Evaluate The Update Framework

[philips]

Yesterday @titanous told me we should take a second look at The Update Framework (TUF) for addressing a number of things around the signing that we have wanted including: prevention of downgrade (#168), multiple signers, and key revocation.

There is a go implementation that we can look at over here: https://github.com/flynn/go-tuf

Things that need to be explored:

• [ ] how do we support this as an alternative to GPG signing which is super simple and easy for developers to use?
• [ ] how do we make it easy for a user to maintain a repo of images?
• [ ] how does this impact the current SPEC around discovery?

Helpful blog series to explain the basics:

• http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-1.html
• http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-2.html
• http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-3.html

[titanous]

Let me know if you have specific implementation questions.

go-tuf includes a simple CLI for creating and managing repos, but it could be improved quite a bit (we currently just wrap it in release scripts, happy to accept PRs).

[vladimir-v-diaz]

Hi @philips We (the TUF team) are available to help answer some of those questions. You may contact us at our mailing list (theupdateframework@googlegroups.com) or we can talk over voice chat if you prefer.

There is an excellent 30-minute presentation of the RubyGems integration that also covers the basics. The RubyGems + TUF presentation is made by the same author of the blog series you've listed.

Another document that you may review is the PyPI proposal. You might have come across the proposal on our website (thanks again for the pull request), but an up-to-date version of the proposal is available here: https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst. The proposal goes over some of the questions you will explore, such as the impact on the SPEC discovery process (e.g., the current Container Runtime and Image manifests can be treated as TUF targets, and once they are downloaded the discovery process can proceed as normal), downgrade attacks (and others!), and management of the images + metadata available on the repository.

Feel free to contact us with any questions as you evaluate the framework. And thanks for the interest in our work.

[philips]

For a status update on this I hacked together something that works. I need to give some more thought to what makes it into the "custom" field though: https://github.com/philips/go-tuf/commit/90193e044f1e98a4c99cb634f53442baf1aa25dc

[philips]

@vladimir-v-diaz I need posting rights.

[jonboulle]

Capturing a note from elsewhere: we should ensure that the ACI filesize is part of the TUF metadata.