Skip to content

Commit

Permalink
Merge pull request #35 from jkjell/main
Browse files Browse the repository at this point in the history
Move 2023 roadmap to archive and update 2024 roadmap
  • Loading branch information
SantiagoTorres authored Nov 1, 2024
2 parents 69d51d1 + 84d6e2d commit 6aae28c
Show file tree
Hide file tree
Showing 2 changed files with 276 additions and 162 deletions.
274 changes: 112 additions & 162 deletions ROADMAP.md
Original file line number Diff line number Diff line change
@@ -1,164 +1,114 @@
Roadmap
=======
# Roadmap

_Note: Previous roadmaps can be found with the roadmap reviews for that period.
[Link to Roadmap 2022](/roadmap-reviews/2022/ROADMAP.md)_

This document spans the Roadmap for the in-toto project for the 2023 calendar
year. As before, the theme of this year's efforts are focused on extending
in-toto through new and existing ITEs, and adding support for them in the
implementations we maintain.

## in-toto v1.0

The last tagged release of the in-toto specification was v0.9. We are gearing
up to tag v1.0 of the specification. This process entails addressing some long
standing discussions and issues, and several rounds of reviews to catch any
inconsistencies and errors that may require breaking changes to fix later.
Apart from these processes, there aren't any major blockers to the
specification reaching the 1.0 milestone -- it has been stable for a significant
amount of time and much of in-toto's development happens through in-toto
Enhancements (ITEs). We expect the v1.0 release to happen in the first review
period of this roadmap.

Note that this planned v1.0 release checkpoints in-toto at its pre-attestation
stage. As the attestation framework matures and reaches stability, it is likely
to have its own tagged releases, either as a standalone specification or as part
of the main specification's future releases.

## ITEs

Several important ITEs were introduced in the last few years.
[ITE-2](https://github.com/in-toto/ITE/blob/master/ITE/2) and
[ITE-3](https://github.com/in-toto/ITE/blob/master/ITE/3)
discussed how to use TUF as a root of trust for in-toto metadata.
[ITE-4](https://github.com/in-toto/ITE/blob/master/ITE/4)
introduced the notion of non-file artifacts in in-toto, a semantic that is very
useful in capturing attestations about abstract artifacts and processes such as
GitHub pull requests and reviews that are prevalent in real world software
supply chains. [ITE-5](https://github.com/in-toto/ITE/blob/master/ITE/5)
disassociated the signature wrapper from the in-toto specification and
recommended a switch to DSSE.
[ITE-6](https://github.com/in-toto/ITE/blob/master/ITE/6) perhaps had the most
impact of all the ITEs, introducing the in-toto Attestation framework. This was
paired with [ITE-9](https://github.com/in-toto/ITE/blob/master/ITE/9) that
described a process for the in-toto community to introduce new attestation
types, and established the in-toto attestation maintainers, a group of industry
stakeholders who review and provide feedback about new attestation types.
[ITE-7](https://github.com/in-toto/ITE/blob/master/ITE/7) added support for
creating and verifying signatures using X.509 certificates.

### ITE-6, ITE-9, and Policies for in-toto Attestations

This year, we are working towards having ITE-6 and ITE-9 accepted. ITE-6 is
already used in a number of applications, most notably by the SLSA
specification. We believe it's time to accept ITE-6 and continue to develop the
attestation framework. Similarly, ITE-9 is still a draft but the process
described in it is already being applied to several new attestation type
proposals. The attestation maintainers have reviewed proposals for runtime
traces and the Software Supply Chain Attribute Integrity (SCAI) specification.
We expect both ITEs to be accepted in the first review period of this roadmap.

Besides these existing ITEs, a key aim for this year is to introduce a new ITE
that proposes modifications to in-toto layouts. As it stands, in-toto layouts
cannot be used to verify ITE-6 attestations. With ITE-6 close to being accepted,
the focus is now on closing this gap so that in-toto attestations can be
verified using our verification workflows. Alongside defining new layout
schemas, we hope to revive the work on ITE-8 to introduce a library of in-toto
policies. Early drafts of the new ITE should be available for the community to
peruse in the first review period, and depending on the capabilities it
introduces, ITE-8 will likely be revived right after.

