
ENH:proposals: add in-toto graduation proposal #1162

Open · wants to merge 1 commit into base: main

Conversation

@SantiagoTorres (Contributor) commented Aug 31, 2023

This is a formal proposal for the graduation of the in-toto project.

in-toto is an open-source project that joined CNCF as a sandbox project in August 2019 and entered incubation in March 2022.
Since then, in-toto has experienced a remarkable degree of adoption within various ecosystems and use cases. These include GitHub's, GitLab's and Tekton's, among others. Due to this, we are confident that in-toto is ready to graduate.

Supporting Documents

link to graduation DD document

Incubation Documents

link to incubation PR
incubation DD

P.S. I was holding back on the formal proposal because there were going to be changes to the process, but seeing that other projects are moving forward as well, I'd rather leave a formal paper trail.

@lukehinds (Contributor):

nb +1!

@adityasaky (Contributor):

Very excited to see this happen!

@JustinCappos (Contributor):

nb +1. This is long overdue!!!

@trishankatdatadog (Contributor):

+1


@mnm678 (Contributor) commented Aug 31, 2023

nb +1

@tannerjones4075:

It is great to see the progress and see the impact of in-toto thus far. Great things to come!

amye added the graduation label Sep 6, 2023

@evan2645 commented Sep 6, 2023

nb +1 🎉

@joshuagl commented Sep 7, 2023

nb +1 🎓

in-toto is not only a great system, it is also a frequently cited inspiration for other systems, defines standard formats that multiple systems implement, and benefits from multiple quality implementations.

@lukpueh commented Oct 16, 2023

nb +1

As one of the original in-toto core team members, I can attest that a lot of thought has gone into the design and development of the system. And I am very excited to see its impact grow in the supply chain security ecosystem. Graduation seems appropriate.

@marcelamelara:

+1 for graduation of in-toto!!

@colek42 commented Oct 16, 2023

+1

@kommendorkapten:

+1

@idunbarh:

+1. As a relative newcomer to the project, I've been really impressed by the maintainers and community. Absolutely supportive of project graduation!

@alanssitis:

+1 ❤️

@06kellyjac:

+1

@matglas commented May 5, 2024

+1

linsun self-assigned this Jun 3, 2024

@linsun (Contributor) commented Jun 3, 2024

Hi @SantiagoTorres, I'll be reviewing your proposal soon! Excited to see so much support of in-toto here!

@kairoaraujo:

+1

@linsun (Contributor) commented Jun 25, 2024

Some update: I met with @SantiagoTorres last week and walked him through the new process along with the expected timeline. I raised a few issues with @SantiagoTorres and started working on putting the DD doc together. From our discussion, @SantiagoTorres has already set up a review with TAG-security, see cncf/tag-security#1290.

I'm traveling this week and the next 2 weeks, unfortunately, so I will have limited bandwidth, but I will make progress whenever I can.

cc @TheFoxAtWork @nikhita FYI

@anvega (Contributor) commented Jul 18, 2024

TAG Security has conducted a thorough review of the in-toto project as part of its consideration for CNCF graduation. Based on our assessment, we find:

in-toto presents as a mature, well-designed security project that has made significant strides toward graduation. Key points supporting this include:

  • in-toto's value and reliability in real-world applications is exhibited by its wide adoption across companies and projects, including Datadog, SolarWinds's Trebuchet, GitHub npm Package Provenance, OpenVEX, SLSA, Sigstore, Tekton and many more. This demonstrates its value and reliability in real-world applications.
  • The project underwent a thorough security audit conducted by X41 D-Sec, facilitated by OSTIF and funded by CNCF. This audit demonstrated:
      a) Scope: The audit covered both Python and Go implementations, reviewing all in-scope code.
      b) Methodology: Manual review was complemented by language-specific static code analyzers, ensuring a comprehensive approach.
      c) Findings: The audit identified 1 High, 4 Medium, and 3 Low severity vulnerabilities, indicating a thorough examination.
      d) Critical issue addressed: The most severe vulnerability, which could have compromised the entire security chain, was identified and addressed.
      e) Transparency: The full audit report is publicly available, demonstrating the project's commitment to openness.
      f) Proactive improvements: X41's team provided recommendations to enhance the overall security posture beyond just addressing vulnerabilities.
  • in-toto has achieved gold status on the OpenSSF Best Practices badge, indicating adherence to security recommended practices.
  • The project is very intentional about its design providing a flexible framework for securing software supply chains, allowing for various use cases and integrations. Its design enables detailed tracking and verification of software development processes.
  • in-toto has updated its governance structure, formed a technical steering committee with defined roles and duties, and conducted elections, demonstrating a commitment to sustainable community management.
  • The project has addressed concerns raised during the incubation review, including conducting a security audit, improving documentation, and enhancing governance.

Opportunities for further development:

  • As in-toto subprojects under the larger in-toto organization umbrella continue to mature, there may be value in conducting security audits for these components, particularly for newly donated subprojects.
  • The project's role in important initiatives like SLSA could be further highlighted to demonstrate its impact on the broader security ecosystem.
  • Encouraging and supporting further integrations with other tools and platforms could enhance in-toto's value proposition.

In conclusion, in-toto demonstrates the characteristics of a graduated-level CNCF project, particularly in terms of security. Its wide adoption, successful response to security audits, and overall mature security posture make it a strong candidate for graduation. The project serves as an exemplar of security design in the ecosystem.

@linsun (Contributor) commented Jul 29, 2024

Thank you @anvega for the detailed note; glad the review went very well and that in-toto continues to demonstrate the characteristics of a graduated-level CNCF project.

Update: @SantiagoTorres is working on getting me interviewer lists and also answering some questions I had while preparing the DD doc.

@linsun (Contributor) commented Sep 3, 2024

Still working with @SantiagoTorres on the proposal doc; I also have 1 interviewee scheduled this week!

Project status: In Due Diligence