Debian Package Tracker

in-toto

software supply chain security framework


general
  • source: in-toto (main)
  • version: 1.3.1-1
  • maintainer: in-toto developers (DMD)
  • uploaders: Holger Levsen [DMD] – Santiago Torres-Arias [DMD] – Lukas Puehringer [DMD] – Justin Cappos [DMD]
  • arch: all
  • std-ver: 4.6.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 1.0.1-1
  • testing: 1.3.1-1
  • unstable: 1.3.1-1
versioned links
  • 1.0.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • in-toto
action needed
1 security issue in sid (severity: high)

There is 1 open security issue in sid.

1 important issue:
  • CVE-2023-32076: in-toto is a framework to protect supply chain integrity. in-toto reads its configuration from several locations, including directories that follow the XDG base directory specification, and lets users adjust the framework's behaviour through those files. In versions 1.4.0 and prior, one of the files read is `.in_totorc`, a hidden file in the directory in which in-toto is run. An attacker who controls the inputs to a supply chain step can therefore mask their activity by also supplying a `.in_totorc` that contains the exclude patterns and settings they need. RC files are widely used in other systems, and security issues have been found in their implementations as well. In conversations with adopters, the maintainers found that `in_totorc` is not the preferred way to configure in-toto; since none of the options it supports is unique (each can be set through API parameters or CLI arguments), they dropped support for `in_totorc` and removed the `user_settings` module altogether in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Sandboxing functionary code is an additional mitigation. Note that both Debian versions listed above (1.0.1-1 in stable, 1.3.1-1 in testing and unstable) fall inside the affected range.
Created: 2023-05-11 Last update: 2023-05-23 21:06
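The mechanism behind CVE-2023-32076, as an added illustration written for this page (it is not in-toto's own code): a toy artifact recorder that, in its vulnerable form, merges exclude patterns from a `.in_totorc` found in the step's working directory, beside the hardened form that honours only patterns passed explicitly by the caller. The RC-file format used here (an INI file with a `[settings]` section and a colon-separated `ARTIFACT_EXCLUDE_PATTERNS` key) and the hashing logic are assumptions made for the example; the sample checkout is constructed inline. A `find_rc_files` triage check is included so a reviewer can scan step inputs for stray RC files before running an affected version.

```python
"""Toy model of the CVE-2023-32076 failure mode: a hidden RC file in the step's
working directory overriding the functionary's artifact exclude patterns.

Added example, not in-toto's code. The RC format ([settings] section,
colon-separated ARTIFACT_EXCLUDE_PATTERNS) and the recorder are assumptions.
"""
import configparser
import fnmatch
import hashlib
import os
import tempfile

RC_FILENAME = ".in_totorc"


def load_rc_exclude_patterns(cwd):
    """Vulnerable behaviour: trust a hidden RC file found in the step's cwd."""
    path = os.path.join(cwd, RC_FILENAME)
    if not os.path.isfile(path):
        return []
    # Only '=' separates key and value, so ':' can be used inside the value.
    parser = configparser.ConfigParser(delimiters=("=",))
    parser.read(path)
    raw = parser.get("settings", "ARTIFACT_EXCLUDE_PATTERNS", fallback="")
    return [p for p in raw.split(":") if p]


def record_artifacts(root, exclude_patterns):
    """Hash every file under root except those matching an exclude pattern.
    Returns {relative_path: sha256_hex}, the toy equivalent of link metadata."""
    recorded = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if any(fnmatch.fnmatch(rel, pat) or fnmatch.fnmatch(name, pat)
                   for pat in exclude_patterns):
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                recorded[rel] = hashlib.sha256(fh.read()).hexdigest()
    return recorded


def record_step_vulnerable(root, exclude_patterns=()):
    """Affected behaviour: caller's patterns are merged with whatever .in_totorc says."""
    merged = list(exclude_patterns) + load_rc_exclude_patterns(root)
    return record_artifacts(root, merged)


def record_step_hardened(root, exclude_patterns=()):
    """Fixed behaviour: only patterns passed explicitly by the caller apply."""
    return record_artifacts(root, list(exclude_patterns))


def find_rc_files(root):
    """Triage check: list any .in_totorc lurking anywhere in the step inputs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if RC_FILENAME in filenames:
            hits.append(os.path.relpath(os.path.join(dirpath, RC_FILENAME), root))
    return sorted(hits)


def build_poisoned_checkout(root):
    """Constructed sample input: a legitimate source file, an attacker-supplied
    backdoor, and the RC file that hides both the backdoor and itself."""
    with open(os.path.join(root, "main.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")
    with open(os.path.join(root, "backdoor.c"), "w") as fh:
        fh.write("/* attacker-controlled */\n")
    with open(os.path.join(root, RC_FILENAME), "w") as fh:
        fh.write("[settings]\nARTIFACT_EXCLUDE_PATTERNS=backdoor.c:.in_totorc\n")


def run_demo():
    """Record the same poisoned checkout both ways; return both recordings
    plus the triage check's findings."""
    with tempfile.TemporaryDirectory() as root:
        build_poisoned_checkout(root)
        vulnerable = record_step_vulnerable(root)
        hardened = record_step_hardened(root)
        rc_hits = find_rc_files(root)
    return vulnerable, hardened, rc_hits


if __name__ == "__main__":
    vuln, hard, hits = run_demo()
    print("vulnerable recorded:", sorted(vuln))   # backdoor.c and .in_totorc absent
    print("hardened recorded:  ", sorted(hard))   # all three files present
    print("rc files in inputs: ", hits)
```

In the vulnerable recording the backdoor never appears in the step's materials or products, so a layout that checks file hashes between steps has nothing to match against; the hardened recording captures both the backdoor and the RC file itself, and the presence of `.in_totorc` among recorded artifacts is itself a signal worth alerting on.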
Fails to build during reproducibility testing (severity: normal)
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2023-03-20 Last update: 2023-06-02 23:08
lintian reports 6 warnings (severity: normal)
Lintian reports 6 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2023-02-10 Last update: 2023-02-10 15:37
1 low-priority security issue in bullseye (severity: low)

There is 1 open security issue in bullseye.

1 issue left for the package maintainer to handle:
  • CVE-2023-32076: (needs triaging) the same `.in_totorc` configuration-file issue described under the sid entry above; bullseye's 1.0.1-1 is within the affected range (versions 1.4.0 and prior).

You can find information about how to handle this issue in the security team's documentation.

Created: 2023-05-11 Last update: 2023-05-23 21:06
news
  • [2023-02-08] in-toto 1.3.1-1 MIGRATED to testing (Debian testing watch)
  • [2023-02-03] Accepted in-toto 1.3.1-1 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
  • [2022-03-10] in-toto 1.2.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-04] Accepted in-toto 1.2.0-1 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
  • [2021-03-12] in-toto 1.0.1-1 MIGRATED to testing (Debian testing watch)
  • [2021-03-02] Accepted in-toto 1.0.1-1 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
  • [2021-02-08] in-toto 1.0.0-3 MIGRATED to testing (Debian testing watch)
  • [2021-02-03] Accepted in-toto 1.0.0-3 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
  • [2021-01-27] in-toto 1.0.0-2 MIGRATED to testing (Debian testing watch)
  • [2021-01-22] Accepted in-toto 1.0.0-2 (source) into unstable (Holger Levsen)
  • [2020-09-08] in-toto 0.5.0-1 MIGRATED to testing (Debian testing watch)
  • [2020-09-02] Accepted in-toto 0.5.0-1 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
  • [2019-10-24] in-toto 0.4.0-2 MIGRATED to testing (Debian testing watch)
  • [2019-10-18] Accepted in-toto 0.4.0-2 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
  • [2019-10-13] Accepted in-toto 0.4.0-1 (source all) into unstable, unstable (Lukas Puehringer) (signed by: Holger Levsen)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 6)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.3.1-1

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers