TUF Community Meetings

Call information

First Friday of the month 10am ET (7am PT)
https://meet.google.com/jhk-cvuf-icd

March 7, 2025

Attendees

Marvin Drees
Justin Cappos
Christopher Gervais
Kairo De Araujo
Marina Moore

Agenda

TAP-21 update: Christopher will gather and share more data. Expects to connect with some folks from Packagist at an upcoming conference. No other work on TAP-21 is planned for the time-being, mostly due to lack of time to focus on it.
Discussion came up in go-tuf to handle HTTP 403 and 404 differently, currently behavior matches python-tuf but reporting them equally should be changed
- https://github.com/theupdateframework/go-tuf/issues/673
- Spec only says "if metadata is not available"
- A 403 should be an error and not be reported as "no new update"
- AI: Create PR on spec to have public discussion visible at least for future reference even if no change is done
- Verdict: Potentially create spec change but otherwise not too bad if implementations divert slightly

February 7, 2025

Attendees

Kairo de Araujo
Marina Moore
Marvin Drees
John Kjell
Jussi Kukkonen
Victor Lu
Justin Cappos

Agenda

Expand hash algorithms commonly supported in ecosystem?
- go-tuf feature request for blake2b support https://github.com/theupdateframework/go-tuf/issues/668
- Should "recommended hash algorithms" be documented somewhere (TAP?) or should we just add algorithms like blake2b to tuf-conformance test suite and wait for feedback/results?
- AI: Implement in go-tuf the same way it was done in python-tuf (make sure naming is matching to avoid confusion and make sure the different blake2b variants are properly seperated both in naming and usage)
caching root metadata on the client
- Spec curently says that any new cached root metadata should be considered the "trusted root metadata" in future. This is what most clients do: next client startup uses the cached root as the starting point
- Best case however would be to always start from the original "out-of-band updated" root since it may be more secure than cached roots (as it may be part of OS image or Debian package and not writable by the user or application like the cached roots are) but to still cache all root versions to avoid unnecessary downloads
- Should spec make this clear?
  - Ideally yes, PR welcome
- Does the python-tuf implementation seem reasonable (see PR description)?
- python-tuf issue https://github.com/theupdateframework/python-tuf/issues/1168
- python-tuf PR https://github.com/theupdateframework/python-tuf/pull/2767
RSTUF Security Audit ongoing

January 10, 2025 Meeting

Attendees

Justin Cappos (NYU)
Christopher Gervais (Consensus)
Dan Friedman (Consensus)
Kairo de Araujo (TestifySec)
Jussi Kukkonen (Google)
Derek Laventure (Consensus)

Agenda

General updates
TAP 21 questions / discussion
- We will have a follow on meeting next week
better specs / implementation notes on caching root metadata and using the cached root metadata in the client
- python-tuf issue https://github.com/theupdateframework/python-tuf/issues/1168

December 6, 2024 Meeting

Attendees

Justin Cappos (NYU)
Kairo de Araujo (TestifySec)
John Kjell (TestifySec)
Marina Moore (Edera)
Marvin Drees (9elements)
Trishank Karthik Kuppusamy (Datadog)
Aditya Sirish (NYU)
Victor Lu

Agenda

[Kairo] RSTUF Security Audit
- RSTUF issue
[Marina] KubeCon EU project opportunities
- maintainer summit
[Victor] K8s certification exam for TUF
- CKS is one of the specialist exams
- There is a section on supply chain security
- TUF and in-toto not part of it
- So Victor suggested that to k8s Security SIG
- Question came up about how TUF and in-toto are low-level protocols, so how do we test that?
- SBOMs are already part of exam
- Victor is interested to contribute
- Please reach out to Trishank on Slack
[Trishank] Drupal/Packagist/Composer
- DRAFT: TAP-21 - Scale-out Architecture for High-volume Repositories #189
[Justin] X.509 interactions w/ TUF in cases where you want the repo to tell you what package(s) to install

November 1, 2024 Meeting

Attendees

Marina Moore
Victor Lu
Dan Friedman (Consensus Enterprises)
Derek Laventure (Consensus Enterprises)
Christopher Gervais (Consensus Enterprises)
John Kjell

Agenda

scalability proposal
KubeCon project updates

October 4, 2024 Meeting

Attendees

Justin Cappos
Marvin Drees (9elements)
Jussi Kukkonen
Aditya Sirish A Yelgundhalli
James Carnegie (Docker)
John Kjell

