mnm678
# TUF Community Meetings

## Call information
* First Friday of the month 10am ET (7am PT)
* https://meet.google.com/jhk-cvuf-icd

## Sept 5, 2025
### Attendees
* Justin Cappos [NYU]
* Kairo De Araujo [Eclipse Foundation]
* Trishank Karthik Kuppusamy [Datadog]
* Srinjoy Dutta
* James Carnegie [Datadog]
* Mark Bestavros [Datadog]
* Camila Vilarinho
* Om Biradar

### Agenda
* Intros/welcome
    - James
    - Mark
    - Srinjoy
* RSTUF v1.0.0
    - OpenSSF Mentorship Summer 2025
    - v1.1.0
* Srinjoy presented his work on custom delegations
* Children's book
    - Meeting at 2pm ET
* DSSE / TAP 17
    - Also seeking new contributors to help!
* Transparency messaging
    - How to use transparency logs with TUF
    - [Prior art](https://ssl.engineering.nyu.edu/blog/2020-02-03-transparent-logs)
    - Seeking more to add to website, spec, TAP, etc
* Om presented his work on monitoring RSTUF performance
* Camila presented her work on improving the RSTUF developer experience
* Srinjoy Q about how to optimise maintaining a large number (tens of thousands) of bins
    - Stagger expiration times
    - Concurrently process tasks
    - What about empty bins?
    - Maybe an adaptive number of bins over time?

## August 1, 2025
### Attendees
* Justin Cappos
* Marina Moore
* James Carnegie

### Agenda
* Should we improve our messaging around transparency logs?
* Do we want to have a transparency log TAP?
* Could we do a better TL solution and make it available to the community at PyPI, Sigstore, etc.?
* TAF is gaining adoption! Maryland is ready for production
* It would be good to have more securesystemslib and DSSE maintainers

## April 4, 2025
No meeting due to KubeCon/CloudNativeCon Europe

## March 7, 2025
### Attendees
* Marvin Drees
* Justin Cappos
* Christopher Gervais
* Kairo De Araujo
* Marina Moore

### Agenda
* TAP-21 update: Christopher will gather and share more data. Expects to connect with some folks from Packagist at an upcoming conference.
  No other work on TAP-21 is planned for the time being, mostly due to lack of time to focus on it.
* Discussion came up in go-tuf to handle HTTP 403 and 404 differently, current behavior matches python-tuf but reporting them equally should be changed
    * https://github.com/theupdateframework/go-tuf/issues/673
    * Spec only says "if metadata is not available"
    * A 403 should be an error and not be reported as "no new update"
    * **AI**: Create PR on spec to have public discussion visible at least for future reference even if no change is done
    * Verdict: Potentially create spec change but otherwise not too bad if implementations diverge slightly

## February 7, 2025
### Attendees
* Kairo de Araujo
* Marina Moore
* Marvin Drees
* John Kjell
* Jussi Kukkonen
* Victor Lu
* Justin Cappos

### Agenda
* Expand hash algorithms commonly supported in ecosystem?
    * go-tuf feature request for blake2b support https://github.com/theupdateframework/go-tuf/issues/668
    * Should "recommended hash algorithms" be documented somewhere (TAP?) or should we just add algorithms like blake2b to tuf-conformance test suite and wait for feedback/results?
    * **AI**: Implement in go-tuf the same way it was done in python-tuf (make sure naming is matching to avoid confusion and make sure the different blake2b variants are properly separated both in naming and usage)
* caching root metadata on the client
    * Spec currently says that any new cached root metadata should be considered the "trusted root metadata" in future. This is what most clients do: next client startup uses the cached root as the starting point
    * Best case however would be to always start from the original "out-of-band updated" root since it may be more secure than cached roots (as it may be part of OS image or Debian package and not writable by the user or application like the cached roots are) but to still cache all root versions to avoid unnecessary downloads
    * Should spec make this clear?
        * Ideally yes, PR welcome
    * Does the python-tuf implementation seem reasonable (see PR description)?
        * python-tuf issue https://github.com/theupdateframework/python-tuf/issues/1168
        * python-tuf PR https://github.com/theupdateframework/python-tuf/pull/2767
* RSTUF Security Audit ongoing

