Package: wnpp
Severity: wishlist
Owner: Simon Josefsson <si...@josefsson.org>

* Package name    : gittuf
  Version         : 0.8.0-1
  Upstream Author : gittuf
* URL             : https://github.com/gittuf/gittuf
* License         : Apache-2.0
  Programming Lang: Go
  Description     : A security layer for Git repositories

gittuf is a security layer for Git repositories. With gittuf, any developer who can pull from a Git repository can independently verify that the repository's security policies were followed. gittuf's policy, inspired by The Update Framework (TUF) (https://theupdateframework.io/), handles key management for all trusted developers in a repository, allows for setting permissions for repository branches, tags, files, etc., protects against other attacks (https://ssl.engineering.nyu.edu/papers/torres_toto_usenixsec-2016.pdf) Git is vulnerable to, and more, all while being backwards compatible with forges such as GitHub and GitLab.

gittuf is a sandbox project at the Open Source Security Foundation (OpenSSF) (https://openssf.org/) as part of the Supply Chain Integrity Working Group (https://github.com/ossf/wg-supply-chain-integrity).

Current Status

gittuf is currently in alpha. gittuf's metadata may have breaking changes, meaning a repository's gittuf policy may have to be reinitialized from time to time. As such, gittuf is currently not intended to be the primary mechanism for enforcing a repository's security.

That said, we're actively seeking feedback from users. Take a look at the get started guide (/docs/get-started.md) to learn how to install and try gittuf out! Additionally, contributions are welcome; please refer to the contributing guide (/CONTRIBUTING.md), our roadmap (/docs/roadmap.md), and the issue tracker for ways to get involved.

https://salsa.debian.org/go-team/packages/gittuf
https://salsa.debian.org/jas/gittuf/-/pipelines/

/Simon