in-toto - Debian Package Tracker

general

source: in-toto (main)
version: 2.0.0-1
maintainer: in-toto developers (DMD)
uploaders: Holger Levsen [DMD] – Santiago Torres-Arias [DMD] – Lukas Puehringer [DMD] – Justin Cappos [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.0.1-1
stable: 1.3.1-1
testing: 2.0.0-1
unstable: 2.0.0-1

versioned links

1.0.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

in-toto

action needed

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2023-32076: in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the files read is `.in_totorc` which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that includes the necessary exclude patterns and settings. RC files are widely used in other systems and security issues have been discovered in their implementations as well. Maintainers found in their conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As none of the options supported in `in_totorc` is unique, and can be set elsewhere using API parameters or CLI arguments, the maintainers decided to drop support for `in_totorc`. in-toto's `user_settings` module has been dropped altogether in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users may also sandbox functionary code as a security measure.

Created: 2023-06-11 Last update: 2024-08-15 08:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2023-32076: in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the files read is `.in_totorc` which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that includes the necessary exclude patterns and settings. RC files are widely used in other systems and security issues have been discovered in their implementations as well. Maintainers found in their conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As none of the options supported in `in_totorc` is unique, and can be set elsewhere using API parameters or CLI arguments, the maintainers decided to drop support for `in_totorc`. in-toto's `user_settings` module has been dropped altogether in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users may also sandbox functionary code as a security measure.

Created: 2023-05-11 Last update: 2024-08-15 08:30

3 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit d3d5f846f228ccf4127d7959677ac98e5330a938
Merge: 3467cd9 6fd7836
Author: Lukas Pühringer <lukas.puehringer@nyu.edu>
Date:   Mon Nov 20 14:55:57 2023 +0100

    Merge pull request #646 from lukpueh/debian
    
    Prepare Debian release 2.0.0-1

commit 6fd7836d6eaec57b9c95d4af20b1e6b61efb773a
Author: Lukas Puehringer <lukas.puehringer@nyu.edu>
Date:   Thu May 11 14:30:15 2023 +0200

    Prepare Debian release 2.0.0-1
    
    * Update downstream files
    * Add Dockerfile to make future downstream packaging easier
      See doc header for usage details.
    
    Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

commit ca1625861acd3bcfe1ca4b4a31e737214d116c99
Author: Lukas Puehringer <lukas.puehringer@nyu.edu>
Date:   Wed Apr 26 19:22:48 2023 +0200

    Prepare Debian 1.4.0-1 release
    
    Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

Created: 2023-11-17 Last update: 2024-11-17 05:07

lintian reports 7 warnings normal

Lintian reports 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-02-10 Last update: 2023-11-17 15:24

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2023-32076: (needs triaging) in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the files read is `.in_totorc` which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that includes the necessary exclude patterns and settings. RC files are widely used in other systems and security issues have been discovered in their implementations as well. Maintainers found in their conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As none of the options supported in `in_totorc` is unique, and can be set elsewhere using API parameters or CLI arguments, the maintainers decided to drop support for `in_totorc`. in-toto's `user_settings` module has been dropped altogether in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users may also sandbox functionary code as a security measure.

You can find information about how to handle this issue in the security team's documentation.

Created: 2023-06-10 Last update: 2024-08-15 08:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.0 instead of 4.6.2).

Created: 2024-04-07 Last update: 2024-04-07 13:15

news

[rss feed]

[2023-11-20] in-toto 2.0.0-1 MIGRATED to testing (Debian testing watch)
[2023-11-15] Accepted in-toto 2.0.0-1 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
[2023-02-08] in-toto 1.3.1-1 MIGRATED to testing (Debian testing watch)
[2023-02-03] Accepted in-toto 1.3.1-1 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
[2022-03-10] in-toto 1.2.0-1 MIGRATED to testing (Debian testing watch)
[2022-03-04] Accepted in-toto 1.2.0-1 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
[2021-03-12] in-toto 1.0.1-1 MIGRATED to testing (Debian testing watch)
[2021-03-02] Accepted in-toto 1.0.1-1 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
[2021-02-08] in-toto 1.0.0-3 MIGRATED to testing (Debian testing watch)
[2021-02-08] in-toto 1.0.0-3 MIGRATED to testing (Debian testing watch)
[2021-02-03] Accepted in-toto 1.0.0-3 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
[2021-01-27] in-toto 1.0.0-2 MIGRATED to testing (Debian testing watch)
[2021-01-22] Accepted in-toto 1.0.0-2 (source) into unstable (Holger Levsen)
[2020-09-08] in-toto 0.5.0-1 MIGRATED to testing (Debian testing watch)
[2020-09-02] Accepted in-toto 0.5.0-1 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
[2019-10-24] in-toto 0.4.0-2 MIGRATED to testing (Debian testing watch)
[2019-10-18] Accepted in-toto 0.4.0-2 (source) into unstable (Lukas Puehringer) (signed by: Holger Levsen)
[2019-10-13] Accepted in-toto 0.4.0-1 (source all) into unstable, unstable (Lukas Puehringer) (signed by: Holger Levsen)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 7)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.0.0-1