TUF Graduation PR #166

Merged
merged 40 commits into from Dec 18, 2019

JustinCappos
Contributor

No description provided.

@caniszczyk caniszczyk added this to In progress (due diligence) in TOC Project Backlog Oct 16, 2018
@lizrice lizrice self-assigned this Mar 26, 2019
@caniszczyk caniszczyk added this to In progress (due diligence) in TOC Project Backlog 2019 Q3 via automation Jul 1, 2019
@iramcdonald

The TUF-variant Uptane is an extremely important technology in the automotive space, providing a secure way for software errors in automobiles to be securely fixed in the field. TUF provides the back-end security for Uptane and is essential to making the system work in a secure way so that even if an attacker compromises a server or a key, there will not be a loss of life. With at least one major OEM adopter in the US, Japan, and Europe, in a few years Uptane will be on about a third of new cars on US roads and is quickly on its way to becoming the de facto industry standard.

@omgclouds

Looks good to me.

@trishankatdatadog
Contributor

To reiterate @iramcdonald and @abecherer, TUF has been deployed to protect diverse environments ranging from the cloud (Datadog, Docker, IBM, Microsoft, Red Hat) to automotives.

I am heavily involved with the project, but this should not discount the conclusion that it is high time for TUF to graduate on the CNCF. Please let us know if anything is blocking it, and what we can do to fix it. Thanks very much.

@sjhx

sjhx commented Aug 22, 2019

As the tech-lead for IBM Cloud Container Registry I'd just like to chime in and confirm that we run the TUF based Notary in production, as a public service and fully support TUF's graduation.

Contributor Author

@JustinCappos JustinCappos left a comment

Further revisions...

@JustinCappos
Contributor Author

How has this changed over time while the project has been in incubation? How has the project matured since incubation?

At the time of CNCF adoption into incubation, the only cloud native production use was in Docker and AppContainer. We had some footprint outside of the CNCF in LEAP and a few smaller projects.

While in incubation, we have had adoption by Microsoft, Datadog, Google, IBM, RedHat, Cloudflare, DigitalOcean, VMware and many other companies. The TUF variant Uptane has also been adopted widely outside of the cloud native space, especially in the automotive space where it is an IEEE/ISTO standard and is hosted under the Linux Foundation's Joint Development Foundation.

I've added text to this effect in this PR (4ed9c8b).

Project and context
Many of the technical questions don't really apply to a spec project, but we should have some discussion of context. What are the alternatives? Are there any competing specs in this space?

I've added text to help address this in the PR (b969c7b).

Is there a write-up of DD at the incubation stage? That might be helpful.

We didn't do a DD writeup when entering the CNCF because that wasn't part of the process then. Here is the PR w/ documentation which may have helpful information. #38

I hope this helps to clarify things. Just ask if you need more from us!

@lizrice
Contributor

lizrice commented Nov 5, 2019

We're using slack and mailing lists from resources in my lab which is across many non-CNCF / LF projects as well. We've added external participants as needed. @caniszczyk, would the CNCF perhaps be willing to fund paid slack so we can bridge? (Sorry, we just don't have funds for this now.) We can also try to move the conversation over, but since many of the members are otherwise non-CNCF participants, it isn't obvious to us what to do. We're open to changes in how we would do this and how to document it better in the DD.

I don't particularly think it matters who or where the community is gathering, so long as there is a community, it's open to people to join, and people can find it. Is the mailing list in the NYU lab the same as what's listed on the README?

I also think it would be OK in the Graduation PR to document the current levels of activity but to acknowledge that since the spec is stable, community activity levels are currently low. But IMO it should be documented so that when TOC members read this PR document to make a judgement on their vote, they know what the situation is.

@lizrice
Contributor

lizrice commented Nov 5, 2019

The Governance documentation defines a Consensus Builder and refers to a CB term, but I couldn't find where that term was defined?

Signed-off-by: Justin Cappos <justincappos@gmail.com>
@lizrice
Contributor

lizrice commented Nov 12, 2019

Thanks @JustinCappos and TUF team for the revisions on this proposal. I believe TUF meets the graduation requirements so I’d like to call for a vote @caniszczyk @amye

@amye amye moved this from Sponsor to TOC Sponsor calls for vote in TOC Project Reviews Q4 2019 Nov 12, 2019
@caniszczyk caniszczyk moved this from TOC Sponsor calls for vote to Vote in TOC Project Reviews Q4 2019 Nov 13, 2019
@caniszczyk caniszczyk merged commit 42169c0 into cncf:master Dec 18, 2019
@caniszczyk caniszczyk moved this from Vote to Done in TOC Project Reviews Q4 2019 Dec 18, 2019