I want a spec for providing metadata defining which artifacts should go into a build and how to build it, and multiple implementations of that spec, and the ability to deploy different implementations to different cloud vendors using SEV to attest to the boot state, and then verify that all these different implementations in different environments generate identical outputs so we can avoid having to place arbitrary trust in our build systems

@mjg59
You could build this under https://in-toto.io/ I think?

Cc @sangy

@Foxboron @mjg59 Yup! there's actually some work to e.g., attest the state of the builder and more using a link type called SCAI: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md

There's already stuff to e.g., cross compare various attestations for agreement by using threshold mechanisms!
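
The threshold idea from the thread, as an added sketch that is not code from any of the posters or from the in-toto project: given Statements from several independent builders, accept an artifact digest only if at least `threshold` builders report the same one, and list the builders that disagree. It assumes each Statement's signature was already verified and mapped to a builder identity; the builder names, the `predicateType` placeholder and the sample contents are constructed, and no in-toto library is used.

```python
import hashlib
from collections import defaultdict

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"

def statement(artifact, content):
    """Build a constructed Statement whose subject is sha256(content)."""
    digest = hashlib.sha256(content).hexdigest()
    return {"_type": STATEMENT_TYPE,
            "subject": [{"name": artifact, "digest": {"sha256": digest}}],
            "predicateType": "https://example.invalid/placeholder-predicate",
            "predicate": {}}

def check_agreement(attestations, threshold):
    """attestations: list of (builder_id, statement) with verified signers."""
    claims = defaultdict(dict)  # artifact -> {builder: digest, or None}
    for builder, stmt in attestations:
        if stmt.get("_type") != STATEMENT_TYPE:
            continue  # ignore anything that is not an in-toto v1 Statement
        for subj in stmt.get("subject", []):
            name = subj.get("name")
            digest = subj.get("digest", {}).get("sha256")
            if not name or not digest:
                continue
            # A builder that reports two digests for one artifact loses its vote.
            prev = claims[name].get(builder, digest)
            claims[name][builder] = digest if prev == digest else None
    report = {}
    for name, by_builder in claims.items():
        tally = defaultdict(list)
        for builder, digest in by_builder.items():
            if digest is not None:
                tally[digest].append(builder)
        # Exactly one digest may reach the threshold; a split is a failure.
        winners = [d for d, b in tally.items() if len(b) >= threshold]
        accepted = winners[0] if len(winners) == 1 else None
        agree = sorted(tally[accepted]) if accepted else []
        report[name] = {"digest": accepted, "agree": agree,
                        "dissent": sorted(set(by_builder) - set(agree))}
    return report

# Constructed sample: three builders, one of which produced different bytes.
SAMPLE = [
    ("builder-a", statement("app.tar", b"release bytes")),
    ("builder-b", statement("app.tar", b"release bytes")),
    ("builder-c", statement("app.tar", b"release bytes + drift")),
]

if __name__ == "__main__":
    print(check_agreement(SAMPLE, threshold=2))
```

A non-empty `dissent` list is the signal worth alerting on: it names the build environment whose output diverged even when the threshold was still met.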