[opensuse-factory] Re: in-toto opensuse demo
Hi, On 2017-07-17 15:53:10 -0400, Shikher Verma wrote:
I am Shikher Verma, I'm working on the in-toto project[2] under the guidance of Professor Cappos. in-toto is a tool which provides a secure, auditable trail of development. We want to integrate in-toto in Open Build Service, osc & zypper.
I have put together a demo[1] to showcase how in-toto could be integrated with the Open Build Service and zypper.
Hmm, maybe I missed something, but the demo does not really answer what you exactly want to achieve/integrate. For instance, what do you want to integrate into osc? From what I see, both in-toto and osc keep track of source files: do you want to "unify" this, for instance, into a single osc command? E.g., osc in-toto add <file1> <file2> ... <fileN> in order to instruct in-toto and osc to keep track of the passed files? If so, you could use osc's plugin mechanism to add custom commands to osc. However, I'm not sure if this really helps, because, if I understand in-toto correctly, you might end up with different sets of "osc in-toto" commands per "software project/layout"... (maybe it is the other way around and you actually want to integrate "osc" into "in-toto"?:) ) A conceptual question: why should an end-user (or "client" in the in-toto spec parlance) verify all the source files etc. that were used to create the package? Wouldn't it be sufficient if she just checks whether the package which she is going to install was signed with a known/trusted key? (The OBS can be used to sign packages and the package manager usually checks the signatures before the installation.)
The demo does not include making and accepting Submit Requests since I was unable to deploy OBS in a docker (systemd/openrc got in the way).
Hmm what would/should happen in case of a submit request?
I have already discussed this with Bernhard Wiedemann. He suggested that we discuss with the community how to integrate in-toto with these tools.
You can read more about the project and take a look at the specification on our website[2]. We are still shy of our 1.0 release, so some things may move around a little bit. How would you guys suggest we start taking a look at a task that seems so daunting?
Marcus
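To make the conceptual question above concrete, here is an added example (not code from the thread, from in-toto or from OBS) that contrasts a package signature check with a chain check: a stand-in for in-toto link metadata records hashes of what each step consumed and produced, and a verifier requires each step's materials to match the previous step's products, the idea behind in-toto's MATCH rule. The step names, the sample sources and the "rpm" bytes are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_link(step: str, materials: dict, products: dict) -> dict:
    """Hypothetical stand-in for an in-toto link: record hashes of what a
    step consumed (materials) and what it produced (products)."""
    return {"step": step,
            "materials": {n: sha256_hex(b) for n, b in materials.items()},
            "products": {n: sha256_hex(b) for n, b in products.items()}}

def verify_chain(links: list, expected_steps: list) -> list:
    """Return a list of findings; an empty list means the chain is consistent.
    Steps must appear in the layout's order, and every material of a step must
    carry the same hash as the previous step's product of that name."""
    findings = []
    seen = [link["step"] for link in links]
    if seen != expected_steps:
        findings.append("step order differs from layout: %r" % seen)
    for prev, cur in zip(links, links[1:]):
        for name, digest in cur["materials"].items():
            if prev["products"].get(name) != digest:
                findings.append("%s consumed %s that %s did not produce"
                                % (cur["step"], name, prev["step"]))
    return findings

# Constructed sample artifacts (not a real package) for a two-step chain:
# an osc-style checkout produces sources, the build consumes them and yields an rpm.
SOURCES = {"foo.c": b"int main(void){return 0;}\n", "foo.spec": b"Name: foo\n"}
PACKAGE = {"foo.rpm": b"constructed-rpm-bytes"}
LAYOUT_STEPS = ["checkout", "build"]

def honest_chain() -> list:
    return [make_link("checkout", {}, SOURCES), make_link("build", SOURCES, PACKAGE)]

def tampered_chain() -> list:
    # The build ran on a foo.c altered after checkout. The resulting rpm can
    # still carry a valid build-service signature, so a signature check on the
    # final package alone does not reveal this; the chain check does.
    altered = dict(SOURCES, **{"foo.c": b"int main(void){return 1;}\n"})
    return [make_link("checkout", {}, SOURCES), make_link("build", altered, PACKAGE)]

if __name__ == "__main__":
    print("honest:", verify_chain(honest_chain(), LAYOUT_STEPS))
    print("tampered:", verify_chain(tampered_chain(), LAYOUT_STEPS))
```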