This repository has been archived by the owner on Mar 16, 2021. It is now read-only.
in-toto.html
---
layout: default
css_id: about
---
<h3>What is in-toto?</h3>
<p>
A software supply chain is the series of steps performed when writing,
testing, packaging, and distributing software. A typical software
supply chain is composed of multiple steps "chained" together that
transform (e.g., compilation) or verify the state (e.g., linting) of
the project in order to drive it to a final product.
</p>
<p>
Supply chain security is crucial to the overall security of a software
product. An attacker who is able to control a step in the supply chain
can alter the product for malicious intents that range from introducing
backdoors in the source code to including vulnerable libraries in the
final product. As a result, supply chain breaches are an impactful
means for an attacker to affect multiple users at once.
</p>
<p>
Although many frameworks exist to ensure security in the "last mile"
(e.g., software updaters), they may be providing integrity and
authentication to a product that is already vulnerable; it is possible
that, by the time the package makes it to a software update repository,
it has already been compromised.
</p>
<p>
in-toto is designed to ensure the integrity of a software product from
initiation to end-user installation. It does so by making it
transparent to the user what steps were performed, by whom and in what
order. As a result, with some guidance from the group creating the
software, in-toto allows the user to verify whether a step in the supply
chain was intended to be performed, and whether it was performed by the
right actor.
</p>
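<p>
The paragraph above describes the mechanism in the abstract. The Python below is an added toy model of the same idea, not in-toto's own code or API: a layout names the steps, the functionary keys authorized for each, and rules about the artifacts that flow between steps; each step leaves a signed "link" recording what it consumed and produced; the verifier checks every link's signature against the layout and only then checks the artifact hashes against the rules. Step names, functionary names, key material and file contents are constructed for the example, and HMAC with shared secrets stands in for in-toto's asymmetric signatures.
</p>

```python
# Toy in-toto verifier (added illustration, not in-toto's own code). Real
# in-toto signs layouts and links with asymmetric keys and has a richer rule
# language; HMAC over constructed shared secrets stands in for signatures here.
import fnmatch
import hashlib
import hmac
import json

KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "eve": b"eve-secret"}

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_link(step, keyid, materials, products) -> dict:
    """Record hashes of a step's inputs and outputs, signed as `keyid`."""
    body = {"name": step,
            "materials": {p: sha256(c) for p, c in materials.items()},
            "products": {p: sha256(c) for p, c in products.items()}}
    sig = hmac.new(KEYS[keyid], canonical(body), "sha256").hexdigest()
    return {"signed": body, "keyid": keyid, "sig": sig}

def signature_ok(link, authorized) -> bool:
    """True only if the link is signed by a key the layout authorizes."""
    keyid = link["keyid"]
    if keyid not in authorized or keyid not in KEYS:
        return False
    expected = hmac.new(KEYS[keyid], canonical(link["signed"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, link["sig"])

def apply_rules(step, kind, rules, artifacts, links) -> list:
    """Consume artifacts rule by rule, as in-toto does: MATCH ties an artifact
    to another step's record by hash, CREATE/ALLOW accept a pattern, DISALLOW
    flags whatever is still unaccounted for. Returns error strings."""
    errors, queue = [], dict(artifacts)
    for rule in rules:
        op, pattern = rule[0], rule[1]
        hits = [p for p in queue if fnmatch.fnmatch(p, pattern)]
        if op == "MATCH":  # MATCH <pattern> WITH <MATERIALS|PRODUCTS> FROM <step>
            src = links.get(rule[5])
            src = src["signed"][rule[3].lower()] if src else {}
            for p in hits:
                if src.get(p) == queue[p]:  # identical hash on both sides
                    del queue[p]
        elif op in ("CREATE", "ALLOW"):
            for p in hits:
                del queue[p]
        elif op == "DISALLOW":
            for p in hits:
                errors.append(f"{step} {kind}: {p} not accounted for by any rule")
                del queue[p]
        else:
            errors.append(f"{step}: unknown rule {op}")
    return errors

def verify(layout, links) -> list:
    """Check every step has a link signed by an authorized functionary, then
    check the recorded artifacts against the layout's rules."""
    errors = []
    for step in layout["steps"]:
        link = links.get(step["name"])
        if link is None or link["signed"]["name"] != step["name"]:
            errors.append(f"{step['name']}: link metadata missing")
        elif not signature_ok(link, step["pubkeys"]):
            errors.append(f"{step['name']}: not signed by an authorized functionary")
    if errors:  # never trust artifact hashes from links that did not verify
        return errors
    for step in layout["steps"]:
        signed = links[step["name"]]["signed"]
        for kind in ("materials", "products"):
            errors += apply_rules(step["name"], kind, step["expected_" + kind],
                                  signed[kind], links)
    return errors

# Constructed layout: alice checks out the source, bob builds it, and the build
# may consume only exactly what the checkout produced.
LAYOUT = {"steps": [
    {"name": "checkout", "pubkeys": ["alice"], "expected_materials": [],
     "expected_products": [["CREATE", "src/*"], ["DISALLOW", "*"]]},
    {"name": "build", "pubkeys": ["bob"],
     "expected_materials": [["MATCH", "src/*", "WITH", "PRODUCTS", "FROM", "checkout"],
                            ["DISALLOW", "*"]],
     "expected_products": [["CREATE", "app.bin"], ["DISALLOW", "*"]]}]}
SRC = {"src/main.c": b"int main(void) { return 0; }"}  # constructed contents
BIN = {"app.bin": b"\x7fELF-constructed"}

def scenario(build_signer="bob", build_src=SRC) -> list:
    """Run the chain honestly by default; arguments simulate a source altered
    between checkout and build, or a build signed by an unauthorized actor."""
    links = {"checkout": make_link("checkout", "alice", {}, SRC),
             "build": make_link("build", build_signer, build_src, BIN)}
    return verify(LAYOUT, links)

if __name__ == "__main__":
    print("honest      ->", scenario() or "verified")
    print("tampered    ->", scenario(build_src={"src/main.c": b"/* altered */"}))
    print("wrong actor ->", scenario(build_signer="eve"))
```

<p>
Run as a script it shows three outcomes: the honest chain verifies with no errors; a source file altered between checkout and build fails, because the build's recorded material hash no longer equals the checkout's recorded product hash and the MATCH rule leaves it for DISALLOW to flag; and a build link signed by a key the layout does not list for that step is rejected before any artifact is examined. Those two checks, artifact continuity between steps and authorization of the actor per step, are the "what was done, by whom, in what order" that the paragraph above describes.
</p>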
<p>
You can read more about in-toto's internals in our
<a href="https://github.com/in-toto/docs/raw/master/in-toto-spec.pdf">latest</a>
or <a href="https://github.com/in-toto/docs/blob/v0.9/in-toto-spec.pdf">stable</a>
specification.
</p>