News
June 5, 2023
in-toto’s specification reached v1.0! Find it here.
March 10, 2022
in-toto has moved from the Cloud Native Computing Foundation (CNCF) Sandbox to the Incubator! Read the full announcement here.
September 11, 2021
Our Google Summer of Code 2021 intern Qijia “Joy” Liu shares her story about the in-toto Rust implementation.
June 8, 2021
The Google security team mentions in-toto in their blog article “Verifiable Supply Chain Metadata for Tekton”.
February 2, 2021
Peter Elkind and Jack Gillum published a SolarWinds article about in-toto in ProPublica.
December 15, 2020
Tech Xplore released an article warning about software supply chain attacks and describing in-toto.
December 12, 2020
The Linux Foundation received support to help advance several projects, including in-toto!
October 7, 2020
Our Google Summer of Code 2020 intern Christian Rebischke shares his story about the in-toto Go implementation.
October 14, 2019
Tobias Furuholm presented in-toto at the CASTOR Software Days and shared a video recording and his slides with us.
October 2, 2019
Adrian Colyer wrote an article about in-toto in “the morning paper”.
July 9, 2019
in-toto was featured in the blog post “33(+) Kubernetes Security Tools”.
June 8, 2019
We demonstrated how reproducible builds can be verified on “apt install” using in-toto at MiniDebConf Hamburg. You can watch it online.
June 3, 2019
Datadog has deployed TUF and in-toto into their pipeline! Read more here.
June 1, 2019
Our paper “in-toto: providing farm-to-table security properties for bits and bytes” was accepted into USENIX ‘19. More information here.
February 13, 2019
We’ve worked alongside Control Plane to make a test deployment of Kubesec using in-toto.
January 7, 2019
We released the first version of the official in-toto Jenkins plugin. This provenance agent will help you track and sign link metadata for any step within your pipeline in a secure and distributed way.
October 19, 2018
Colin Domoney gave a talk at this year’s DevSecCon London. He covered some of the fundamentals of using in-toto to protect your cloud native deployment, as well as some other good supply-chain security practices.
May 29, 2018
Pacman 5.1 has been released! This new version adds support for reproducible builds, and includes a security check for tampered git tag metadata.
May 17, 2018
An LWN article has been published, covering various supply chain security issues and their solutions, including Grafeas, The Update Framework, and in-toto.
May 2, 2018
We presented in-toto along with Grafeas at Kubecon 2018.
April 12, 2018
Grafeas mentioned in-toto integration plans on the Google Cloud platform blog.
March 3, 2018
Our le-git-imate paper on improving the security of web-based Git repositories has been accepted at ASIACCS 2018!
February 20, 2019
We will present an integration of in-toto and Grafeas at KubeCon + CloudNativeCon Europe 2018 on May 2 in Copenhagen, Denmark.
October 17, 2017
A fix to our git tag metadata tampering attack paper (USENIX ‘16) has been included in the master branch of the pacman package manager and will be included in the next release.
August 10, 2017
Lukas presented in-toto at Debian’s Debconf 2017. You can watch the video of the talk here.
February 6, 2017
We presented a demo of in-toto at Dockercon 2017. You can watch the video here.
January 17, 2017
A fix to our git tag metadata tampering vulnerability was merged into git’s master branch and will be available starting from git v2.12. You can read more about it in our USENIX ‘16 paper.
October 14, 2016
We presented a demo of in-toto at the Docker Distributed System Summit. You can watch the video here.
October 7, 2016
We are live! Please check back soon for more updates.