This week, The Update Framework (TUF) graduated from the Cloud Native Computing Foundation’s (CNCF) project development process, joining the ranks of Kubernetes, Prometheus, Envoy, CoreDNS, containerd, Fluentd, Jaeger, and Vitess. While it was the ninth project to reach graduated status with the CNCF, it was the first security-focused project, as well as the first specification, to do so.
TUF is, as the name implies, a framework for handling software updates. It is designed to secure software update systems and to prevent attackers from injecting malicious software, or outdated and vulnerable versions, into updates.
“We designed TUF so that an organization does not need to be perfect in their operational security,” said TUF co-creator and “consensus builder” Justin Cappos, in a statement. “If a company accidentally makes a signing key public, has a hacker break into their software repository, or if a disgruntled employee goes rogue, the damage they can cause is limited. Defense in depth is key to security, and the security of the software update infrastructure is among the most critical concerns in practice.”
TUF was first built in 2009 and joined the CNCF in 2017, but Cappos says that, despite its technical maturity upon joining the CNCF, the project benefited from the process in many ways.
“We got a lot clearer about things like governance. The mechanisms behind a lot of those processes were clarified. We had already done a lot of this very early on, and we’ve tried to be very proactive in this area,” said Cappos in an interview with The New Stack.
At the same time, TUF presented some challenges for the CNCF graduation process, as it didn’t have access to the same usage statistics that a standard project would.
“We don’t fit into the normal mold of what a project is. Most people who use TUF are not people that have ever necessarily even talked to us or downloaded our code. When you have an implementation and people use your implementation, they give you bug reports and they talk to you about what’s happening and so on. Because we’re a specification, we’re a level removed from all that,” explained Cappos. “We have some blog posts that people wrote that talk about the fact that they’re using it, but where they’re using it and how they’re using it, we don’t really know.”
Even without easily accessible statistics, TUF can claim many big-name companies, such as Amazon, Microsoft, Google, Cloudflare, Datadog, DigitalOcean, Docker, IBM, Red Hat, and VMware, among its users. TUF also serves as the specification for Docker’s Notary, which is also a CNCF project, and for Uptane, a widely used automotive application of TUF. Cappos said that TUF gained this strong adoption over the years by being seen as a “common updater that’s open source, unencumbered, and free for everyone to use.”
Now, having met all the graduation criteria, TUF can add CNCF graduation to its list of accomplishments, which Cappos pointed out also includes the first silver CII Best Practices badge among CNCF projects.
“I’m really excited that TUF is the first security project to make it to this level of maturity. I think it shows that security is something that happens as technologies mature,” said Cappos. “It’s a great sign for the CNCF. We’re really happy to be a part of this process and we hope that more security projects will join us at this level.”
The Cloud Native Computing Foundation, Red Hat and VMware are sponsors of The New Stack.