Add in-toto metadata to python-tuf releases #529

Open
@vladimir-v-diaz

Description of issue or feature request:
Project releases should include in-toto metadata that can be used to validate the integrity of the release's software supply chain.

Current behavior:
Developer signatures can be provided for each release of the project, both on GitHub and PyPI. However, these signatures do not guarantee that some part of the source->release process was not compromised.

Expected behavior:
The packaged release should include metadata and a way to verify that the project was packaged as intended. All steps of the source->release procedure should be properly signed and confirmed to be valid, as defined by the project developers.
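To make the requested behaviour concrete, here is an added example (not python-tuf's code and not the in-toto library's API) that models what in-toto link metadata buys a verifier: each step of the source->release procedure records hashes of its inputs (materials) and outputs (products) in a signed link, a layout states which functionary may run which step, and verification checks the signature, the authorization, and that each step consumed exactly what the previous step produced. The functionary keys, the layout, the file contents and the HMAC-based "signatures" (standing in for the asymmetric signatures real in-toto uses, so the example runs with the standard library alone) are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed functionary keys. Real in-toto uses public-key signatures;
# HMAC with a shared secret is used here only to keep the example stdlib-only.
FUNCTIONARY_KEYS = {
    "alice": b"alice-secret-key",  # may run the "clone" step
    "bob": b"bob-secret-key",      # may run the "package" step
}

# Minimal layout (constructed): each step names who may run it and which
# earlier step's products must equal its materials.
LAYOUT = {
    "steps": [
        {"name": "clone", "authorized": ["alice"], "expected_materials": None},
        {"name": "package", "authorized": ["bob"], "expected_materials": "clone"},
    ],
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_link(step, functionary, materials, products):
    """Record one step as a signed link: hashes of its inputs and outputs."""
    signed = {
        "step": step,
        "materials": {name: sha256(content) for name, content in materials.items()},
        "products": {name: sha256(content) for name, content in products.items()},
    }
    sig = hmac.new(FUNCTIONARY_KEYS[functionary], canonical(signed), "sha256").hexdigest()
    return {"signed": signed, "functionary": functionary, "signature": sig}


def verify_chain(layout, links):
    """Return (ok, reason) after checking signatures, authorization and continuity."""
    by_step = {link["signed"]["step"]: link for link in links}
    for step in layout["steps"]:
        link = by_step.get(step["name"])
        if link is None:
            return False, f"missing link for step {step['name']}"
        who = link["functionary"]
        if who not in step["authorized"]:
            return False, f"{who} is not authorized for step {step['name']}"
        key = FUNCTIONARY_KEYS.get(who)
        if key is None:
            return False, f"unknown functionary {who}"
        expected = hmac.new(key, canonical(link["signed"]), "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["signature"]):
            return False, f"bad signature on step {step['name']}"
        prev = step["expected_materials"]
        # Steps are listed in order, so the previous step's link was already checked.
        if prev is not None and link["signed"]["materials"] != by_step[prev]["signed"]["products"]:
            return False, f"materials of {step['name']} do not match products of {prev}"
    return True, "supply chain verified"


def demo():
    """Run the verifier over a clean chain, a tampered chain and a wrong signer."""
    # Constructed artefacts standing in for a source tree and a built release.
    source = {"tuf/__init__.py": b"__version__ = '0.0.0'\n"}
    release = {"tuf-0.0.0.tar.gz": b"<constructed tarball bytes>"}

    good = verify_chain(LAYOUT, [
        make_link("clone", "alice", materials={}, products=source),
        make_link("package", "bob", materials=source, products=release),
    ])

    # The packager built from a source tree that differs from what was cloned.
    modified = {"tuf/__init__.py": b"__version__ = '0.0.0'\n# unexpected change\n"}
    tampered = verify_chain(LAYOUT, [
        make_link("clone", "alice", materials={}, products=source),
        make_link("package", "bob", materials=modified, products=release),
    ])

    # The package step was run by someone the layout does not authorize.
    wrong_signer = verify_chain(LAYOUT, [
        make_link("clone", "alice", materials={}, products=source),
        make_link("package", "alice", materials=source, products=release),
    ])
    return good, tampered, wrong_signer


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second and third cases are exactly what a per-release developer signature cannot catch: the final artefact is validly signed, but the recorded chain shows that the packaging step either consumed something other than the cloned sources or was performed by a party the layout does not trust.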
