icon picker
To The Summer Of Code (And Many After) - My GSoC Story with in-toto


Hello! My name is , and I’m an incoming freshman at the University of Pennsylvania in the Jerome Fisher Program in Management and Technology (B.S.E. Computer Science, B.S. Economics from the Wharton School of Business).
This summer, I contributed to an open source project called in-toto as a student developer for the 2021 Google Summer of Code program. I had a blast and I want to share my experience, insights, and advice with you!

Acknowledgements & Thank You

In the following section, I will be describing my project and the GSoC experience in detail. But, before I do so, I would like to thank the following people who transformed my GSoC experience.
My mentors and , for supporting me throughout the GSoC developmental process while leaving plenty of room for growth.
Rebuilderd creator for their incredibly helpful and quick responses to my questions regarding the repository.
GSoC 2020 student developer for kindly introducing me to the vibrant in-toto community.
Thank you so much! GSoC would not be GSoC without you: it would be “Gee, this socs.” 😆


This article is pretty lengthy, so feel free to jump to the bit you’re most interested in! Here’s an outline of what I will be talking about:
What is Google Summer of Code? - For those curious about the program.

About in-toto - Background for the open source project I contributed to, in-toto, for those interested in learning more or getting involved!

My project: Develop in-toto-rs (Rust) for integration with rebuilderd - See the details of my Google Summer of Code project, and pull requests I created.

How I got into GSoC (and why you should, too!) - My GSoC story, told as a figma comic strip :D

What is Google Summer of Code?

According to the official GSoC website,
Google Summer of Code (GSoC) is a global program focused on bringing more student developers into open source software development. Students work with an open source organization on a 10 week programming project during their break from school. ()
What does this mean? As a GSoC student, you get to work with cool people on an open source project that you’re interested in learning more about. Instead of picking up miscellaneous GitHub issues, GSoC students have their own independent projects to contribute to. This means that your learning experience is customizable and your contributions are concrete!
This year’s GSoC community included , and the experience is undoubtedly unique and special to every one of us. To me, Google Summer of Code was an incredible opportunity where I had the opportunity to learn more about the open source community, apply my knowledge in a meaningful project, and interact with my amazing mentors.

About in-toto

In GSoC 2021, the open source project I am contributing to is called , under the Cloud Native Computing Foundation (CNCF). The Cloud Native Computing Foundation is one of the most senior community partners in the Google Summer of Code, with many graduated projects including The Update Framework (TUF), Kubernetes, and etcd.

So, what is in-toto?

With the development and increased complexity in software supply chains, there is a rising need to protect not only the stages in the software development process but also the chain itself.
The in-toto framework was made to address the rising need to combat software supply chain compromises, holistically preventing attacks/vulnerabilities and affecting all the population down the pipeline.
in-toto ensures security by not only increasing both the control and transparency of the steps (layout, assigned functionaries), but also creating and comparing the “expected” and “observed” outcome for the steps in software development.

My project: Develop in-toto-rs (Rust) for integration with rebuilderd

Prior to my development, in-toto-rs had been a work-in-progress repository that members of the in-toto team briefly spun off in May 2020, referencing the .
My in-toto GSoC project was to develop in-toto-rs capabilities to support rebuilderd (). It is focused on developing the Rust implementation of in-toto, in-toto-rs, with the purpose of integrating in-toto functions with rebuilderd, a crate for creating instances of package rebuilders.

Why is this project important?

With a project such as in-toto, accessibility is crucial for it to be effective in protecting the community (as listed in specification ). While implementations of this framework in Python and Go already exist, its Rust implementation was still in development.
My GSoC project adds the core module of in-toto (runlib) to its Rust implementation and creates the first use case for the Rust repository (the rebuilderd crate), making the Rust project—and by extension, in-toto— more complete and open for use.

GSoC Project Details: in-toto-rs

Accepted Project Abstract:

My project included 2 main parts and 5 pull requests:

Add the runlib module to in-toto-rs that implemented signed link generation using in_toto_run:
Main Pull Request:
Integrate runlib and link generation within the rebuilderd crate:

How I got into GSoC (and why you should, too!)

At this point, we’re probably on the same page that GSoC is awesome, and in-toto is very epic as well. However, you may still have some hesitations.
Originally, I wanted to give you a longer and more illustrative background on how I got involved with GSoC, with bullet points, insight, and lots of anecdotes. If I can do GSoC, you can too!
However, as I was writing, I realized that a picture is worth a thousand words...
So, let me tell you a story.
Screen Shot 2021-08-19 at 2.00.25 PM.png
Screen Shot 2021-08-18 at 7.09.50 PM.png
Screen Shot 2021-08-18 at 6.31.00 PM.png
Screen Shot 2021-08-18 at 6.25.04 PM.png
Screen Shot 2021-08-18 at 6.25.18 PM.png

Thanks for reading!

If you have any questions, feel free to reach me through .
Want to follow in-toto? You can find in-toto through their , , and email ()!

Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
) instead.