In-toto

Latest version: v3.0.0

Page 4 of 5

0.4.0

Not secure
* Add REQUIRE artifact rule support (269, 280)
* Enhance OpenPGP key export and provide key expiration verification (266, 288)
* Make transitive dependency PyNaCl optional for in-toto (291)
* Improve automatic testing and code coverage measurement (295) as well as static analysis with pylint (279, 296)
* Update repository metadata
- Add initial 1-year roadmap (268)
- Revise dependency handling for monitoring and library compatibility (294)
- Update maintainers and contributor information (283, 274, 297)
- Enhance source distribution configs and include tests and other metadata, relevant to downstream packagers, with future source distributions (290)

0.3.0

Not secure
* Re-factor rule verification engine and fix for a false-reject on very specific layouts (262)
* Add support for duplicate standard streams (252)
* Enhance support for Summary link naming (i.e., better sublayout verification, 256)
* Improve rule verification messages (243)
* Small fixes for OpenPGP parsing functions (255)
* Properly verify self-signature and signature binding signatures upon export (257)
* Add lstrip-paths parameter (as an enhancement/replacement for basepath) (250)
* Fix a bug where multiple PGP subkeys could count towards the threshold (251)
* Fix a bug where RSA signatures wouldn't be sufficiently padded and a signature would be erroneously rejected (170)
* Change license to Apache

0.2.3

Not secure
* Add common interface for Python's subprocess module
* Add Python 3.7 support
* Drop Python 3.3 support
* Add Windows support
* Add AppVeyor testing (Windows)
* Add optional line ending normalization when hashing artifacts (Windows)
* Add optional compact json representation for metadata
* Make exclude filter behavior match gitignore when recording artifacts
* Make cwd recording optional when creating link metadata
* Add a substitution layer to support parameter substitution upon verification
* Improve gpg support
* Add full support for ed25519 keys and add optional key type parameter
* Fix bug in rule verification (https://github.com/in-toto/in-toto/pull/204)

0.2.2

Not secure
* Add support for gpg signing subkeys.
* Drop strict requirement on securesystemslib 0.10.
* Command line tool changes:
- Add a --base-path parameter to in-toto record and in-toto run
- in-toto-record now follows symbolic links
* Fix typo in exception messages
* Add support for sublayout namespacing (for in-toto spec 0.9 compliance)
* Normalize path prefixes during in-toto verification:
- Paths such as foo//bar match foo/bar.
* Drop obsolete SettingsError

0.2.1

Not secure
* Model changes
- Add metablock validators
- Add abstract class for layout steps and inspections
- Disallow passing command string to step and inspection constructor
- Add custom `__repr__` for step and inspection objects
- Add layout creation convenience methods
* Command Line tool changes
- Add missing shebangs
- Enhance help messages
- Fix argparse bug for required subcommand in in-toto-record
- Rename short option to record streams in in-toto-run
* Fix gpg hashing algorithm name
* Add layout creation example document
* Refactor logging and user feedback
* Rename artifact_rules module to rulelib and add convenience methods

0.2.0

Not secure
* Fix link metadata bug in in_toto_mock
* Add support for GPG signing and verification of layout and link metadata
* Add support for Python 3.4, 3.5 and 3.6
* Refactor signature and threshold verification in final product verification
so that not every signature on a given layout needs to be valid, as long as
every signature for which a key is passed is valid, and at least one key is
passed. Furthermore, not all imported links need to carry an authorized
and valid signature, as long as there are enough links with an authorized
and valid signature for any given step. Links with unauthorized or
invalid signatures are ignored.
* Remove canonicaljson dependency and use securesystemslib's canonicaljson
encoding
* Refactor order of positional arguments in in-toto-record command line tool
* Add linters (pylint and bandit) and fix linting errors (e.g.: indentation
and unused variables and imports)
* Add schemas for in-toto specific crypto-related metadata formats
* Improve testing code coverage to 100%
* Add debian directory required to create a debian package
* Add .editorconfig and GitHub issue and pull request templates,
ACKNOWLEDGEMENTS.md, CODE-OF-CONDUCT.md, GOVERNANCE.md, MAINTAINERS.txt and
passing core infrastructure best practice badge, add "Security Issues and
Bugs" and "Instructions for Contributors" section in README.md
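The signature and threshold rules described in the 0.2.0 entry above (a layout is accepted when at least one verification key is passed and every passed key's signature is valid; a step is satisfied when enough links carry authorized, valid signatures, with other links ignored rather than rejected), modelled as an added example. This is not in-toto's own code: `Signed`, `Step`, `verify_layout_signatures` and `verify_link_thresholds` are hypothetical names, HMAC-SHA256 over a shared secret stands in for the public-key signatures real in-toto metadata carries, and treating a passed key that has no signature on the layout as a failure is a modelling choice of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for signatures: each key is a shared secret and a
# "signature" is HMAC-SHA256 over the signed bytes. Real in-toto metadata
# uses public-key signatures; only the acceptance logic is modelled here.

def sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()

def signature_valid(secret: bytes, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(secret, payload), sig)

@dataclass
class Signed:
    payload: bytes
    signatures: dict  # keyid -> signature (hex string)

@dataclass
class Step:
    name: str
    pubkeys: list  # keyids authorized to sign links for this step
    threshold: int  # distinct authorized signers required

def verify_layout_signatures(layout: Signed, keys: dict) -> int:
    """Accept the layout when at least one verification key is passed and
    every passed key has a valid signature on it; signatures made by keys
    that were not passed are not checked at all. Returns the number of
    signatures verified."""
    if not keys:
        raise ValueError("at least one layout verification key must be passed")
    for keyid, secret in keys.items():
        sig = layout.signatures.get(keyid)
        if sig is None or not signature_valid(secret, layout.payload, sig):
            raise ValueError(f"layout signature for key {keyid} missing or invalid")
    return len(keys)

def verify_link_thresholds(steps: list, links: list, keys: dict) -> dict:
    """links: (step_name, keyid, Signed) triples; keys: keyid -> secret for
    the functionaries named in the layout. A link counts toward a step's
    threshold only if its signer is authorized for that step and the
    signature verifies; any other link is ignored, not rejected.
    Returns the number of counted signers per step."""
    by_name = {step.name: step for step in steps}
    counted = {step.name: set() for step in steps}
    for step_name, keyid, link in links:
        step = by_name.get(step_name)
        if step is None or keyid not in step.pubkeys:
            continue  # unauthorized signer: ignored
        secret = keys.get(keyid)
        sig = link.signatures.get(keyid)
        if secret is None or sig is None or not signature_valid(secret, link.payload, sig):
            continue  # invalid signature: ignored
        counted[step_name].add(keyid)  # a set, so one signer counts once
    for step in steps:
        if len(counted[step.name]) < step.threshold:
            raise ValueError(f"step {step.name!r}: {len(counted[step.name])} valid "
                             f"authorized link(s), threshold is {step.threshold}")
    return {name: len(ids) for name, ids in counted.items()}

def demo() -> dict:
    """Constructed scenario exercising both rules."""
    keys = {"alice": b"alice-secret", "bob": b"bob-secret"}
    layout_bytes = b'{"steps": ["build", "test"]}'
    # Layout signed by alice (valid) and carrying a bogus signature under a
    # keyid the verifier does not pass: only alice's signature is checked.
    layout = Signed(layout_bytes, {"alice": sign(keys["alice"], layout_bytes),
                                   "carol": "deadbeef"})
    verify_layout_signatures(layout, {"alice": keys["alice"]})

    steps = [Step("build", ["alice", "bob"], threshold=2),
             Step("test", ["bob"], threshold=1)]
    build, test = b"build-link", b"test-link"
    links = [
        ("build", "alice", Signed(build, {"alice": sign(keys["alice"], build)})),
        ("build", "bob", Signed(build, {"bob": sign(keys["bob"], build)})),
        ("build", "mallory", Signed(build, {"mallory": "0000"})),  # unauthorized: ignored
        ("test", "bob", Signed(b"tampered", {"bob": sign(keys["bob"], test)})),  # invalid: ignored
        ("test", "bob", Signed(test, {"bob": sign(keys["bob"], test)})),
    ]
    return verify_link_thresholds(steps, links, keys)

if __name__ == "__main__":
    print(demo())  # {'build': 2, 'test': 1}
```

Running the block prints the counted signers per step; the unauthorized "mallory" link and the tampered "test" link are skipped without failing verification, while dropping either of the two valid "build" links would leave that step below its threshold and raise.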

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.