Source: witness
Section: golang
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Uploaders:
 Simon Josefsson <simon@josefsson.org>,
Build-Depends:
 debhelper-compat (= 13),
 dh-sequence-golang,
 golang-any,
 golang-github-gobwas-glob-dev,
 golang-github-in-toto-go-witness-dev,
 golang-github-invopop-jsonschema-dev,
 golang-github-olekukonko-tablewriter-dev,
 golang-github-open-policy-agent-opa-dev,
 golang-github-sigstore-fulcio-dev,
 golang-github-sirupsen-logrus-dev,
 golang-github-spf13-cobra-dev,
 golang-github-spf13-pflag-dev,
 golang-github-spf13-viper-dev,
 golang-github-stretchr-testify-dev,
 golang-k8s-apimachinery-dev,
 help2man <!nodoc>,
Testsuite: autopkgtest-pkg-go
Standards-Version: 4.7.4
Vcs-Browser: https://salsa.debian.org/go-team/packages/witness
Vcs-Git: https://salsa.debian.org/go-team/packages/witness.git
Homepage: https://github.com/in-toto/witness
XS-Go-Import-Path: github.com/in-toto/witness

Package: witness
Section: devel
Architecture: any
Depends:
 ${misc:Depends},
 ${shlibs:Depends},
Built-Using:
 ${misc:Built-Using},
Static-Built-Using:
 ${misc:Static-Built-Using},
Description: software supply chain risk management framework (program)
 What does Witness do?
 .
 ✏️ **Attests** - Witness is a dynamic CLI tool that integrates into
 pipelines and infrastructure to create an audit trail for your
 software's entire journey through the software development lifecycle
 (SDLC) using the in-toto specification.
 .
 **🧐 Verifies** - Witness also features its own policy engine with
 embedded support for OPA Rego, so you can ensure that your software was
 handled safely from source to deployment.
 .
 What can you do with Witness?
 .
  * Verify how your software was produced and what tools were used
  * Ensure that each step of the supply chain was completed by authorized
    users and machines
  * Detect potential tampering or malicious activity
  * Distribute attestations and policy across air gaps
 .
 Key Features
 .
  * Integrations with GitLab, GitHub, AWS, and GCP.
  * Designed to run in both containerized and non-containerized
    environments **without** elevated privileges.
  * Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
  * An embedded OPA Rego policy engine for policy enforcement
  * Keyless signing with Sigstore and SPIFFE/SPIRE
  * Integration with RFC3161 compatible timestamp authorities
  * Process tracing and process tampering prevention (Experimental)
  * Attestation storage with Archivista
    (https://github.com/in-toto/archivista)
 .
 This package contains the binaries.

Package: golang-github-in-toto-witness-dev
Architecture: all
Multi-Arch: foreign
Depends:
 ${misc:Depends},
Description: software supply chain risk management framework (library)
 What does Witness do?
 .
 ✏️ **Attests** - Witness is a dynamic CLI tool that integrates into
 pipelines and infrastructure to create an audit trail for your
 software's entire journey through the software development lifecycle
 (SDLC) using the in-toto specification.
 .
 **🧐 Verifies** - Witness also features its own policy engine with
 embedded support for OPA Rego, so you can ensure that your software was
 handled safely from source to deployment.
 .
 What can you do with Witness?
 .
  * Verify how your software was produced and what tools were used
  * Ensure that each step of the supply chain was completed by authorized
    users and machines
  * Detect potential tampering or malicious activity
  * Distribute attestations and policy across air gaps
 .
 Key Features
 .
  * Integrations with GitLab, GitHub, AWS, and GCP.
  * Designed to run in both containerized and non-containerized
    environments **without** elevated privileges.
  * Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
  * An embedded OPA Rego policy engine for policy enforcement
  * Keyless signing with Sigstore and SPIFFE/SPIRE
  * Integration with RFC3161 compatible timestamp authorities
  * Process tracing and process tampering prevention (Experimental)
  * Attestation storage with Archivista
    (https://github.com/in-toto/archivista)
 .
 This package contains the Go library.
