Sender | Message | Time |
---|---|---|
28 Jul 2023 | ||
@dpc:matrix.org |
Maybe there's a reason for it, but in crev there's more results. IIRC "harmful", "terrible, but probably just accidentally", neutral, "good enough", "very good", kind of things. | 21:23:25 |
Aditya Sirish | the idea is that the owner of a supply chain can write an in-toto "layout" that contains supply-chain-specific policies. the in-toto verification workflow applies these policies against attestations captured as the supply chain was executed. In the case of review attestations, I imagine the policy would be along the lines of a) is the review from one of [x,y, z] and b) is the review.rating==positive. Enumerating the one of [x, y, z] part could pull from the crev WoT. This would be one step in the supply chain for the corresponding dependencies, followed by similar checks for other things like "was this source code tested and did the tests pass?" etc. Also, in-toto is entirely developed as an open source project though there are a number of maintainers at various companies in the industry. I'm a student at NYU working on supply chain sec and in-toto first started here before being adopted by the Linux Foundation in the CNCF. While we work with all of these orgs, we're also somewhat active in the linux distro spaces. in-toto metadata can be generated by reproducible builds rebuilders (specifically rebuilderd) for arch linux, debian and so on. Eg: https://reproducible.archlinux.org/api/v0/builds/405065/attestation (Actually I first encountered crev through conversations with the developer of rebuilderd, kpcyrd) | 21:26:46 |
Aditya Sirish |
The original in-toto v1.0 wasn't semantically aware of "this is a code review step" and "this is a test step" | 21:27:18 |
Aditya Sirish | That version has a very generic approach to steps. It's, however, been deployed. | 21:27:34 |
Aditya Sirish | I like to think of all of this work as in-toto 2.0 where attestations have use-case specific schemas that policies can leverage. | 21:27:59 |
Aditya Sirish | So we're still working towards aggregating attestations of different types and enforcing policies. | 21:28:18 |
Aditya Sirish | I'm actively working on a prototype for the new verifier: https://github.com/adityasaky/in-toto-attestation-verifier/blob/main/layout.yml | 21:28:51 |
Aditya Sirish | in there you'll see a generic "link" that wraps any step, a test result predicate, a build provenance predicate. | 21:29:26 |
Aditya Sirish |
I was trying to enumerate as enums the different possible values, happy to add these as well. | 21:30:34 |
@dpc:matrix.org | I guess I understand what you're saying, but still feel somewhat lost. But anyway - I usually have my Matrix client opened, so feel free to ping me. :) | 21:32:23 |
Aditya Sirish | Happy to answer more questions too! I really would love to see crev flourish so I'm trying to support the project rather than not with how in-toto approaches review attestations. I appreciate all the work you and others in this community do! | 21:35:05 |
9 Aug 2023 | ||
Remram | Disregarding the compatibility side, is there any overlap between crev and in-toto? E.g. can I use it to answer the basic question of "is this software version approved by someone I know"? Your repository is pretty hard to parse, talking of "attestations", "policies", "predicates". That language probably makes a lot of sense to folks who focus on compliance, but from my own perspective I don't know what it does | 21:11:50 |
Aditya Sirish | That’s the intent, re using crev. With support for crev, you’d be able to write a policy saying “I want this dependency to be reviewed by n of A, B, C, with a positive rating”. Success in that case would ne when we have n positive rated crev attestations signed by the specified people | 23:40:49 |
11 Aug 2023 | ||
@tao_oat:matrix.org left the room. | 09:07:58 | |
Remram | What's the "policy" part of this though? | 15:33:50 |
Remram | git-appraise was posted to hackernews today: https://news.ycombinator.com/item?id=37084575 | 15:38:26 |
Aditya Sirish | @Remram I think I’m missing the question. Do you mean what rules can be set? Or where they are set and enforced? | 15:41:13 |
Remram | I mean what's "policy" even mean in this context | 15:41:42 |
Remram | if I decide to only use dependencies that crev approves of, that's my policy. What does your software provide at all? | 15:42:17 |
Remram | The in-toto docs mention it's about "attestation". Who attests what in this situation? | 15:45:07 |
Aditya Sirish | Okay I think I better understand the question now, thanks for clarifying. in-toto doesn't tell you specific policies. It provides the mechanisms to define the policies you want to enforce and a standardized framework for the claims you want to enforce the policy on. These claims are what's captured as attestations. Taking a step back, if the only policy you want to apply is crev dependency reviews, you don't need in-toto. in-toto shines when you have more than dependency reviews and you want to consider a variety of claims.An attestation can be of several types. It can record various aspects of your build process (https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md), capture the results of test runs (https://github.com/in-toto/attestation/blob/main/spec/predicates/test-result.md), or as I'm now trying, it can capture a crev review of some dependency.
