Share
Explore

icon picker
To The Summer Of Code (And Many After) - My GSoC Story with in-toto

JL
Joy Liu

Introduction

Hello! My name is
Qijia “Joy” Liu
, and I’m an incoming freshman at the University of Pennsylvania in the Jerome Fisher Program in Management and Technology (B.S.E. Computer Science, B.S. Economics from the Wharton School of Business).
This summer, I contributed to an open source project called in-toto as a student developer for the 2021 Google Summer of Code program. I had a blast and I want to share my experience, insights, and advice with you!

Acknowledgements & Thank You

In the following section, I will be describing my project and the GSoC experience in detail. But, before I do so, I would like to thank the following people who transformed my GSoC experience.
My mentors
Santiago Torres-Arias
and
Aditya Sirish
, for supporting me throughout the GSoC developmental process while leaving plenty of room for growth.
Rebuilderd creator
kpcyrd
for their incredibly helpful and quick responses to my questions regarding the repository.
GSoC 2020 student developer
Christian Rebischke
for kindly introducing me to the vibrant in-toto community.
Thank you so much! GSoC would not be GSoC without you: it would be “Gee, this socs.” 😆

Roadmap

This article is pretty lengthy, so feel free to jump to the bit you’re most interested in! Here’s an outline of what I will be talking about:
What is Google Summer of Code? - For those curious about the program.

About in-toto - Background for the open source project I contributed to, in-toto, for those interested in learning more or getting involved!

My project: Develop in-toto-rs (Rust) for integration with rebuilderd - See the details of my Google Summer of Code project, and pull requests I created.

How I got into GSoC (and why you should, too!) - My GSoC story, told as a figma comic strip :D

What is Google Summer of Code?

According to the official GSoC website,
Google Summer of Code (GSoC) is a global program focused on bringing more student developers into open source software development. Students work with an open source organization on a 10 week programming project during their break from school. (
Google Summer of Code
)
What does this mean? As a GSoC student, you get to work with cool people on an open source project that you’re interested in learning more about. Instead of picking up miscellaneous GitHub issues, GSoC students have their own independent projects to contribute to. This means that your learning experience is customizable and your contributions are concrete!
This year’s GSoC community included
1,286 student developers
, and the experience is undoubtedly unique and special to every one of us. To me, Google Summer of Code was an incredible opportunity where I had the opportunity to learn more about the open source community, apply my knowledge in a meaningful project, and interact with my amazing mentors.

About in-toto

In GSoC 2021, the open source project I am contributing to is called
in-toto
, under the Cloud Native Computing Foundation (CNCF). The Cloud Native Computing Foundation is one of the most senior community partners in the Google Summer of Code, with many graduated projects including The Update Framework (TUF), Kubernetes, and etcd.

So, what is in-toto?

With the development and increased complexity in software supply chains, there is a rising need to protect not only the stages in the software development process but also the chain itself.
The in-toto framework was made to address the rising need to combat software supply chain compromises, holistically preventing attacks/vulnerabilities and affecting all the population down the pipeline.
in-toto ensures security by not only increasing both the control and transparency of the steps (layout, assigned functionaries), but also creating and comparing the “expected” and “observed” outcome for the steps in software development.

My project: Develop in-toto-rs (Rust) for integration with rebuilderd

Prior to my development, in-toto-rs had been a work-in-progress repository that members of the in-toto team briefly spun off in May 2020, referencing the
Rust implementation of The Update Framework (TUF)
.
My in-toto GSoC project was to develop in-toto-rs capabilities to support rebuilderd (
Github Issue
). It is focused on developing the Rust implementation of in-toto, in-toto-rs, with the purpose of integrating in-toto functions with rebuilderd, a crate for creating instances of package rebuilders.

Why is this project important?

With a project such as in-toto, accessibility is crucial for it to be effective in protecting the community (as listed in specification
1.5.1. Goals for Implementation
). While implementations of this framework in Python and Go already exist, its Rust implementation was still in development.
My GSoC project adds the core module of in-toto (runlib) to its Rust implementation and creates the first use case for the Rust repository (the rebuilderd crate), making the Rust project—and by extension, in-toto— more complete and open for use.

GSoC Project Details: in-toto-rs

Accepted Project Abstract:

https://summerofcode.withgoogle.com/projects/#6372466982649856

My project included 2 main parts and 5 pull requests:

Add the runlib module to in-toto-rs that implemented signed link generation using in_toto_run:
Restructure repository, remove TUF remnants, and add tests
Add CI workflow
Main Pull Request:
implement in-toto-run
Fast-follow:
make CI pass, add documentation
Integrate runlib and link generation within the rebuilderd crate:
Main Pull Request

How I got into GSoC (and why you should, too!)

At this point, we’re probably on the same page that GSoC is awesome, and in-toto is very epic as well. However, you may still have some hesitations.
Originally, I wanted to give you a longer and more illustrative background on how I got involved with GSoC, with bullet points, insight, and lots of anecdotes. If I can do GSoC, you can too!
However, as I was writing, I realized that a picture is worth a thousand words...
So, let me tell you a story.
Screen Shot 2021-08-19 at 2.00.25 PM.png
Screen Shot 2021-08-18 at 7.09.50 PM.png
Screen Shot 2021-08-18 at 6.31.00 PM.png
Screen Shot 2021-08-18 at 6.25.04 PM.png
Screen Shot 2021-08-18 at 6.25.18 PM.png

Thanks for reading!

If you have any questions, feel free to reach me through
LinkedIn
.
Want to follow in-toto? You can find in-toto through their
website
,
Github
, and email (
in-toto-dev@googlegroups.com
)!

Introduction
Acknowledgements & Thank You
Roadmap
What is Google Summer of Code?
About in-toto
So, what is in-toto?
My project: Develop in-toto-rs (Rust) for integration with rebuilderd
Why is this project important?
GSoC Project Details: in-toto-rs
Accepted Project Abstract:
My project included 2 main parts and 5 pull requests:
How I got into GSoC (and why you should, too!)
Thanks for reading!
Gallery
Share
 
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.