“Our stuff” - how to protect users from package compromise with RSTUF
10-26, 09:30–09:55 (Europe/Berlin), Main stage

For many years the Update Framework (TUF) has been a prime reference for secure package delivery and updates. Despite its popularity, integration with existing package managers remains a challenging task.

Enter RSTUF: This new OpenSSF project has taken on the challenge to provide a generic TUF application, which primarily focuses on ease of adoption.

Secure package distribution is crucial for any operating system, language ecosystem, and framework. It means that a user indeed gets the package they asked for, and that its freshness, consistency and integrity are guaranteed. Signing the package or distribution channel alone is not enough. The user also needs to know which signing keys they can trust – or can no longer trust, in case the key was compromised.

The Update Framework (TUF) provides an excellent, highly flexible solution for this problem. Due to the broad range of use cases TUF can cover, implementing and maintaining a TUF-powered package repository remains a challenging task, which requires deep expert knowledge, as well as a considerable amount of software engineering resources.

Repository Service For TUF (RSTUF) is the first project to implement a generic TUF application with the primary goal of making general TUF adoption easier. It is agnostic to content type, programming language, and release process, and supports large-scale community platforms, as well as simple content repositories.

In this talk Kairo, tech lead of RSTUF, and Lukas, TUF project maintainer, will explain what RSTUF adds on top of TUF and show-case how it can be used to protect a large community repository like PyPI.org, and RubyGems.org.

RSTUF is an OpenSSF sandbox project, sponsored by the OpenSSF Securing Software Repositories Working Group.

Kairo is a Senior Open Source Software Engineer at VMware Open Source Program Office (OSPO) on the Security Supply Chain team. He contributed to python-tuf and is the author of Repository Service for TUF (RSTUF). Prior roles include System Engineer Specialist and Senior Software Engineer at IBM, ING, and Forescout.

Lukas Pühringer is a research scholar and software developer at the NYU Center for Cyber Security (CCS), where he leads the development of The Update Framework (TUF), and has been co-maintaining several of Prof. Justin Cappos’ software projects, most notably the supply chain security framework in-toto. Lukas also supervises students and gives talks about TUF and in-toto.