## January 10, 2025 Meeting
### Attendees
* Justin Cappos (NYU)
* Christopher Gervais (Consensus)
* Dan Friedman (Consensus)
* Kairo de Araujo (TestifySec)
* Jussi Kukkonen (Google)
* Derek Laventure (Consensus)

### Agenda
* General updates
* TAP 21 questions / discussion
    * We will have a follow on meeting next week
* better specs / implementation notes on caching root metadata and using the cached root metadata in the client
    * python-tuf issue https://github.com/theupdateframework/python-tuf/issues/1168

## December 6, 2024 Meeting
### Attendees
* Justin Cappos (NYU)
* Kairo de Araujo (TestifySec)
* John Kjell (TestifySec)
* Marina Moore (Edera)
* Marvin Drees (9elements)
* Trishank Karthik Kuppusamy (Datadog)
* Aditya Sirish (NYU)
* Victor Lu

### Agenda
* [Kairo] RSTUF Security Audit
    * [RSTUF issue](https://github.com/repository-service-tuf/repository-service-tuf/issues/833)
* [Marina] [KubeCon EU project opportunities](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/features-add-ons/project-opportunities/#description-of-opportunities)
    * [maintainer summit](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/features-add-ons/maintainer-summit/)
* [Victor] K8s certification exam for TUF
    * CKS is one of the specialist exams
    * There is a section on supply chain security
    * TUF and in-toto not part of it
    * So Victor suggested that to k8s Security SIG
    * Question came up about how TUF and in-toto are low-level protocols, so how do we test that?
    * SBOMs are already part of exam
    * Victor is interested to contribute
    * Please reach out to Trishank on Slack
* [Trishank] Drupal/Packagist/Composer
    * [DRAFT: TAP-21 - Scale-out Architecture for High-volume Repositories #189](https://github.com/theupdateframework/taps/pull/189)
* [Justin] X.509 interactions w/ TUF in cases where you want the repo to tell you what package(s) to install

## November 1, 2024 Meeting
### Attendees
* Marina Moore
* Victor Lu
* Dan Friedman (Consensus Enterprises)
* Derek Laventure (Consensus Enterprises)
* Christopher Gervais (Consensus Enterprises)
* John Kjell

### Agenda
* [scalability proposal](https://github.com/theupdateframework/specification/issues/309)
* KubeCon project updates

## October 4, 2024 Meeting
### Attendees
* Justin Cappos
* Marvin Drees (9elements)
* Jussi Kukkonen
* Aditya Sirish A Yelgundhalli
* James Carnegie (Docker)
* John Kjell

### Agenda
* Conformance test update (Jussi)
    * https://github.com/theupdateframework/tuf-conformance
    * Consensus is that many adopters will need all TUF functionality so don't split out "mini-spec"
    * Guidance for client implementers: "Test what you support"
* go-tuf security fixes (one found via conformance test suite)
* sigstore plans to drop using go-tuf and bring their own client
    * go-tuf still maintains dependency on sigstore, unlikely to factor out required code to securesystemslib due to repository governance there
    * UPDATE: sigstore/sigstore-go contains a wrapper client around go-tuf, so not dropping go-tuf completely but removing it from sigstore/sigstore as far as we can tell
* Documentation update. Need reviewers!

