The Datadog TUF + in-toto implementation is discussed in more detail here[1]. Let me know if you have questions!

[1] https://www.datadoghq.com/blog/engineering/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto/
Great writeup! The supply chain is one of the weakest links in the software development process today due to the implicit trust developers have in the open source ecosystem, so I'm glad to see more interest in projects like in-toto.