### Hierarchy for Attestation Types and the Predicate Dictionary

In the last year, we have discussed at several times if we want to establish a
hierarchy for in-toto attestation types. As more attestations are introduced for
various contexts, some may be derived or may extend others. As such, one of the
aims for this year is to formally study how to handle these scenarios.

Another closely related discussion was about the creation of a "predicate
dictionary". The idea here was to identify how different attestation types
overlap, and when they can be used interchangeably. For example, a SLSA
Provenance attestation contains every information used by in-toto's verification
workflow from in-toto link metadata. We believe that building this out will go a
long way to improving in-toto's usability and a sense of the minimum set of
attestations necessary to secure software supply chains as per current
standards.

### ITE-7

As noted before, this ITE introduced the use of X.509 certificates in in-toto.
This ITE has been implemented in in-toto-golang and other implementations such
as TestifySec's Witness. After another round of reviews at KubeCon late last
year, this ITE is also nearing acceptance. Depending on when implementations
that prototype this ITE get updated, we expect ITE-7 to be accepted either in
the first or second review periods.

## in-toto Attestations

Apart from the task of reviewing and providing feedback for the development of
new attestation types, the attestation maintainers also plan to work on updating
and maintaining the in-toto attestation specification itself. There are several
tasks planned as part of this effort. Some broad plans are:
* addressing ongoing discussions and issues pertaining to the attestation
framework
* improving the discoverability of reviewed (ITE-9) predicates
* creating language-independent definitions of reviewed predicates to streamline
their adoption

## in-toto Implementations

Several of in-toto's implementations were updated with support for various ITEs
in the last year. The Python reference implementation is close to receiving
support for DSSE. in-toto-java and in-toto-rs were updated with support for ITEs
5 and 6. We plan to continue working on our implementations to support new and
existing ITEs. This will greatly aid us as we develop integrations with other
projects and foster adoption in various organizations.

In particular, we plan to work on the Python reference implementation to support
ITE-6 attestations. It is the only implementation that currently has no support
for attestations, and this is because of the stability guarantees we make for
it. The last year has showed us that in-toto attestations are reaching stability
and when ITE-6 is accepted, it will be time to support attestations in the
reference implementation as well.

Our work on in-toto implementations will continue to be in conjunction with the
development of ITEs. Some exciting projects we expect to work on this year are:
* supporting in implementations for the layouts that can verify attestations
* adding ITE-9 reviewed predicates to one or more implementations
* improving usability and simplifying the deployment of in-toto and TUF (ITE-2)
in software supply chains

## Integrations

Over the years, in-toto has been integrated into various other tools and
systems. We plan to continue supporting their development and collaborating with
other software supply chain security stakeholders. We are excited about the work
we're doing with projects like Keylime, GUAC, and Sigstore, and we hope to talk
about it more over the course of this year.

Integrations we maintain ourselves will continue to get new features and
support. Our Jenkins plugin recently received the capability to generate SLSA
Provenance alongside its support for in-toto link metadata.

## Community

One of the efforts that has already started is a revamp of how the in-toto
community is managed. A new starting point for all things in-toto was set up
recently: https://github.com/in-toto/community. We believe this will help
summarize the various in-toto projects and implementations in one place, as well
as describe aspects of the community such as its governance, meeting cadence,
contributing guidelines, and more.

## Roadmap Review Schedule

We have a new release schedule for our reviews as our roadmap now applies to the
calendar year.

- End of April 2023
- End of August 2023
- End of December 2023

We will use these slots to release our roadmap reviews and depending on the
development of various features, reviews may be accompanied by releases of our
implementations.
[Link to Roadmap 2023](/roadmap-reviews/2023/ROADMAP.md)_

## Ongoing Work

Cross-collaboration with many external groups and projects, including:

- OpenSSF and groups
- SBOMit
- gittuf
- Protobom
- IETF
- Supply Chain Integrity, Transparency, and Trust (SCITT) Working Group
- Package Repositories
- PyPI
- RubyGems

## Recently Completed Work

### Ecosystem

Several major products and repositories now have support for in-toto attestations, including:

- [NPM](https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/)
- [Homebrew](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/)
- [GitHub](https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/)

