Evaluate The Update Framework #211

philips opened this Issue Feb 19, 2015 · 5 comments



philips commented Feb 19, 2015

Yesterday @titanous told me we should take a second look at The Update Framework (TUF) for addressing a number of things around the signing that we have wanted including: prevention of downgrade (#168), multiple signers, and key revocation.

There is a Go implementation that we can look at over here:

Things that need to be explored:

  • how do we support this as an alternative to GPG signing which is super simple and easy for developers to use?
  • how do we make it easy for a user to maintain a repo of images?
  • how does this impact the current SPEC around discovery?

Helpful blog series to explain the basics:



titanous commented Feb 19, 2015

Let me know if you have specific implementation questions.

go-tuf includes a simple CLI for creating and managing repos, but it could be improved quite a bit (we currently just wrap it in release scripts, happy to accept PRs).



vladimir-v-diaz commented Feb 24, 2015

Hi @philips
We (the TUF team) are available to help answer some of those questions. You may contact us at our mailing list ( or we can talk over voice chat if you prefer.

There is an excellent 30-minute presentation of the RubyGems integration that also covers the basics. The RubyGems + TUF presentation is made by the same author of the blog series you've listed.

Another document that you may review is the PyPI proposal. You might have come across the proposal on our website (thanks again for the pull request), but an up-to-date version of the proposal is available here: The proposal goes over some of the questions you will explore, such as the impact on the SPEC discovery process (e.g., the current Container Runtime and Image manifests can be treated as TUF targets, and once they are downloaded the discovery process can proceed as normal), downgrade attacks (and others!), and management of the images + metadata available on the repository.

Feel free to contact us with any questions as you evaluate the framework. And thanks for the interest in our work.




philips commented Mar 18, 2015

For a status update on this I hacked together something that works. I need to give some more thought to what makes it into the "custom" field though: philips/go-tuf@90193e0




philips commented Mar 23, 2015

@vladimir-v-diaz I need posting rights.




jonboulle commented Apr 8, 2015

Capturing a note from elsewhere: we should ensure that the ACI filesize is part of the TUF metadata.
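
Added example, not part of the thread and not go-tuf code: a client-side check showing why the file size belongs in the TUF targets metadata next to the hash, since it lets the client cap the download before hashing. The `length` and `hashes` fields follow the TUF targets metadata layout; the `example.aci` name, the sample bytes and the helper names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
)

// TargetMeta mirrors one entry of the "targets" map in TUF targets metadata.
type TargetMeta struct {
	Length int64             `json:"length"`
	Hashes map[string]string `json:"hashes"`
}

// VerifyTarget hashes at most meta.Length+1 bytes of r, so an oversized or
// endless download is rejected without reading it to the end.
func VerifyTarget(r io.Reader, meta TargetMeta) error {
	h := sha256.New()
	n, err := io.Copy(h, io.LimitReader(r, meta.Length+1))
	if err != nil {
		return err
	}
	if n != meta.Length {
		return fmt.Errorf("length mismatch: metadata says %d bytes", meta.Length)
	}
	// A missing sha256 entry yields "" here and therefore fails closed.
	if hex.EncodeToString(h.Sum(nil)) != meta.Hashes["sha256"] {
		return fmt.Errorf("sha256 mismatch")
	}
	return nil
}

// CheckSample verifies body against constructed metadata for "example.aci".
func CheckSample(body []byte) error {
	aci := []byte("constructed ACI bytes") // constructed sample, not a real image
	raw := fmt.Sprintf(`{"example.aci":{"length":%d,"hashes":{"sha256":"%x"}}}`,
		len(aci), sha256.Sum256(aci))
	var targets map[string]TargetMeta
	if err := json.Unmarshal([]byte(raw), &targets); err != nil {
		return err
	}
	return VerifyTarget(bytes.NewReader(body), targets["example.aci"])
}
func main() {
	fmt.Println(CheckSample([]byte("constructed ACI bytes")))           // matches
	fmt.Println(CheckSample([]byte("constructed ACI bytes plus junk"))) // too long
}
```

In a real client the metadata would first have its signatures and version checked before any target is compared against it; this block covers only the length and hash step.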
