in-toto
v3.1.0Securityin-toto v3.1.0 migrates away from sslib's hash functions, switches to ruff for code style, and refreshes Debian packaging — mostly maintenance, but the sslib change has dependency implications.
breakingAudit your sslib dependency if you use it alongside in-toto
in-toto has internalized sslib's hash functions because sslib is being deprecated. If your project independently depends on sslib for other functionality, start planning a migration now — don't assume sslib will remain maintained. Check your dependency tree for anything that transitively pulls in sslib and evaluate whether those paths need updating.
enhancementUse the new `in-toto-run` return code passthrough in CI pipelines
Previously, `in-toto-run` would swallow the wrapped command's exit code, which could mask failures in CI. With passthrough now enabled, the return code of the wrapped command propagates correctly. If you have shell scripts or CI steps that check exit codes after `in-toto-run`, verify your error handling still works as intended — behavior has changed and some pipelines may now surface previously hidden failures.
enhancementIf you contribute to or package in-toto, update your dev tooling to ruff
The codebase now enforces ruff-based style rules. If you maintain a fork, downstream package, or contribute PRs, your existing flake8/pylint setup will likely flag false conflicts. Align your local dev environment with ruff before opening PRs against this version or later.
Key changes (5)
- sslib hash functions ported directly into in-toto due to sslib deprecation — reduces external dependency
- Code style tooling switched from existing linter to ruff (PEP 8 enforcement updated across codebase)
- Debian dependencies and build rules refreshed for current packaging compatibility
- CLI: `in-toto-run` now passes through the wrapped command's return code
- Documentation updates covering pipeline configuration and general content improvements