The what depends on the type of attestation (and transitively the type of operation being performed). The who depends on the specific instance. Your CI system may be creating the build-specific attestation, the crev attestation may be signed by humans you work with who reviewed the attestation. So what in-toto allows is unifying all of these different types of attestations for a software supply chain. Your policy would specify not just the set of users who you trust for crev attestations but also which keys can sign your build attestations, etc. in-toto defines a format for multi-step policies called a layout. The layout lets you enumerate the steps in your supply chain and the attestations / signers expected for each. Other policy efforts / engines also support verifying certain attestation types (eg: | 17:00:19 |
Aditya Sirish | * Okay I think I better understand the question now, thanks for clarifying. in-toto doesn't tell you specific policies. It provides the mechanisms to define the policies you want to enforce and a standardized framework for the claims you want to enforce the policy on. These claims are what's captured as attestations. Taking a step back, if the only policy you want to apply is crev dependency reviews, you don't need in-toto. in-toto shines when you have more than dependency reviews and you want to consider a variety of claims. An attestation can be of several types. It can record various aspects of your build process (https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md), capture the results of test runs (https://github.com/in-toto/attestation/blob/main/spec/predicates/test-result.md), or as I'm now trying, it can capture a crev review of some dependency.
The what depends on the type of attestation (and transitively the type of operation being performed). The who depends on the specific instance. Your CI system may be creating the build-specific attestation, the crev attestation may be signed by humans you work with who reviewed the attestation. So what in-toto allows is unifying all of these different types of attestations for a software supply chain. Your policy would specify not just the set of users who you trust for crev attestations but also which keys can sign your build attestations, etc. in-toto defines a format for multi-step policies called a layout. The layout lets you enumerate the steps in your supply chain and the attestations / signers expected for each. Other policy efforts / engines also support verifying certain attestation types (eg: | 17:00:20 |
Aditya Sirish | * Okay I think I better understand the question now, thanks for clarifying. in-toto doesn't tell you specific policies. It provides the mechanisms to define the policies you want to enforce and a standardized framework for the claims you want to enforce the policy on. These claims are what's captured as attestations. Taking a step back, if the only policy you want to apply is crev dependency reviews, you don't need in-toto. in-toto shines when you have more than dependency reviews and you want to consider a variety of claims. An attestation can be of several types. It can record various aspects of your build process (https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md), capture the results of test runs (https://github.com/in-toto/attestation/blob/main/spec/predicates/test-result.md), or as I'm now trying, it can capture a crev review of some dependency.
The what depends on the type of attestation (and transitively the type of operation being performed). The who depends on the specific instance. Your CI system may be creating the build-specific attestation, the crev attestation may be signed by humans you work with who reviewed the attestation. So what in-toto allows is unifying all of these different types of attestations for a software supply chain. Your policy would specify not just the set of users who you trust for crev attestations but also which keys can sign your build attestations, etc. in-toto defines a format for multi-step policies called a layout. The layout lets you enumerate the steps in your supply chain and the attestations / signers expected for each. Other policy efforts / engines also support verifying certain attestation types (eg: https://github.com/sigstore/policy-controller, https://docs.seedwing.io/seedwing/index.html, https://github.com/enterprise-contract). | 17:00:40 |
Remram | So there is a tool somewhere into which you feed:
and then the tool checks whether the artifact is valid as per your policy? | 23:38:29 |
Remram | You're missing some overview of what your thing does, or at a fundamental level, is. "A framework" is not very descriptive, is it a legal framework? A community framework? The fact that everything is split between repositories like "in-toto" (is that the tool? The language spec?), "attestation" (doesn't the tool make attestations? Why does the "attestation" repo README describes it as "framework"?) doesn't help with getting oriented | 23:43:31 |
Remram | maybe this is really clear to the SLSA crowd but as an outsider, I can read all your READMEs and have no idea of what any of this provides | 23:43:59 |
@dpc:matrix.org | ☝️I had the same impression. Had no idea what in-toto actually do until you explained it to me here. :D | 23:44:49 |
Remram | Compare with the cargo-crev "Getting Started" guide: https://github.com/crev-dev/cargo-crev/blob/master/cargo-crev/src/doc/getting_started.md It shows how to get and run the tool, making a review, and showing the output of the verification | 23:45:10 |
Aditya Sirish | Yeah, the in-toto spec’s been developed in parallel and it’s a bit hard to pull all of those concepts together. That’s something we’ve wanted to improve, but bandwidth’s been an issue :/ | 23:57:02 |
15 Aug 2023 | ||
Danilo changed their display name from Danilo to Danilo (2525). | 11:30:12 |