## September 6, 2024 Meeting
* No Meeting

## August 2, 2024 Meeting
### Attendees
* Justin Cappos
* Marvin Drees (9elements)
* John Kjell
* Kairo de Araujo (TestifySec)

### Agenda
* Discussion go-tuf testing framework update
* Discussion about TUF client proxying
    * Remote proxying ends up meaning you trust the proxy and are reliant on what is likely TLS
    * Could do local connection proxying, using the OS as a way to validate you're talking to the right party
    * GitHub tag version for packages is a good signal if the software is good
    * DNS, AS, etc. are also decent signals
* SOSS EU Kairo will talk about RSTUF
* RSTUF Updates
    * New RSTUF release supports offline signing with Sigstore
    * Kairo is working on a feature (not in current Roadmap) that allows creating delegated Targets that use offline signing (Sigstore for example) and specific paths, an alternative to using RSTUF with Bins (PEP 458 design)
    * Kairo shared RSTUF is looking for contributors
* PyPI PEP 458: Work in progress has one PR still in review state, contribution on the review by Datadog

## July 12, 2024 Meeting
Meeting date moved so it's not right after July 4th

### Attendees
* Marina Moore
* Jussi Kukkonen
* John Kjell (TestifySec)
* Radoslav Dimitrov
* Jonny Stoten
* Adam Korczynski
* Trishank Karthik Kuppusamy (Datadog)

### Agenda
* Introductions
    * Adam (working with Jussi on conformance suite)
* Project Updates
    * (Jussi and Adam) tuf-conformance: https://github.com/theupdateframework/tuf-conformance
        * Could have avoided some issues in Sigstore with basic conformance testing
        * Efficiency multiplier that makes it available to all clients
        * **Call for action:** client implementors should look at CLI usage to see if it works for them, too
        * Works by checking client state (using a specified client interface to talk to the test suite)
        * Great idea: testing *repositories* in the future
        * **Call for action:** suggest new tests in the repo!
    * Demo: Docker Image Tag Freshness (Jonny Stoten & James Carnegie - Docker)
        * Background: https://docs.google.com/document/d/1PoZpb8R-kK26MsEGWbSMofCBjbVTUcgTS2eahaqBME4/edit#heading=h.987zn8xcl6tm
    * KubeCon NA project opportunities (Marina)

## June 7, 2024 Meeting
### Attendees
* Justin Cappos (NYU)
* Kairo de Araujo (TestifySec)
* Marina Moore (NYU)
* John Kjell (TestifySec)
* Ayush Gupta (Open Source Contributor)
* Marvin Drees (9elements)
* Trishank Karthik Kuppusamy (Datadog)

### Agenda
* Introductions
* Project Updates
    * documentation contributors -- ~30-40 applications. Many solid students
    * gittuf teams integration
    * go-tuf now has MAINTAINERS/CODEOWNERS files for more/better review activity
    * RSTUF now OpenSSF incubating level
* Decide on go-tuf release schedule/pipeline?
    * Take offline with Frederik and Radoslav
* Update meeting link on CNCF calendar to match meeting minutes one

## May 3, 2024 Meeting
### Attendees
* Justin Cappos (NYU)
* Kairo de Araujo (TestifySec)
* Aditya Sirish (NYU)
* John Kjell (TestifySec)
* Joel Kamp (Docker)
* Matthias Glastra (Mendix)
* Marvin Drees (9elements)

### Agenda
* Introductions
* Project Updates
    * go-tuf project question
        * Adding MAINTAINERS file to repo
        * Planning new release as previous one is already quite far back
    * RSTUF project

## April 5, 2024 Meeting
### Attendees
* Zach Steindler (GitHub; OpenSSF TAC)
* Marvin Drees (9elements)
* Aditya Sirish A Yelgundhalli
* Daniel Krook
* David Dooling
* James Carnegie
* Joel Kamp
* John Kjell (TestifySec)
* Jussi Kukkonen
* Justin Cappos
* Marina Moore
* Noel Cortes
* Victor Lu
* Kairo De Araujo (TestifySec)
* Radoslav Dimitrov (Stacklok)
* Konstantinos Papadopoulos

### Agenda
* Introductions
* Project Updates
    * TUF-on-CI v0.9.0
    * Python TUF v4.0.0
    * LFX insights
* TAPs 8 and 20 (rotation and revocation)
* TAP 16 (snapshot Merkle trees)
* Questions about TUF at GitHub?
  https://github.com/github/roadmap/issues/943
* Question about circular import go-tuf->sigstore->go-tuf->...

