Is python-tuf production ready?


B. van Lunteren

Mar 23, 2022, 9:12:54 AM3/23/22
to The Update Framework (TUF)
Hi everyone,

Could someone tell me if the `python-tuf` reference implementation is production ready, in terms of security?

I was hoping to find the answer in the FAQ section, or in the docs, but could not find it.

Thanks for your help.

Best regards,
Ber


Jussi Kukkonen

Mar 24, 2022, 9:22:57 AM3/24/22
to B. van Lunteren, The Update Framework (TUF)
Hi Ber,

Yes, we made the 1.0 release with the intent that python-tuf is both stable and ready for production. In my expert (and biased) opinion python-tuf implementation quality is high and our security posture is good: This is true both as a Python project and as a TUF implementation.


I'll include two caveats:
  • This is still fairly recent code: I stand by the quality assessment above but I won't call it battle tested just yet
  • Client implementation is 100% ready for integration but I would describe the repository (server side) offering in 1.0 as "low level": It works and is of good quality but the user is currently expected to create the higher level functionality themselves (see examples)

Hope that helps,
Jussi


Trishank Kuppusamy

Mar 24, 2022, 9:24:50 AM3/24/22
to Jussi Kukkonen, Justin Cappos, B. van Lunteren, The Update Framework (TUF)
@Justin Cappos: do we have a budget for an independent security audit?

Justin Cappos

Mar 24, 2022, 9:51:27 AM3/24/22
to Trishank Kuppusamy, Jussi Kukkonen, B. van Lunteren, The Update Framework (TUF), Marina Moore
We've had a few of these audits in the past.  Likely the CNCF will provide another if we ask.  Let's bring that up with Chris A. and others the next time we speak.

Justin

Joshua Lock

Mar 24, 2022, 11:06:49 AM3/24/22
to Justin Cappos, Trishank Kuppusamy, Jussi Kukkonen, B. van Lunteren, The Update Framework (TUF), Marina Moore

The python-tuf maintainers are already engaged with OSTIF, via the CNCF, to get a security audit of the new python-tuf code.


Regards,

Joshua

Trishank Kuppusamy

Mar 24, 2022, 11:20:43 AM3/24/22
to Joshua Lock, Justin Cappos, Jussi Kukkonen, B. van Lunteren, The Update Framework (TUF), Marina Moore
On Thu, Mar 24, 2022 at 11:06 PM Joshua Lock <jl...@vmware.com> wrote:

The python-tuf maintainers are already engaged with OSTIF, via the CNCF, to get a security audit of the new python-tuf code.


I had no idea! Where was this communicated? Also, only the new codebase, I hope?