Evaluate The Update Framework #211
Yesterday @titanous told me we should take a second look at The Update Framework (TUF) for addressing a number of things around signing that we have wanted, including: prevention of downgrade (#168), multiple signers, and key revocation.
There is a Go implementation that we can look at over here: https://github.com/flynn/go-tuf
Things that need to be explored:
Helpful blog series to explain the basics:
There is an excellent 30-minute presentation of the RubyGems integration that also covers the basics. The RubyGems + TUF presentation is by the same author as the blog series you've listed.
Another document that you may review is the PyPI proposal. You might have come across the proposal on our website (thanks again for the pull request), but an up-to-date version of the proposal is available here: https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst. The proposal goes over some of the questions you will explore, such as the impact on the SPEC discovery process (e.g., the current Container Runtime and Image manifests can be treated as TUF targets, and once they are downloaded the discovery process can proceed as normal), downgrade attacks (and others!), and management of the images + metadata available on the repository.
Feel free to contact us with any questions as you evaluate the framework. And thanks for the interest in our work.