2 posts tagged with "cilock"

The signed record we didn't have in March

· 7 min read
Cole Kennedy
Co-founder, TestifySec

I've spent a decade on this problem. I helped build Witness, we donated it to the CNCF and in-toto, and I helped write the reference architecture people point at when they talk about securing the software supply chain. The good news is the rest of the industry is converging on the premise: provenance and attestation are where software trust is heading. The harder part is getting there. So when I tell you the tooling still wasn't good enough, I'm including my own.

In March, two attacks landed within days of each other.

We took a real project to SLSA Level 3 in 75 minutes. This post is the build log

· 8 min read
Cole Kennedy
Co-founder, TestifySec

Most write-ups about supply-chain hardening are composed weeks after the fact, by someone who was not in the terminal when it happened. This one was written in the terminal, while it happened. The screenshots are timestamped from the build. If that sounds like a strong claim, good, because the entire point of attestation is that claims should be checkable. So here is the clock.