News / Technology / Top Stories /

CNCF Brings Security to the Cloud Native Stack with Notary, TUF Adoption

24 Oct 2017 12:01am, by

The Cloud Native Computing Foundation continues to vigorously build its portfolio of open source cloud-native technologies. CNCF’s Technical Oversight Committee voted to accept both the Docker-developed Notary trusted content framework and the specification Notary was built on, TUF, as the 13th and 14th hosted projects, respectively.

The organizations announced the new members at the Open Source Summit Europe, being held this week in Prague.

Notary at a Glance

  • 865 GitHub stars
  • 156 forks
  • 45 contributors
  • 8 maintainers
  • 2600+ commits
  • 34 releases

Released by Docker in 2015, Notary manages the metadata needed to ensure the integrity of container image updates, even those on untrusted networks and linked to compromised registries. The software allows developers to sign applications at every step of development, blocking malicious content from being injected into the workflow.

Notary provides both a client and a pair of server applications to host signed metadata and signing duties. It is included in both the Docker Enterprise Edition and Community Edition and is a component of Docker’s Moby Project.

The interactions between the Notary client, server, and signer.

Huawei, Motorola Solutions, VMWare, LinuxKit, Quay, and Kubernetes also use Notary.

TUF at a Glance

  • 517 GitHub stars
  • 74 forks
  • 27+ contributors
  • 2700+ commits

Notary is based on The Update Framework (TUF) specification, a specification originally designed to secure software updates across distributed systems. TUF provides a design to keep resources secure even when cryptographic keys or servers are compromised. TUF predates the current popularity of containers and was originally developed for any form of software distribution.

The Kolide monitoring platform uses a TUF implementation to securely distribute osquery through an auto-updater.

TUF was originally written in 2009 by New York University Professor Justin Cappos and developed further by Cappos’s Secure Systems Lab at NYU’s Tandon School of Engineering.

Notary and TUF join the following CNCF projects Kubernetes, Prometheus, OpenTracing, Fluentd, linkerd, gRPC, CoreDNS, containerd, rkt, CNI, Envoy, and Jaeger.

The Cloud Native Computing Foundation is a sponsor of The New Stack.

Feature image via Pixabay.


A digest of the week’s most important stories & analyses.

View / Add Comments