Holger helps us with packaging in-toto and the apt-transport for Debian
  • Ofek Lev (Datadog)
    • Ofek helps us maintain the git-specific semantics with in-toto

• We have had contributions from people associated with different organizations. Some of them, listed in no particular order:

  • Trishank Karthik Kuppusamy (Datadog)
  • Joshua Lock (VMWare)
  • Dan Lorenc (Google)
  • Fredrik Skogman (Solar Winds)
  • Christian Rebischke (Arch Linux)

• Maintainers are added and removed from the project as per the policies outlined in the project GOVERNANCE.md file.

• Finally, in-toto participated in Google Summer of Code (GSOC) in 2020 and 2021 through the CNCF.

Demonstrate a substantial ongoing flow of commits and merged contributions

• Releases: There were eight releases scheduled since the sandbox application as defined on our release schedule.

• Roadmap: We have annual roadmaps for the reference implementation and in-toto as a whole. Reviews are released at the end of each evaluation period described in the roadmap, and they can be found in the repositories for the reference implementation and in-toto docs.

• in-toto Enhancements (ITEs): We have a formal process for interested parties to submit new features or describe some aspect or integration of the in-toto specification. Since in-toto was accepted into the CNCF sandbox, the following ITEs have been proposed:

  • ITE-2 by Trishank Karthik Kuppusamy (Datadog), "Draft"
  • ITE-3 by Trishank Karthik Kuppusamy (Datadog), "Accepted"
  • ITE-4 by Santiago Torres-Arias (Purdue University), "Accepted"
  • ITE-5 by Santiago Torres-Arias (Purdue University), "Accepted"
  • ITE-6 by Mark Lodato (Google), "Draft"
  • ITE-7 by Mikhail Swift (Boxboat), discussions ongoing
  • ITE-8 by Furkan Turkal, Erkan Zileti, Batuhan Apaydin, discussions ongoing

• Contributors: https://github.com/in-toto/in-toto/graphs/contributors

• Commit activity: https://github.com/in-toto/in-toto/graphs/commit-activity

• CNCF DevStats: https://intoto.devstats.cncf.io/

  • Last 30 days activity on GitHub
  • Community Stats in-toto-python
  • Community Stats in-toto-golang

Security

Given that in-toto is a security product, in-toto's codebase has been written, designed and tested with security in mind. Some of the actions performed in order to ensure the quality and security of the codebase, as well as in-toto's design and specification include:

• Static analysis is performed using pylint and bandit
• Dependency vulnerability tracking using Dependabot
• Manual code analysis / review by a Maintainer for each included piece of code
• Security assessment by CNCF's SIG-SECURITY
• A peer-reviewed paper describing the threat model, its security properties, was published in USENIX Security '19
• in-toto's implementation has received the CII Silver Criteria Badge for best development practices

A more elaborated description of these security initiatives, as well as a vulnerability report process is included here.