Note
Repository Service for TUF is a work in progress. As of June 2023 RSTUF is considered beta - use with caution.
Please reference the RSTUF ROADMAP for feature and functionality plans.
TUF is easily implemented on the client side utilizing powerful TUF client libraries.
Some RSTUF use case examples include but are not limited to:
- An organization has a live "Software Updater". This "Software Updater" uses TUF to download, install and update software artifacts.
- An organization distributes documents. The reader uses TUF to fetch documents submitted by a trusted source.
- An organization owns a private container image registry and uses TUF in its CI/CD pipeline to deploy trusted images to edge computing devices.
- An organization with many Operational Technology (OT) devices in different plants uses TUF clients to fetch firmware, software, and projects from a distributed artifact repository.
- A web portal that uses TUF to list all artifacts from a content repository, renders them in a web UI, and lets the user download them with a web browser.
The Update Framework is a software framework designed to protect mechanisms that automatically identify and download updates to software. TUF uses a series of roles and keys to provide a means to retain security, even when some keys or servers are compromised.
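The property described above, that a role stays trustworthy while fewer than its threshold of keys are compromised, comes from how a TUF client checks signatures on a role's metadata: it counts only valid signatures from distinct keys that the delegating metadata authorizes for that role, and requires at least the role's threshold of them. The following is an added illustration of that check and is not code from RSTUF or from python-tuf; the Metadata API of python-tuf implements the real thing. Keys, keyids and the HMAC "signature" are constructed stand-ins (real TUF uses asymmetric signatures such as Ed25519, so a verifier never holds signing secrets), and the `Role`, `verify_threshold` and `demo` names are this example's own.

```python
"""Threshold verification of a TUF-style role (stdlib-only illustration)."""
import hashlib
import hmac
import json
from dataclasses import dataclass


def canonical_bytes(signed: dict) -> bytes:
    # TUF signs a canonical JSON encoding of the "signed" object; a sorted,
    # whitespace-free json.dumps is used here as a stand-in for that encoding.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def keyid_for(key_material: bytes) -> str:
    # Constructed: TUF derives a keyid from a hash of the public key object.
    return hashlib.sha256(key_material).hexdigest()


def make_signature(key_material: bytes, signed: dict) -> dict:
    # Stand-in "signature": an HMAC over the canonical payload. Real TUF uses
    # asymmetric signatures, so only the signer ever holds the private key.
    mac = hmac.new(key_material, canonical_bytes(signed), "sha256").hexdigest()
    return {"keyid": keyid_for(key_material), "sig": mac}


@dataclass(frozen=True)
class Role:
    """A role as the delegating metadata describes it: authorized keyids and a threshold."""
    keyids: frozenset
    threshold: int


def verify_threshold(role: Role, keys: dict, metadata: dict) -> bool:
    """Return True if at least `role.threshold` distinct authorized keys signed the payload."""
    payload = canonical_bytes(metadata["signed"])
    verified = set()
    for sig in metadata.get("signatures", []):
        kid = sig.get("keyid")
        if kid not in role.keyids:      # key not authorized for this role: ignored
            continue
        if kid in verified:              # the same key signing twice counts once
            continue
        key_material = keys.get(kid)
        if key_material is None:         # authorized keyid with no known key: cannot verify
            continue
        expected = hmac.new(key_material, payload, "sha256").hexdigest()
        if hmac.compare_digest(expected, sig.get("sig", "")):
            verified.add(kid)
    return len(verified) >= role.threshold


def demo() -> dict:
    """Constructed scenario: a targets role with three keys and a threshold of two."""
    k1, k2, k3 = b"constructed-key-1", b"constructed-key-2", b"constructed-key-3"
    keys = {keyid_for(k): k for k in (k1, k2, k3)}
    targets_role = Role(frozenset(keys), threshold=2)
    signed = {"_type": "targets", "version": 3,
              "targets": {"app-1.0.tar.gz": {"length": 1024}}}

    def signed_by(*signing_keys: bytes) -> dict:
        return {"signed": signed,
                "signatures": [make_signature(k, signed) for k in signing_keys]}

    attacker_key = b"constructed-attacker-key"  # never authorized by the role
    # Tampered payload delivered together with the genuine signatures.
    tampered = dict(signed, targets={"app-1.0.tar.gz": {"length": 2048}})
    tampered_md = {"signed": tampered, "signatures": signed_by(k1, k2)["signatures"]}

    return {
        "two_of_three": verify_threshold(targets_role, keys, signed_by(k1, k3)),
        "one_key_only": verify_threshold(targets_role, keys, signed_by(k2)),
        "same_key_twice": verify_threshold(targets_role, keys, signed_by(k2, k2)),
        "unauthorized_key": verify_threshold(targets_role, keys, signed_by(k1, attacker_key)),
        "tampered_content": verify_threshold(targets_role, keys, tampered_md),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'accepted' if ok else 'rejected'}")
```

Only the first case is accepted: one compromised key cannot meet the threshold on its own, signing twice with it does not help, a key the role never authorized contributes nothing, and any change to the signed content invalidates every signature over it.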
- PackagingCon 2023: “Our stuff” - how to protect users from package compromise with RSTUF.
- EuroPython 2023: "PEP 458 a solution not only for PyPI" (video recording).
- "Introducing RSTUF, Repository Service for TUF" by OpenSSF.
- "Introducing RSTUF beta release" by VMware.
- KubeCon 2023: "Maintaining TUF, a Talk" by Joshua Lock and Lukas Pühringer
- KubeCon 2023: CNCF Graduated Project Updates, TUF mentions the RSTUF Project.
- Open Source Summit NA 2023: Toto-Ally TUF: Simple Tools for a Secure Software Supply Chain by Marina Moore & Aditya Sirish A Yelgundhalli
TUF provides a flexible framework and specification that developers can adopt and an excellent Python Library (python-tuf) that provides two APIs for low-level Metadata management and client implementation.
Implementing TUF on the repository side requires enough knowledge of TUF to design how the framework integrates into a repository, and hours of engineering work to implement it.
RSTUF was born as a consequence of working on implementing PEP 458 in the Warehouse project, which powers the Python Package Index (PyPI).
That experience with the complexity and fragility of deeply integrating TUF into an intricate platform led to the design of a flexible, reusable TUF platform that can be integrated into different flows and infrastructures.
Repository Service for TUF aims to be an easy-to-use tool for Developers, DevOps, and DevOpsSec teams working on the delivery process.