Agenda

Conformance test update (Jussi)
- https://github.com/theupdateframework/tuf-conformance
- Consensus is that many adopters will need all TUF functionality so don't split out "mini-spec"
- Guidance for client implementers: "Test what you support"
go-tuf security fixes (one found via conformance test suite)
sigstore plans to drop using go-tuf and bring their own client
- go-tuf still maintains dependency on sigstore, unlikely to factor out required code to securesystemslib due to repository governance there
- UPDATE: sigstore/sigstore-go contains a wrapper client around go-tuf, so not dropping go-tuf completely but removing it from sigstore/sigstore as far as we can tell
Documentation update. Need reviewers!

September 6, 2024 Meeting

No Meeting

August 2, 2024 Meeting

Attendees

Justin Cappos
Marvin Drees (9elements)
John Kjell
Kairo de Araujo (TestifySec)

Agenda

Discussion go-tuf testing framework update
Discussion about TUF client proxying
- Remote proxying ends up meaning you trust the proxy and are reliant on what is likely TLS
- Could do local connection proxying, using the OS as a way to validate you're talking to the right party
  - Github tag version for packages is a good signal if the software is good
  - DNS, AS, etc. are also decent signals
SOSS EU Kairo will talk about RSTUF
RSTUF Updates
- New RSTUF release support offline signing with Sigstore
- Kairo is working in a feature (not in current Roadmap) that allows creating delegated Targets that uses offline singing (Sigstore for example) and specific paths, an alternative of using RSTUF with Bins (PEP 458 design)
- Kairo shared RSTUF is looking for contributors
PyPI PEP 458: Working in Progres has one PR still in review state, contribution on the review by Datadog

July 12, 2024 Meeting

Meeting date moved so it's not right after July 4th

Attendees

Marina Moore
Jussi Kukkonen
John Kjell (TestifySec)
Radoslav Dimitrov
Jonny Stoten
Adam Korczynski
Trishank Karthik Kuppusamy (Datadog)

Agenda

Introductions
- Adam (working with Jussi on conformance suite)
Project Updates
- (Jussi and Adam) tuf-conformance: https://github.com/theupdateframework/tuf-conformance
- Could have avoided some issues in Sigstore with basic conformance testing
- Efficiency multiplier that makes it available to all clients
- Call for action: client implementors should look at CLI usage to see if it works for them, too
- Works by checking client state (using a specified client interface to talk to the test suite)
- Great idea: testing repositories in the future
- Call for action: suggests new tests in the repo!
Demo: Docker Image Tag Freshness (Jonny Stoten & James Carnegie - Docker)
- Background: https://docs.google.com/document/d/1PoZpb8R-kK26MsEGWbSMofCBjbVTUcgTS2eahaqBME4/edit#heading=h.987zn8xcl6tm
KubeCon NA project opportunities (Marina)

June 7, 2024 Meeting

Attendees

Justin Cappos (NYU)
Kairo de Araujo (TestifySec)
Marina Moore (NYU)
John Kjell (TestifySec)
Ayush Gupta (Open Source Contributor)
Marvin Drees (9elements)
Trishank Karthik Kuppusamy (Datadog)

Agenda

Introductions
Project Updates
- documentation contributors – ~30-40 applications. Many solid students
- gittuf teams integration
- go-tuf now has MAINTAINERS/CODEOWNERS files for more/better review activity
- RSTUF now OpenSSF incubating level
Decide on go-tuf release schedule/pipeline?
- Take offline with Frederik and Radoslav
Update meeting link on CNCF calendar to match meeting minutes one

May 3, 2024 Meeting

Attendees

Justin Cappos (NYU)
Kairo de Araujo (TestifySec)
Aditya Sirish (NYU)
John Kjell (TestifySec)
Joel Kamp (Docker)
Matthias Glastra (Mendix)
Marvin Drees (9elements)

Agenda

Introductions
Project Updates
go-tuf project question
- Adding MAINTAINERS file to repo
- Planning new release as previous one is already quite far back
RSTUF project

