# RSTUF Community Meetings
## Call info
When: Every first Wednesday 15:00 UTC (07:00 PT | 10:00 EST | 16:00 CET)
Where: https://zoom-lfx.platform.linuxfoundation.org/meeting/94766759441?password=b88b6899-345c-46c2-8d5c-31cf8ad171bc
## September 3 2025 Meeting
### :wave: Attendees
* Kairo de Araujo (Eclipse Foundation)
* Srinjoy Dutta
### :dart: Agenda
* RSTUF v1.0.0 is out!
* Mentorship Summer 2025 presentation
* RSTUF v1.1.0 roadmap planning
* Hashed bin support on Custom Delegation
### :open_book: Notes
## May 7 2025 Meeting
### :wave: Attendees
* Kairo de Araujo
* Manit Singh
* Trishank Karthik Kuppusamy
* Swastik Gour
* Camila Vilarinho
### :dart: Agenda
* Introductions
    * Manit (2nd yr student with OSS experience)
    * Swastik (CNCF Ambassador)
    * Camila (going from engineering to security, here for OSS)
    * All applied for mentorship :raised_hands:
* KubeCon EU 2025 talks
    * Marina (Edera) and Kairo talked about TUF and how to use RSTUF to secure containers
    * John (Control Plane) and Kairo talked about signing identities with RSTUF
    * Kairo will share links to talks after meeting
        * Mentees are advised to watch them for more information
    * Audience was nice and engaged
    * Helm Chart folks are also interested
* RSTUF OpenSSF Mentorship Summer 2025
    * [gittuf](https://gittuf.dev/) also a member program
        * If interested in TUF, it's another cool, adjacent project
    * Walk through the three main [projects](https://mentorship.lfx.linuxfoundation.org/project/310e66d9-34db-41f6-8450-a29bf748a99b)
        * Custom delegations
            * Enterprise or large repo use case
        * Hashed bin delegations
            * Large repo use case
        * Performance optimizations
            * Updating thousands of hashed bin delegations at the same time
        * Improving developer experience
            * Everyone involved will be doing this
            * Usually missing docs or some small features
            * Focus here is functional tests to keep RSTUF consistent despite changes
        * How to make adoption easier
            * We have enough docs but we want to make them clearer and more accessible to new adopters
    * Questions
        * Are all three projects under a single mentorship?
            * Mentees can choose what they want to work on
            * Each project overlaps a bit with the others
        * Should mentees make proposals project-centric?
            * Not required to do all three
            * Can choose just one
            * Recommended to at least mention how to touch all three though
        * Any hard limit on number of mentees?
            * Can choose up to three (which is nice)!
        * Question about cover letter
            * Ask the mentorship channel in OSSF
            * Partial answer is their focus is more on code snippets
        * Optimization: can we replace some ops with patterns like upsert in upstream cloud services?
            * How to write tens of thousands of JSON files at the same time atomically in a transaction
                * Because the snapshot could block on it
                * (Correction: we no longer need to read JSON just to figure out what is already there)
            * Interesting problem and can enjoy looking at different solutions
        * Do we need to be cloud-agnostic?
            * Right now, yes, we are
            * If a solution is vendor-locked, we need to discuss with TAC members
* RSTUF 1.0.0 RC is out :tada:
    * Release mainly for workers and API
        * API is how users interact with RSTUF to manage everything
        * Can also use CLI which talks to the API anyway
            * But some ops still require talking directly to API
        * API encapsulates knowledge about TUF in RSTUF
    * Released first 1.0 beta for CLI
        * CLI was initially thought not necessary for a reference implementation
        * But it has since turned out to be useful for demos and teaching
        * Once CLI reached enough functionality, we were happy to release v1
## April 9 2025 Meeting
### :wave: Attendees
* Kairo de Araujo
* Martin Vrachev
### :dart: Agenda
* Introductions
* KubeCon EU 2025 talks
* RSTUF and YAMLScript (https://yamlscript.org/)
* RSTUF and Helm 4
* RSTUF OpenSSF Mentorship Summer 2025
* RSTUF 1.0.0
### :open_book: Notes
## April 4 and 9 2025 Meeting
**Canceled**
KubeCon EU 2025
## March 5 2025 Meeting
### :wave: Attendees
* Kairo de Araujo
* Michał Ciepły (Solarwinds)
* Trishank K Kuppusamy (Datadog)
### :dart: Agenda
* Introductions
* RSTUF Audit report
* RSTUF 1.0.0 -- Planning
* Volunteers for RSTUF OpenSSF baseline?