### Specification and In-toto Enhancements (ITEs)

- The in-toto v1.0 [Specification](https://github.com/in-toto/specification/blob/v1.0/in-toto-spec.md) was tagged June 5th 2023
- ITEs to support layouts with the attestation framework were merged as `Draft`
- [ITE-10](https://github.com/in-toto/ITE/tree/master/ITE/10): Supporting Contextual in-toto Attestations in Layouts
- [ITE-11](https://github.com/in-toto/ITE/tree/master/ITE/11): Verifying Attributes in in-toto Attestations

### Attestations

- New Predicate Types
- Software Supply Chain Attribute Integrity ([SCAI](https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md))
- [Release](https://github.com/in-toto/attestation/blob/main/spec/predicates/release.md)
- [Reference](https://github.com/in-toto/attestation/blob/main/spec/predicates/reference.md)
- Protobuf Language Bindings available
- [Go](https://github.com/in-toto/attestation/tree/main/go)
- [Java](https://github.com/in-toto/attestation/tree/main/java)
- [Python](https://github.com/in-toto/attestation/tree/main/python)

### Witness

- [Donation](https://github.com/in-toto/community/issues/17) of the project to in-toto during KubeCon '23 - Chicago
- Improvement of [CLO Monitor Scores](https://clomonitor.io/projects/cncf/in-toto#witness) to 99+
- Support for generating new types of attestations:
- [SLSA Attestor](https://witness.dev/docs/docs/attestors/slsa)
- [Link Attestor](https://witness.dev/docs/docs/attestors/link)
- [Jenkins Attestor](https://github.com/in-toto/go-witness/pull/323)
- [SBOM Attestor](https://witness.dev/docs/docs/attestors/sbom)
- [VEX Attestor](https://witness.dev/docs/docs/attestors/vex)
- Support for new Key Management Systems (KMS)
- [AWS KMS](https://witness.dev/docs/docs/signers/kms#aws)
- [GCP KMS](https://witness.dev/docs/docs/signers/kms#gcp)
- New documentation [website](https://witness.dev/)

### Archivista

- [Donation](https://github.com/in-toto/community/issues/18) of the project to in-toto during KubeCon '23 - Chicago
- Improvement of [CLO Monitor Score](https://clomonitor.io/projects/cncf/in-toto#archivista) to 95+
- Helm [charts](https://github.com/in-toto/archivista/tree/main/chart) for deployment
- Support for [eventing](https://github.com/in-toto/archivista/pull/377) on attestation uploads
- Storing of Witness [Policies](https://github.com/in-toto/archivista/pull/251)

### Others

- Docs [assessment](https://github.com/cncf/techdocs/blob/main/analyses/0009-in-toto/README.md) from CNCF Tech Docs group
- [Donation](https://github.com/in-toto/community/issues/14) of [attestation-verifier](https://github.com/in-toto/attestation-verifier)
- [Donation](https://github.com/in-toto/community/issues/11) of [scai-demos](https://github.com/in-toto/scai-demos)

## Near and Mid-term Work

### Specification and In-toto Enhancements (ITEs)

- Formal acceptance of ITE-10 and ITE-11

### Attestations

- Continued work to build out library of common predicate types
- Documentation on best practices and considerations in choosing when to use a specific predicate type when there may be multiple similar options

### Witness

- Support for ITE-10 and ITE-11-style policies
- New attestor types
- OmniTrail: based on the Omnibor project
- Lockfile: Storing contents of common language lock files
- Support for Sigstore bundle format during signing
- Continued documentation updates
- A framework to allow external attestors
- TUF Client to securely receive up-to-date policies from Archivista

### Archivista

- Integration with RSTUF
- Policies: the ability to store, approve, and revoke trust in Witness policies via TUF metadata
- Attestations: the ability to store, approve, and revoke trust in attestations via TUF metadata

### Others

Policy WG continuing collaboration on new policy specification, moving ITE-10 and ITE-11 towards acceptance

## Long-term Work

- Deprecate in-toto golang
- Documentation and Github repository restructuring
- Consolidate cryptographic signing libraries
- Continued collaboration and integration with open source build and security tools
Loading

0 comments on commit 6aae28c

Please sign in to comment.