April 5, 2024 Meeting

Attendees

Zach Steindler (GitHub; OpenSSF TAC)
Marvin Drees (9elements)
Aditya Sirish A Yelgundhalli
Daniel Krook
David Dooling
James Carnegie
Joel Kamp
John Kjell (TestifySec)
Jussi Kukkonen
Justin Cappos
Marina Moore
Noel Cortes
Victor Lu
Kairo De Araujo (TestifySec)
Radoslav Dimitrov (Stacklok)
Konstantinos Papadopoulos

Agenda

Introductions
Project Updates
- TUF-on-CI v0.9.0
- Python TUF v4.0.0
LFX insights
TAPs 8 and 20 (rotation and revocation)
TAP 16 (snapshot Merkle trees)
Questions about TUF at GitHub? https://github.com/github/roadmap/issues/943
Question about circular import go-tuf->sigstore->go-tuf->…

Mar 01, 2024 Meeting

Attendees

Marina Moore (NYU)
Marvin Drees (9elements)
James Carnegie (docker)
John Kjell (TestifySec)
Trishank Karthik Kuppusamy (Datadog)
Kairo de Araujo (TestifySec)
Victor Lu
David Dooling (Docker)
Justin Cappos (NYU)
Joel Kamp (Docker)

Agenda

Introductions
Project updates
- [Kairo] RSTUF updates for PyPI and RubyGems
  - https://github.com/pypi/warehouse/pull/15484
  - Lukas has been helping a lot with refactoring
KubeCon EU
- kiosk
- talks
[Victor] What is TUF?
- How does it relate to in-toto or gittuf?
- We really should write a blog post about this subject
- https://ssl.engineering.nyu.edu/blog/2021-07-26-signature-verification
TAP 8 discussion
Role name in signatures discussion (likely minor change for TUF 2.0)
TAP 19 status

Feb 2, 2024 Meeting

Agenda

Introductions
Project updates
- go-tuf v2 is out! [Marina, Radoslav, Fredrik]
- TAF [Justin]
  - Surviving companies and even governments tampering with the history of the law
  - Still in whiteboard stage, but reach out to Justin if interested
- RS-TUF [John, Kairo]
  - Being adopted by PyPI and RubyGems!
  - Integrating with Archivista (demo at Kubecon EU and community call)
SWUpdate [Toshiba]
- Currently we are using SWUPdate to update the SW of our embedded devices.
- There are security issues that SWUpdate alone cannot prevent. -> So we are considering using TUF.
- We are creating a server to manage the metadata using python-tuf / FastAPI. -> TUF was flexible and easy to use.
- Qs:
  - However, if there is a good OSS repository for managing metadata, we would like to consider using and contributing to it.
    - We was considering Notary, but it uses OCI instead of TUF in v2. For example, RSTUF?
  - Since this is not a case of a package or library, should we consider using Uptane instead of TUF itself?
Talk on TUF / comparison with Notary given in Notary Community meeting: https://www.youtube.com/watch?v=IevD00hDChg
Should we occasionally have this meeting on another day of the week?

Attendees

Marina Moore (NYU)
Justin Cappos (NYU)
John Kjell (TestifySec)
Trishank Karthik Kuppusamy (Datadog)
James Carnegie (Docker)
David Dooling (Docker)
Dinesh Mishra (Toshiba)
Shivanand Kunijadar (Toshiba)
Radoslav Dimitrov (Stacklok)
Kazuhiro Hayashi (Toshiba)
[Onuki Koshiro] (Toshiba)

Jan 12, 2024 Meeting

Attendees

Marina Moore (NYU)
Justin Cappos (NYU)
John Kjell (TestifySec)
Kairo De Araujo (TestifySec)
Marcos Paulo Caetano
Trishank Karthik Kuppusamy (Datadog)
Aditya Sirish (NYU)

Agenda

Introductions
Project updates
- [Kairo] TUFie
  - What is that?
  - What problem it solves? (real case)
- RSTUF
  - Rubgems about to deploy to staging
  - Trishank to coordinate Rust/Crates/OSSF SSR WG
  - Alpha-Omega announced that they are willing to sponsor projects: we just need to apply
[John] go-securesystemslib work for in-toto-golang consolidation effort
KubeCon EU
- Talk about a joint booth for TUF and in-toto
- Someone (ideally attending) just has to talk to CNCF about it

Previous meeting notes

https://hackmd.io/RYTuHyj3SB6uzVF5-Qj00A# TUF Community Meetings

Call information

First Friday of the month 10am ET (7am PT)
https://meet.google.com/tng-zdus-yhn?authuser=0