* KubeCon EU 2025
### :open_book: Notes
* Introductions
    * Michał wants to try RSTUF to make it easier to manage TUF deployments
        * Must support AWS KMS
            * There is an RSTUF issue to support more cloud KMS, too
            * There is currently RSTUF support for YubiKeys
            * Trishank to work on exposing securesystemslib.signer support to RSTUF
        * Michał wants both AWS KMS and YubiKeys
    * Michał explored both tuf-on-ci and RSTUF, and found RSTUF to fit his use case better
        * Need scalability with S3 buckets, not GitHub repositories
* RSTUF Audit report
    * X41 D-Sec audited thanks to OSTIF
    * Summary of report is quite good
        * No critical severity findings
    * Kairo will file issues for all findings
    * Issues
        * Outdated Jinja
        * Outdated Docker Containers
            * Kairo doesn't fully agree
                * Containers were for development, not deployment
            * Update docs to clarify this
        * Docker Hardening
            * Docker Compose is primarily for dev, not deploy
            * Again, clarify docs to distinguish the two
        * Outdated Documentation
        * Incorrect CSV Parsing
            * Use a better lib
        * Setup Issue on Linux OS
            * Again, docs
        * No Task Time Limit
            * Nice, easy improvement
        * SSL Not Enabled for Broker
        * RSTUF Ceremony Requests a Password for Unencrypted Keys and Crashes on Input
            * Trishank to work on improvement
        * Missing Network Segmentation for Docker Example Setup
            * Kairo made dev as easy as possible
            * But we will harden it
            * Kairo also wants to remove the Docker Compose and k8s deployment docs
                * Focus only on Helm charts going forward
        * Missing Update Mechanism in Example Deployments
        * Processes Run as Privileged User
            * We might adopt Chainguard Images to make safe-by-default easier
        * Internal Server Error on localstack
* RSTUF 1.0.0 -- Planning
    * We don't have blockers that prevent us from releasing v1.0
        * Can do continual/iterative improvements
        * Even refactoring can depend on functional testing
    * What do users think?
        * YubiKeys not yet a blocker
        * Security audit makes it easier to sell to mgmt
        * Fine for use right now
    * Kairo will do any auto DB migrations *after* v1.0.0
        * Any changes to DB schema *before* v1.0.0?
            * Today, it will be a breaking change
            * Kairo will communicate early
    * File an issue to note and warn about not yet optimising for sufficiently large numbers of hashed bins (>2^12)
        * Users should just choose one size larger for futureproofing
        * Users can refer to PEP 458 for [metadata scalability](https://peps.python.org/pep-0458/#metadata-scalability)
* Volunteers for RSTUF [OpenSSF baseline](https://baseline.openssf.org/)?
    * Need a volunteer or two to help with looking at RSTUF baseline
        * Filing issues and closing any gaps
* KubeCon EU 2025
    * Two talks will mention RSTUF (and TUF in general)
        * Kairo will be talking with Marina
            * Will generalise RSTUF to not just packages but also in-toto attestations, SBOMs (which may be either also attestations, or separate document formats altogether), and so on
        * Second talk from John (TestifySec) for signing with Sigstore, but also PKI management with RSTUF
        * Two different audiences
## February 5 2025 Meeting
### :wave: Attendees
* Kairo de Araujo (TestifySec)
* Trishank Karthik Kuppusamy (Datadog)
### :dart: Agenda
### :open_book: Notes
* Introduction
* [Kairo] RSTUF audit
    * Kairo spending a lot of time with the auditors (https://x41-dsec.de) and OSTIF
* Robusto
    * Bootstrapping TUF root metadata for PyPI
    * Mirroring PyPI on a periodic schedule
## December 4 2024 Meeting
### :dart: Agenda
* Introduction
* Welcome new members
* General RSTUF Project Updates
### :wave: Attendees
* Kairo de Araujo (TestifySec)
* Trishank Karthik Kuppusamy (Datadog)
* Amir Montazery (OSTIF)
### :open_book: Notes
* Intros
    * Amir
* Agenda
    * OSTIF
        * Helps to organise the security audit process between OSS projects and security companies
        * Aiming for **Q1 2025**
        * Looking at a company with experience auditing go-tuf and python-tuf
            * Essentially ready to go
            * Working on their scheduling, too
            * Can start as early as Feb
            * Just need approval from community
        * An audit period where they are solely focused
            * Kick-off call (an hour)
            * Walkthrough for technical onboarding
                * Like welcoming a new maintainer
            * A Slack channel for communications (5 hours estimated max burden)
            * Readout call
            * Admin stuff in the background (typically no time from community)
        * Guide auditors for priorities on what to review
    * CVEs
        * [Denial of service (DoS) via deformation `multipart/form-data` boundary](https://github.com/advisories/GHSA-59g5-xgcq-4qw3/dependabot)
            * Fix coming out soon, if not already
    * New features
        * [Trishank] [feat(cli.admin.helpers): users can now interactively select keys on disk](https://github.com/repository-service-tuf/repository-service-tuf-cli/pull/712)
        * [Kairo] Scaling RSTUF for large number of hashed bin delegations
            * Not as ideal as Kairo would like, but works for now for PyPI!
### