in-toto -- Securing supply chains as a whole
Show: debconf17
Author(s): Lukas Puehringer
Location: Buzz
Date: Thu, Aug 10
Start: 10:30
Duration: 00:20:00
End: 10:50
https://debconf17.debconf.org/talks/100/
Description:
In order to create their software packages, Debian maintainers perform a series of steps that include cloning upstream sources, debianizing files, testing, linting, and packaging. Taken together, these steps make up the package's software supply chain. The security of this supply chain is crucial to the overall security of the software product. An attacker who is able to control a step in that chain, such as the version control system, the build process or the *debianization* steps, can alter the product for malicious purposes. By introducing backdoors or including vulnerable libraries in any of these steps, or in between them, attackers can target all of Debian's users at once. Although existing point solutions, like VCS signing or reproducible builds, provide integrity and authentication for individual steps in the software supply chain, they provide little security for a product that has already been compromised elsewhere in the chain. Hence, there is a need to verify the integrity and authenticity of a project from inception to installation on an end user's device. In this talk we present *in-toto*, a set of tools to define, carry out, and verify the integrity and authenticity of any software supply chain as a whole. The presentation will include a live demo.