October 4, 2024 Meeting

Attendees

Justin Cappos
Marvin Drees (9elements)
Jussi Kukkonen
Aditya Sirish A Yelgundhalli
James Carnegie (Docker)
John Kjell

Agenda

Conformance test update (Jussi)
- https://github.com/theupdateframework/tuf-conformance
- Consensus is that many adopters will need all TUF functionality so don't split out "mini-spec"
- Guidance for client implementers: "Test what you support"
go-tuf security fixes (one found via conformance test suite)
sigstore plans to drop using go-tuf and bring their own client
- go-tuf still maintains dependency on sigstore, unlikely to factor out required code to securesystemslib due to repository governance there
- UPDATE: sigstore/sigstore-go contains a wrapper client around go-tuf, so not dropping go-tuf completely but removing it from sigstore/sigstore as far as we can tell
Documentation update. Need reviewers!

September 6, 2024 Meeting

No Meeting

August 2, 2024 Meeting

Attendees

Justin Cappos
Marvin Drees (9elements)
John Kjell
Kairo de Araujo (TestifySec)

Agenda

Discussion go-tuf testing framework update
Discussion about TUF client proxying
- Remote proxying ends up meaning you trust the proxy and are reliant on what is likely TLS
- Could do local connection proxying, using the OS as a way to validate you're talking to the right party
  - Github tag version for packages is a good signal if the software is good
  - DNS, AS, etc. are also decent signals
SOSS EU Kairo will talk about RSTUF
RSTUF Updates
- New RSTUF release support offline signing with Sigstore
- Kairo is working in a feature (not in current Roadmap) that allows creating delegated Targets that uses offline singing (Sigstore for example) and specific paths, an alternative of using RSTUF with Bins (PEP 458 design)
- Kairo shared RSTUF is looking for contributors
PyPI PEP 458: Working in Progres has one PR still in review state, contribution on the review by Datadog

July 12, 2024 Meeting

Meeting date moved so it's not right after July 4th

Attendees

Marina Moore
Jussi Kukkonen
John Kjell (TestifySec)
Radoslav Dimitrov
Jonny Stoten
Adam Korczynski
Trishank Karthik Kuppusamy (Datadog)

Agenda

Introductions
- Adam (working with Jussi on conformance suite)
Project Updates
- (Jussi and Adam) tuf-conformance: https://github.com/theupdateframework/tuf-conformance
- Could have avoided some issues in Sigstore with basic conformance testing
- Efficiency multiplier that makes it available to all clients
- Call for action: client implementors should look at CLI usage to see if it works for them, too
- Works by checking client state (using a specified client interface to talk to the test suite)
- Great idea: testing repositories in the future
- Call for action: suggests new tests in the repo!
Demo: Docker Image Tag Freshness (Jonny Stoten & James Carnegie - Docker)
- Background: https://docs.google.com/document/d/1PoZpb8R-kK26MsEGWbSMofCBjbVTUcgTS2eahaqBME4/edit#heading=h.987zn8xcl6tm
KubeCon NA project opportunities (Marina)

June 7, 2024 Meeting

Attendees

Justin Cappos (NYU)
Kairo de Araujo (TestifySec)
Marina Moore (NYU)
John Kjell (TestifySec)
Ayush Gupta (Open Source Contributor)
Marvin Drees (9elements)
Trishank Karthik Kuppusamy (Datadog)

Agenda

Introductions
Project Updates
- documentation contributors – ~30-40 applications. Many solid students
- gittuf teams integration
- go-tuf now has MAINTAINERS/CODEOWNERS files for more/better review activity
- RSTUF now OpenSSF incubating level
Decide on go-tuf release schedule/pipeline?
- Take offline with Frederik and Radoslav
Update meeting link on CNCF calendar to match meeting minutes one

May 3, 2024 Meeting

Attendees

Justin Cappos (NYU)
Kairo de Araujo (TestifySec)
Aditya Sirish (NYU)
John Kjell (TestifySec)
Joel Kamp (Docker)
Matthias Glastra (Mendix)
Marvin Drees (9elements)

Agenda

Introductions
Project Updates
go-tuf project question
- Adding MAINTAINERS file to repo
- Planning new release as previous one is already quite far back
RSTUF project