## Mar 01, 2024 Meeting
### Attendees
* Marina Moore (NYU)
* Marvin Drees (9elements)
* James Carnegie (docker)
* John Kjell (TestifySec)
* Trishank Karthik Kuppusamy (Datadog)
* Kairo de Araujo (TestifySec)
* Victor Lu
* David Dooling (Docker)
* Justin Cappos (NYU)
* Joel Kamp (Docker)

### Agenda
* Introductions
* Project updates
    * [Kairo] RSTUF updates for PyPI and RubyGems
        * https://github.com/pypi/warehouse/pull/15484
        * Lukas has been helping a lot with refactoring
    * KubeCon EU
        * [kiosk](https://docs.google.com/spreadsheets/d/1e7Z8Qtva7Pl2tMc8gdbQhJCCLm_thFXrsRTG4Iu452A/edit#gid=0)
        * talks
* [Victor] What is TUF?
    * How does it relate to in-toto or gittuf?
    * We really should write a blog post about this subject
    * https://ssl.engineering.nyu.edu/blog/2021-07-26-signature-verification
* TAP 8 discussion
    * Role name in signatures discussion (likely minor change for TUF 2.0)
* TAP 19 status

## Feb 2, 2024 Meeting
### Agenda
* Introductions
* Project updates
    * go-tuf v2 is out! [Marina, Radoslav, Fredrik]
    * TAF [Justin]
        * Surviving companies and even governments tampering with the history of the law
        * Still in whiteboard stage, but reach out to Justin if interested
    * RS-TUF [John, Kairo]
        * Being adopted by PyPI and RubyGems!
        * Integrating with Archivista (demo at KubeCon EU and community call)
    * SWUpdate [Toshiba]
        * Currently we are using SWUpdate to update the SW of our embedded devices.
        * There are security issues that SWUpdate alone cannot prevent. -> So we are considering using TUF.
        * We are creating a server to manage the metadata using python-tuf / FastAPI. -> TUF was flexible and easy to use.
        * Qs:
            * However, if there is a good OSS repository for managing metadata, we would like to consider using and contributing to it.
            * We were considering Notary, but it uses OCI instead of TUF in v2. For example, RSTUF?
            * Since this is not a case of a package or library, should we consider using Uptane instead of TUF itself?
* Talk on TUF / comparison with Notary given in Notary Community meeting: https://www.youtube.com/watch?v=IevD00hDChg
* Should we occasionally have this meeting on another day of the week?

### Attendees
* Marina Moore (NYU)
* Justin Cappos (NYU)
* John Kjell (TestifySec)
* Trishank Karthik Kuppusamy (Datadog)
* James Carnegie (Docker)
* David Dooling (Docker)
* Dinesh Mishra (Toshiba)
* Shivanand Kunijadar (Toshiba)
* Radoslav Dimitrov (Stacklok)
* Kazuhiro Hayashi (Toshiba)
* [Onuki Koshiro] (Toshiba)

## Jan 12, 2024 Meeting
### Attendees
* Marina Moore (NYU)
* Justin Cappos (NYU)
* John Kjell (TestifySec)
* Kairo De Araujo (TestifySec)
* Marcos Paulo Caetano
* Trishank Karthik Kuppusamy (Datadog)
* Aditya Sirish (NYU)

### Agenda
* Introductions
* Project updates
    * [Kairo] [TUFie](https://github.com/repository-service-tuf/repository-service-tuf-worker/pull/437)
        * What is that?
        * What problem it solves?
          (real case)
    * RSTUF
        * RubyGems about to deploy to staging
    * Trishank to coordinate Rust/Crates/OSSF SSR WG
    * Alpha-Omega announced that they are willing to sponsor projects: we just need to apply
    * [John] go-securesystemslib work for in-toto-golang consolidation effort
* KubeCon EU
    * Talk about a joint booth for TUF and in-toto
    * Someone (ideally attending) just has to talk to CNCF about it

## Previous meeting notes
https://hackmd.io/RYTuHyj3SB6uzVF5-Qj00A
