Bug#1093252: marked as done (ITP: witness -- pluggable framework for software supply chain risk management)

Fri, 20 Mar 2026 10:01:25 -0700 

Your message dated Fri, 20 Mar 2026 17:00:36 +0000
with message-id <[email protected]>
and subject line Bug#1093252: fixed in witness 0.10.2-1
has caused the Debian Bug report #1093252,
regarding ITP: witness -- pluggable framework for software supply chain risk 
management
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1093252: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093252
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: wnpp
Severity: wishlist
Owner: Simon Josefsson <[email protected]>

* Package name    : witness
  Version         : 0.7.0-1
  Upstream Author : in-toto
* URL             : https://witness.dev/
                    https://github.com/in-toto/witness
* License         : Apache-2.0
  Programming Lang: Go
  Description     : pluggable framework for software supply chain risk 
management

 What does Witness do?
 .
 ✏️ **Attests** - Witness is a dynamic CLI tool that integrates into
 pipelines and infrastructure to create an audit trail for your
 software's entire journey through the software development lifecycle
 (SDLC) using the in-toto specification.
 .
 **🧐 Verifies** - Witness also features its own policy engine with
 embedded support for OPA Rego, so you can ensure that your software was
 handled safely from source to deployment.
 .
 What can you do with Witness?
 .
  * Verify how your software was produced and what tools were used
  * Ensure that each step of the supply chain was completed by authorized
    users and machines
  * Detect potential tampering or malicious activity
  * Distribute attestations and policy across air gaps
 .
 Key Features
 .
  * Integrations with GitLab, GitHub, AWS, and GCP.
  * Designed to run in both containerized and non-containerized
    environments **without** elevated privileges.
  * Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
  * An embedded OPA Rego policy engine for policy enforcement
  * Keyless signing with Sigstore and SPIFFE/SPIRE
  * Integration with RFC3161 compatible timestamp authorities
  * Process tracing and process tampering prevention (Experimental)
  * Attestation storage with Archivista (https://github.com/in-
    toto/archivista)

https://salsa.debian.org/go-team/packages/witness
https://salsa.debian.org/jas/witness/-/pipelines

/Simon

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Source: witness
Source-Version: 0.10.2-1
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
witness, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated witness package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Mar 2026 17:32:24 +0100
Source: witness
Binary: golang-github-in-toto-witness-dev witness witness-dbgsym
Architecture: source all amd64
Version: 0.10.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Description:
 golang-github-in-toto-witness-dev - software supply chain risk management 
framework (library)
 witness    - software supply chain risk management framework (program)
Closes: 1093252
Changes:
 witness (0.10.2-1) unstable; urgency=medium
 .
   * Initial release (Closes: #1093252)
Checksums-Sha1:
 3d8dfd9e302a29be038b7fb272841599efcc539e 3076 witness_0.10.2-1.dsc
 d5515dfa3ffee195a659a0f076777d2eb369a8cd 14187092 witness_0.10.2.orig.tar.gz
 f6291f0430884f36acb0b1e6e10e64f8608accc4 3172 witness_0.10.2-1.debian.tar.xz
 8579e18666d25d897c53d1039a3aa8ac268ed94a 720244 
golang-github-in-toto-witness-dev_0.10.2-1_all.deb
 3685bdb757e7b4ac80035be50acc27a0cb56eb20 17435696 
witness-dbgsym_0.10.2-1_amd64.deb
 d89830d175a852cf5c8a863622bc35184a9f9be2 40079 witness_0.10.2-1_amd64.buildinfo
 1faf3782eb1f68838a0548dd9ae8a64e132d6bc4 14463184 witness_0.10.2-1_amd64.deb
Checksums-Sha256:
 32e949fd8eeb7aaa8904f53b206be2222eb80f3acd7acda560998c8db9c43903 3076 
witness_0.10.2-1.dsc
 b6853a9ddb506edc9ac020168aeb1e46b2371304d1a7e5ce4b566d5fc5415183 14187092 
witness_0.10.2.orig.tar.gz
 c232f1db800f182c5f2d37e59d5efb7bbeccbd0662ec627b903f1fd7de993f0a 3172 
witness_0.10.2-1.debian.tar.xz
 d7c0d6320d7c88b9f08928a30fb364908b6419b47c31efece2007dd80a5f8e67 720244 
golang-github-in-toto-witness-dev_0.10.2-1_all.deb
 cd317b7c6eebdf6604e65140bc1f28e3e4e6a3f39cfc9a768d412d1d7050ae1d 17435696 
witness-dbgsym_0.10.2-1_amd64.deb
 de9804a7c97b81a118dca1b2200b6ded0b7f02bb4d6cded129f2bc637f66084b 40079 
witness_0.10.2-1_amd64.buildinfo
 f67af195d7eea22c9438b4a58d7d0ae0873620b866a20a25c52daa4df9bbb19f 14463184 
witness_0.10.2-1_amd64.deb
Files:
 4db70a80420379b61e510cd8124bcd46 3076 golang optional witness_0.10.2-1.dsc
 9dd7812590996eb66df05e3b091b2166 14187092 golang optional 
witness_0.10.2.orig.tar.gz
 c8f7f9c2ad2a18d6b28679c667949c95 3172 golang optional 
witness_0.10.2-1.debian.tar.xz
 02978f80ef08fc5c5e45d1d938c7ea06 720244 golang optional 
golang-github-in-toto-witness-dev_0.10.2-1_all.deb
 a4c81e54bbb6504947382d6786b9f033 17435696 debug optional 
witness-dbgsym_0.10.2-1_amd64.deb
 c2697581eba63a98a0165b33a82d3d3e 40079 golang optional 
witness_0.10.2-1_amd64.buildinfo
 c8d776bc78a4ef18276848a23da1fedc 14463184 devel optional 
witness_0.10.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCgMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmm8JnkUHHNpbW9uQGpv
c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f
V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z
ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh
BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA
/iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx
+3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx
I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0
+MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R
cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE
8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J
ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6
qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB
BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA
JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF
PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh
is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFoltHAPwJ/BQUlTIE
2CKIKM2tpY/ci1zexCTPDWpODfurRBKfpwD+M65fqQlhY9TrRfl85b4fmXPbk+Cz
28AqK174OspHugs=
=ygxT
-----END PGP SIGNATURE-----

Attachment: pgpM8MfpPsHXP.pgp
Description: PGP signature


--- End Message ---

Reply via email to