April 5, 2024 Meeting

Attendees

Zach Steindler (GitHub; OpenSSF TAC)
Marvin Drees (9elements)
Aditya Sirish A Yelgundhalli
Daniel Krook
David Dooling
James Carnegie
Joel Kamp
John Kjell (TestifySec)
Jussi Kukkonen
Justin Cappos
Marina Moore
Noel Cortes
Victor Lu
Kairo De Araujo (TestifySec)
Radoslav Dimitrov (Stacklok)
Konstantinos Papadopoulos

Agenda

Introductions
Project Updates
- TUF-on-CI v0.9.0
- Python TUF v4.0.0
LFX insights
TAPs 8 and 20 (rotation and revocation)
TAP 16 (snapshot Merkle trees)
Questions about TUF at GitHub? https://github.com/github/roadmap/issues/943
Question about circular import go-tuf->sigstore->go-tuf->…

Mar 01, 2024 Meeting

Attendees

Marina Moore (NYU)
Marvin Drees (9elements)
James Carnegie (docker)
John Kjell (TestifySec)
Trishank Karthik Kuppusamy (Datadog)
Kairo de Araujo (TestifySec)
Victor Lu
David Dooling (Docker)
Justin Cappos (NYU)
Joel Kamp (Docker)

Agenda

Introductions
Project updates
- [Kairo] RSTUF updates for PyPI and RubyGems
  - https://github.com/pypi/warehouse/pull/15484
  - Lukas has been helping a lot with refactoring
KubeCon EU
- kiosk
- talks
[Victor] What is TUF?
- How does it relate to in-toto or gittuf?
- We really should write a blog post about this subject
- https://ssl.engineering.nyu.edu/blog/2021-07-26-signature-verification
TAP 8 discussion
Role name in signatures discussion (likely minor change for TUF 2.0)
TAP 19 status

Feb 2, 2024 Meeting

Agenda

Introductions
Project updates
- go-tuf v2 is out! [Marina, Radoslav, Fredrik]
- TAF [Justin]
  - Surviving companies and even governments tampering with the history of the law
  - Still in whiteboard stage, but reach out to Justin if interested
- RS-TUF [John, Kairo]
  - Being adopted by PyPI and RubyGems!
  - Integrating with Archivista (demo at Kubecon EU and community call)
SWUpdate [Toshiba]
- Currently we are using SWUPdate to update the SW of our embedded devices.
- There are security issues that SWUpdate alone cannot prevent. -> So we are considering using TUF.
- We are creating a server to manage the metadata using python-tuf / FastAPI. -> TUF was flexible and easy to use.
- Qs:
  - However, if there is a good OSS repository for managing metadata, we would like to consider using and contributing to it.
    - We was considering Notary, but it uses OCI instead of TUF in v2. For example, RSTUF?
  - Since this is not a case of a package or library, should we consider using Uptane instead of TUF itself?
Talk on TUF / comparison with Notary given in Notary Community meeting: https://www.youtube.com/watch?v=IevD00hDChg
Should we occasionally have this meeting on another day of the week?

Attendees

Marina Moore (NYU)
Justin Cappos (NYU)
John Kjell (TestifySec)
Trishank Karthik Kuppusamy (Datadog)
James Carnegie (Docker)
David Dooling (Docker)
Dinesh Mishra (Toshiba)
Shivanand Kunijadar (Toshiba)
Radoslav Dimitrov (Stacklok)
Kazuhiro Hayashi (Toshiba)
[Onuki Koshiro] (Toshiba)

Jan 12, 2024 Meeting

Attendees

Marina Moore (NYU)
Justin Cappos (NYU)
John Kjell (TestifySec)
Kairo De Araujo (TestifySec)
Marcos Paulo Caetano
Trishank Karthik Kuppusamy (Datadog)
Aditya Sirish (NYU)

Agenda

Introductions
Project updates
- [Kairo] TUFie
  - What is that?
  - What problem it solves? (real case)
- RSTUF
  - Rubgems about to deploy to staging
  - Trishank to coordinate Rust/Crates/OSSF SSR WG
  - Alpha-Omega announced that they are willing to sponsor projects: we just need to apply
[John] go-securesystemslib work for in-toto-golang consolidation effort
KubeCon EU
- Talk about a joint booth for TUF and in-toto
- Someone (ideally attending) just has to talk to CNCF about it

Previous meeting notes

https://hackmd.io/RYTuHyj3SB6uzVF5-Qj00A

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.