Repository Service for TUF Documentation

Note

Repository Service for TUF is a work in progress. As of June 2023 RSTUF is considered beta - use with caution.

Please refer to the RSTUF ROADMAP for feature and functionality plans.


Repository Service for TUF (RSTUF) is a collection of components that provide services for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).

RSTUF security properties are achieved by implementing The Update Framework (TUF) as a service.

Repository Service for TUF is platform, artifact, language, and process-flow agnostic.

TUF is easily implemented on the client side utilizing powerful TUF client libraries.

Use cases

Some RSTUF use case examples include but are not limited to:

  • An organization has a live “Software Updater”. This “Software Updater” uses TUF to download, install and update software artifacts.

  • An organization distributes documents. The reader uses TUF to fetch documents submitted by a trusted source.

  • An organization owns a private container image registry and uses TUF in its CI/CD pipeline to deploy trusted compute images at the edge.

  • An organization with many Operational Technology (OT) devices in different plants uses TUF clients to fetch firmware, software, and projects from a distributed artifact repository.

  • A web portal uses TUF to list all artifacts from a content repository and render them as a Web UI, from which the user downloads them with a web browser.

What is TUF?

The Update Framework is a software framework designed to protect mechanisms that automatically identify and download updates to software. TUF uses a series of roles and keys to provide a means to retain security, even when some keys or servers are compromised. [1]

Design/Solution

RSTUF simplifies the adoption of TUF by removing the need to design a repository integration – RSTUF encapsulates that design.

Repository Service for TUF (RSTUF) is designed to be integrated with existing content delivery solutions – at the edge or in public/private clouds – alongside current artifact production systems such as build systems (Jenkins, GitHub Actions, GitLab, CircleCI, etc.). RSTUF protects downloading, installing, and updating content from arbitrary content repositories, such as a web server, JFrog Artifactory, GitHub Packages, etc.

If a user wants to integrate RSTUF into an existing CI/CD pipeline the only requirement is to make a REST API request to RSTUF:

[Figure: RSTUF REST API integration with a CI/CD pipeline]

The same can be said when a user wants to integrate RSTUF into an existing distribution platform:

[Figure: RSTUF REST API integration with a distribution platform]

Thanks to the REST API, integrating RSTUF into existing content delivery solutions is straightforward. Furthermore, RSTUF is designed for scalability and can support active repositories with multiple repository workers.
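The integration described above, as an added example that is not part of RSTUF's own code: a CI/CD step that describes a freshly built artifact the way TUF targets metadata needs it (length plus a BLAKE2b-256 digest), submits that description to the RSTUF REST API, and then polls the asynchronous task until the repository worker has finished. The endpoint paths, the request and response shapes, the task state names and the bearer-token header are assumptions modelled on the RSTUF API and must be checked against the API reference; the transport is pluggable so the flow can be exercised offline against the included fake server.

```python
# Added example (not RSTUF's own code). Endpoint paths, payload/response
# shapes and task states below are ASSUMPTIONS; verify them against the
# RSTUF API reference before use.
import hashlib
import json
import time
from typing import Callable, Dict, List, Optional

ARTIFACTS_ENDPOINT = "/api/v1/artifacts/"  # assumed: registers new targets
TASK_ENDPOINT = "/api/v1/task/"            # assumed: reports a worker task's state

# A transport maps (method, url, body, bearer_token) -> parsed JSON response.
Transport = Callable[[str, str, Optional[bytes], Optional[str]], Dict]


def describe_artifact(path: str, data: bytes) -> Dict:
    """Describe one artifact as TUF targets metadata needs it. RSTUF signs this
    description (length + hash) and never has to see the artifact bytes."""
    digest = hashlib.blake2b(data, digest_size=32).hexdigest()
    return {"path": path,
            "info": {"length": len(data), "hashes": {"blake2b-256": digest}}}


def build_payload(artifacts: List[Dict]) -> Dict:
    """Request body for the artifacts endpoint (assumed shape)."""
    return {"artifacts": artifacts}


def submit_artifacts(base_url: str, artifacts: List[Dict],
                     transport: Transport, token: Optional[str] = None) -> str:
    """POST the descriptions; RSTUF answers with the id of the queued task."""
    body = json.dumps(build_payload(artifacts)).encode()
    resp = transport("POST", base_url.rstrip("/") + ARTIFACTS_ENDPOINT, body, token)
    try:
        return resp["data"]["task_id"]
    except (KeyError, TypeError):
        raise RuntimeError(f"unexpected response from RSTUF: {resp!r}")


def wait_for_task(base_url: str, task_id: str, transport: Transport,
                  token: Optional[str] = None, attempts: int = 30,
                  sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Poll until the repository worker reports success; fail loudly otherwise,
    because a CI step must not report a green build for an unsigned artifact."""
    url = f"{base_url.rstrip('/')}{TASK_ENDPOINT}?task_id={task_id}"
    for _ in range(attempts):
        data = transport("GET", url, None, token).get("data", {})
        state = data.get("state")
        if state == "SUCCESS":
            return data
        if state in ("FAILURE", "ERRORED"):  # assumed failure state names
            raise RuntimeError(f"RSTUF task {task_id} failed: {data.get('result')!r}")
        sleep(1)
    raise TimeoutError(f"RSTUF task {task_id} did not finish after {attempts} polls")


def urllib_transport(method: str, url: str, body: Optional[bytes],
                     token: Optional[str]) -> Dict:
    """Real transport using only the standard library."""
    from urllib import request
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"  # assumed auth scheme
    req = request.Request(url, data=body, method=method, headers=headers)
    with request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def publish(base_url: str, files: Dict[str, bytes], transport: Transport = urllib_transport,
            token: Optional[str] = None, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """The whole CI step: describe, submit, wait."""
    artifacts = [describe_artifact(path, data) for path, data in files.items()]
    task_id = submit_artifacts(base_url, artifacts, transport, token)
    return wait_for_task(base_url, task_id, transport, token, sleep=sleep)


class FakeRSTUF:
    """Constructed stand-in for the API so the flow runs offline: records each
    call, hands out one task id, reports PENDING once and then the final state."""

    def __init__(self, final_state: str = "SUCCESS"):
        self.calls, self.polls, self.final_state = [], 0, final_state

    def __call__(self, method, url, body, token):
        self.calls.append((method, url, body, token))
        if method == "POST":
            return {"data": {"task_id": "task-1"}, "message": "Artifact(s) successfully submitted."}
        self.polls += 1
        state = "PENDING" if self.polls < 2 else self.final_state
        return {"data": {"task_id": "task-1", "state": state, "result": {"status": state}}}


if __name__ == "__main__":
    # Constructed sample artifact; against a real deployment pass transport=urllib_transport.
    fake = FakeRSTUF()
    result = publish("http://rstuf.example.internal", {"dist/app-1.0.tar.gz": b"built bytes"},
                     transport=fake, sleep=lambda _: None)
    print("task finished:", result["state"], "after", len(fake.calls), "requests")
```

Only the target description crosses the wire, so the CI job never uploads the artifact to RSTUF; the artifact itself goes to the content repository as before, and clients later check the downloaded bytes against the signed length and hash.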

At present, RSTUF implements a streamlined variant of the Python Package Index (PyPI)’s PEP 458 – Secure PyPI downloads with signed repository metadata. In the future, RSTUF will grow to provide additional protections through supporting the end-to-end signing of packages, comparable to PyPI’s PEP 480 – Surviving a Compromise of PyPI: End-to-end signing of packages.

Talks, Posts and Mentions about RSTUF

Talks

Posts

Mentions

Background and motivation

TUF provides a flexible framework and specification that developers can adopt and an excellent Python Library (python-tuf) that provides two APIs for low-level Metadata management and client implementation.

Implementing TUF requires sufficient knowledge of TUF to design how to integrate the framework into a repository and hours of engineering work to implement.

RSTUF was born as a consequence of working on implementing PEP 458 in the Warehouse project, which powers the Python Package Index (PyPI). [2]

The combined experience with the complexity and fragility of deep integration into an intricate platform led to the design of a flexible, reusable TUF platform that can be integrated into different flows and infrastructures.

Repository Service for TUF aims to be an easy-to-use tool for Developers, DevOps, and DevOpsSec teams working on the delivery process.

How to get involved

Slack channel

#repository-service-for-tuf channel on OpenSSF Slack.

Meetings

RSTUF mailing list

Join the mailing list at https://lists.openssf.org/g/RSTUF

email: RSTUF@lists.openssf.org

Documentation List