Repository Service for TUF Documentation
Repository Service for TUF is a work in progress. As of June 2023, RSTUF is considered beta; use with caution.
Please reference the RSTUF ROADMAP for feature and functionality plans.
Repository Service for TUF (RSTUF) is a collection of components that provide services for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).
RSTUF security properties are achieved by implementing The Update Framework (TUF) as a service.
Repository Service for TUF is platform, artifact, language, and process-flow agnostic.
TUF is easily implemented on the client side utilizing powerful TUF client libraries.
Some RSTUF use case examples include but are not limited to:
An organization has a live “Software Updater”. This “Software Updater” uses TUF to download, install and update software artifacts.
An organization distributes documents. The reader uses TUF to fetch documents submitted by a trusted source.
An organization owns a private container image registry and uses TUF in its CI/CD pipeline to deploy trusted compute images at the edge.
An organization with many Operational Technology (OT) devices in different plants uses TUF clients to fetch firmware, software, and projects from a distributed artifact repository.
A web portal uses TUF to list all artifacts from a content repository and render them in a Web UI, from which users download them with a web browser.
What is TUF?
RSTUF simplifies the adoption of TUF by removing the need to design a repository integration – RSTUF encapsulates that design.
Repository Service for TUF (RSTUF) is designed to be integrated with existing content delivery solutions – at the edge or in public/private clouds – alongside current artifact production systems such as build systems, including Jenkins, GitHub Actions, GitLab, CircleCI, etc. RSTUF protects downloading, installing, and updating content from arbitrary content repositories, such as a web server, JFrog Artifactory, GitHub Packages, etc.
If a user wants to integrate RSTUF into an existing CI/CD pipeline, the only requirement is to make a REST API request to RSTUF.
The same is true when a user wants to integrate RSTUF into an existing distribution platform.
Thanks to the REST API, integrating RSTUF into existing content delivery solutions is straightforward. Furthermore, RSTUF is designed for scalability and can support active repositories with multiple repository workers.
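The two halves of the flow described above (the producer side that hands artifact information to the repository service, and the TUF client side that verifies downloads against signed metadata) are illustrated by the following added example. It is not RSTUF's or python-tuf's code: it uses only the standard library, models just the "length" and "hashes" fields of TUF targets metadata (no signatures, roles, delegations or expiry), and the function names, the sample artifact bytes and the targets mapping are all constructed for this illustration. The HTTP request that would carry the computed information to RSTUF's REST API is deliberately not shown, since its exact payload shape belongs to the API reference.

```python
import hashlib
import hmac

# Constructed sample artifact standing in for a package a CI/CD job has built.
TRUSTED_ARTIFACT = b"example-package-1.0.0: release build contents\n"
# Constructed tampered copy of identical length, as an on-path attacker might
# substitute between the repository and the client.
TAMPERED_ARTIFACT = b"example-package-1.0.0: backdoor build content\n"


def target_info(data: bytes, algorithms=("sha256", "sha512")) -> dict:
    """Build the TUF "targetinfo" structure for an artifact: its byte length
    plus one or more hashes. This is what the producer side (a CI/CD step)
    computes and hands to the repository service, which signs it into targets
    metadata. Hypothetical helper name; the request to RSTUF is not shown."""
    return {
        "length": len(data),
        "hashes": {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms},
    }


# Constructed "targets" mapping of a TUF targets metadata file, i.e. what a
# TUF client holds after it has verified the repository's signed metadata.
TARGETS = {"example-package-1.0.0.tar.gz": target_info(TRUSTED_ARTIFACT)}


def verify_download(target_path: str, data: bytes, targets: dict) -> bool:
    """Client-side check that a TUF client library performs on downloaded
    bytes: the target must be listed in trusted metadata, the length must
    match, and every listed hash must match. Any mismatch rejects the bytes."""
    info = targets.get(target_path)
    if info is None:
        return False  # never listed by the repository: nothing vouches for it
    if len(data) != info["length"]:
        return False  # truncated or padded between repository and client
    for alg, expected in info["hashes"].items():
        actual = hashlib.new(alg, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False  # content substituted in transit
    return True


def main() -> None:
    path = "example-package-1.0.0.tar.gz"
    print("genuine :", verify_download(path, TRUSTED_ARTIFACT, TARGETS))
    print("tampered:", verify_download(path, TAMPERED_ARTIFACT, TARGETS))
    print("unlisted:", verify_download("other.tar.gz", TRUSTED_ARTIFACT, TARGETS))


if __name__ == "__main__":
    main()
```

The tampered artifact has the same length as the genuine one, so the length check alone would not catch it; the hash comparison does. In a real deployment the targets mapping is not a local constant but comes from metadata whose signatures, roles and expiry the client library has already verified, which is the part RSTUF manages on the repository side.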
At present, RSTUF implements a streamlined variant of the Python Package Index (PyPI)’s PEP 458 – Secure PyPI downloads with signed repository metadata. In the future, RSTUF will grow to provide additional protections through supporting the end-to-end signing of packages, comparable to PyPI’s PEP 480 – Surviving a Compromise of PyPI: End-to-end signing of packages.
Talks, Posts and Mentions about RSTUF
KubeCon 2023: “Maintaining TUF, a Talk” by Joshua Lock and Lukas Pühringer
Open Source Summit NA 2023: Toto-Ally TUF: Simple Tools for a Secure Software Supply Chain by Marina Moore & Aditya Sirish A Yelgundhalli
Background and motivation
TUF provides a flexible framework and specification that developers can adopt and an excellent Python Library (python-tuf) that provides two APIs for low-level Metadata management and client implementation.
Combined experience with the complexity and fragility of deeply integrating TUF into an intricate platform motivated the design of a flexible, reusable TUF service that can be integrated into different flows and infrastructures.
Repository Service for TUF aims to be an easy-to-use tool for Developers, DevOps, and DevOpsSec teams working on the delivery process.
How to get involved
RSTUF mailing list
Join the mailing list at https://lists.openssf.org/g/RSTUF