We are actively working with repeatr to create a cross-compatible metadata format that can be used both for supply-chain step memoization and for supply-chain security.
We are participating in the reproducible builds community to improve the security properties of build systems. We are also integrating in-toto into reprotest, so that people can create in-toto metadata attesting to the reproducibility of a step. You can set up your own rebuilder to reproduce Debian packages and produce in-toto metadata by following the instructions here.
We are working with the git community to improve the security model of git metadata signing. We have already integrated three series of patches to ensure GPG-signed git tags can’t be spoofed.
We are actively working with the Debian community so that in-toto metadata is generated within Debian's software supply chain. In addition, we intend to have in-toto metadata verified when using Debian's dpkg/apt toolchain. You can take a look at and play around with our Debian apt-transport here.
The Arch Linux community has already included our git tag verification patches. We aim to have an integration similar to Debian's in the future.
Docker is currently trying out in-toto metadata internally to protect the security properties of their pipelines.
We have a demo deployment of openSUSE's OBS (Open Build Service) using in-toto. We are working with the openSUSE community to generate in-toto link metadata within their OBS services. You can see how this works today in this repo.
We are working actively with Control Plane to secure the software supply chain in cloud-native integrations.
Datadog has deployed TUF and in-toto into their pipeline! Read more here.