Authors: Cole Kennedy
2022-10-24

tldr - powered by Generative AI

Witness is an open-source project that allows software producers to make and verify attestations about the software they produce, making it easy to produce verifiable evidence for software builds. Archivist is a platform that stores these attestations. The goal is to automate pipeline compliance and ensure that the build materials that are expected to go into the build actually do go into that build.
  • Witness implements the in-toto specifications and allows software producers to make and verify attestations about the software they produce
  • It has integrations with open-source projects and platforms such as Sigstore, SPIRE, GitHub, and GitLab
  • Witness makes it easy to produce verifiable evidence for software builds
  • It supports both containerized and non-containerized workloads
  • Archivist stores these attestations
  • The goal is to automate pipeline compliance and ensure that the build materials that are expected to go into the build actually do go into that build

Authors: Mikhail Swift
2022-10-24

tldr - powered by Generative AI

Archivist is a graph database and service that indexes in-toto attestations to find and discover relevant attestations using a GraphQL API.
  • Archivist is designed to archive more data and make finding relevant attestations easier
  • Archivist uses in-toto attestations as graph edges and indexes them onto a graph using Dgraph
  • Archivist exposes a GraphQL API for users to query and refine their searches over time
  • Archivist pulls out specific information such as what attestations were in the in-toto attestation and the signatures before pulling the attestation
  • Archivist uses in-toto subjects as graph edges and the statement itself as arbitrary data
  • Archivist can be used to find code review attestations and other relevant attestations to prove policy enforcement