in-toto | News

June 5, 2023

in-toto’s specification reached v1.0! Find it here.

March 10, 2022

in-toto has moved from the Cloud Native Computing Foundation (CNCF) Sandbox to the Incubator! Read the full announcement here.

September 11, 2021

Our Google Summer of Code 2021 intern Qijia “Joy” Liu shares her story about the in-toto Rust implementation

June 8, 2021

The Google security team mentions in-toto in their blog article Verifiable Supply Chain Metadata for Tekton

February 2, 2021

Peter Elkind and Jack Gillum published an article SolarWinds about in-toto in ProPublica

December 15, 2020

Tech Xplore released an article warning about software supply chain attacks and describing in-toto.

December 12, 2020

The Linux Foundation received support to help advance several projects, including in-toto!

October 7, 2020

Our Google Summer of Code 2020 intern Christian Rebischke shares his story about the in-toto Go implementation

October 14, 2019

Tobias Furuholm presented in-toto at the CASTOR Software Days and shared a video recording and his slides with us.

October 2, 2019

Adrian Colyer wrote an article about in-toto in “the morning paper”.

July 9, 2019

in-toto was featured in the blog post “33(+) Kubernetes Security Tools”.

June 8, 2019

We demonstrated how reproducible builds can be verified on “apt install” using in-toto at MiniDebConf Hamburg. You can watch it online.

June 3, 2019

Datadog has deployed TUF and in-toto into their pipeline! Read more here.

June 1, 2019

Our paper “in-toto: providing farm-to-table security properties for bits and bytes” was accepted into USENIX ‘19. More information here.

February 13, 2019

We’ve worked alongside with Control Plane to make a test deployment of Kubesec using in-toto.

January 7, 2019

We released the first version of the official in-toto Jenkins plugin. This provenance Agent will help you track and sign link metadata for any step within your pipeline in a secure and distributed way.

October 19, 2018

Colin Domoney gave a talk on this year’s DevSecCon London. He covered some of the fundamentals of in-toto to protect your cloud native deployment, as well as some other good supply-chain security practices.

May 29, 2018

Pacman 5.1 has been released! This new version adds support for reproducible builds, and includes a security check for tampered git tag metadata.

May 17, 2018

A LWN article has been published, covering various supply chain security issues and their solutions, including grafeas, the update framework, and in-toto.

May 2, 2018

We presented in-toto along with Grafeas at Kubecon 2018.

April 12, 2018

Grafeas mentioned in-toto integration plans on the Google Cloud platform blog.

March 3, 2018

Our le-git-imate paper on improving the security of web-based Git repositories has been accepted at ASIACCS 2018!

February 20, 2019

We will present an integration of in-toto and Grafeas at KubeCon + CloudNativeCon Europe 2018 on May 2 in Copenhagen, Denmark.

October 17, 2017

A fix to our git tag metadata tampering attack paper (USENIX ‘16) has been included in the master branch of the pacman package manager and will be included in the next release.

August 10, 2017

Lukas presented in-toto at Debian’s Debconf 2017. You can watch the video of the talk here.

February 6, 2017

We presented a demo of in-toto at Dockercon 2017. You can watch the video here.

January 17, 2017

A fix to our git tag metadata tampering vulnerability was merged into git’s master branch and will be available starting from git v2.12. You can read more about it in our USENIX ‘16 paper.

October 14, 2016

We presented a demo of in-toto in the Docker Distributed System Summit. You can watch the video here.

October 7, 2016

We are live! please check back soon for more updates.