Authors: Lukas Pühringer, Joshua Lock
2023-04-21

The Update Framework (TUF) is a framework for secure content delivery and updates. It protects against various types of supply chain attacks, and, in contrast to many other systems, provides resilience to compromise. TUF’s design has been described in many previous talks at KubeCon and elsewhere. This maintainer track session, for the first time, is indeed all about maintaining TUF. The two core project members, Joshua and Lukas, will share their insights into the organization, which consists of a specification, a standardization process, and a steadily growing number of implementations. They will talk about the different needs of the various subprojects, and showcase these efforts by walking through the recent reference implementation rewrite. Finally, they will point out the many avenues that exist for you to contribute to TUF. Because behind TUF stands a welcoming community, which is constantly looking for new people who are excited about a secure software supply chain.
Authors: Marina Moore, Santiago Torres-Arias
2022-10-27

Download the code ahead of time. DCO Required. Join us for some live collaboration on TUF, in-toto, and Sigstore where we will be implementing new features and creating more cohesive integrations between these software supply chain projects. This Contribfest session is designed to provide projects with the space and resources to tackle outstanding technical debt, security issues, or outstanding impactful feature requests. They are intended to provide a place for maintainers to meet contributors and potential contributors and work together on solving a problem.
Authors: Justin Cormack
2022-10-27

This talk gives an overview of the status of the Notary project, and the Notary v2 work, and the context in the broader ecosystem. Supply chain security is becoming increasingly critical and its importance has been recognised, but the ecosystem of tools around this is confusing. So this talk will cover the context of the key ideas, including the TUF and in-toto projects and how they relate to the security outcomes people want to achieve.
Authors: Justin Cappos, Marina Moore
2022-10-27

Description: As supply chain security has garnered a lot of attention recently, software signing and verification has emerged as a vital step in the process of distributing software. However, a signature alone is insufficient for ensuring the security of a software artifact. Come learn about The Update Framework (TUF), the technology used by sigstore, Notary, Google Fuchsia, and more to not only sign software, but determine which keys should be used and prevent known attacks on software update systems. We will give an overview of TUF that describes its security features and how it has been integrated into fields as diverse as container registries and automobiles. We will also discuss new features we are working on to better support secure software distribution at scale, usability, and some emerging uses of TUF.
Authors: Lukas Pühringer, Jussi Kukkonen
2022-05-20

The Update Framework (TUF) is a framework for secure content delivery and updates. It protects against various types of supply chain attacks, and, in contrast to many other systems, provides resilience to compromise. In this talk Jussi and Lukas, both maintainers of the TUF reference implementation and core contributors to the TUF specification, will show why content delivery is such a crucial part of the supply chain, how TUF can be used to protect it, and where TUF is already used in practice. They will talk about how the TUF ecosystem is evolving: what is happening within the various subprojects and how some well-known adoptions and integration projects are proceeding. Finally, some interesting future developments are discussed.
Authors: Marina Moore, Joshua Lock
2021-10-14

tldr - powered by Generative AI

The Update Framework (TUF) is a framework for secure software updates that protects the integrity, consistency, and freshness of packages while reducing the impact of a compromise and allowing for recovery. It uses cryptographic signatures to protect content and separates responsibilities to reduce the impact of key loss. TUF also allows users to recover when a compromise happens through hierarchical trust delegations.
  • TUF protects content using cryptographic signatures over the content, repository, and metadata to ensure integrity, consistency, and freshness.
  • TUF reduces the impact of key loss by separating responsibilities and requiring a threshold of keys to sign content.
  • TUF allows users to recover from a compromise through hierarchical trust delegations.
  • TUF uses a root role that delegates to other roles in the system, including a timestamp role, snapshot role, and targets roles.
  • TUF balances trust and responsibility by ensuring that more vulnerable roles have less of an impact when compromised.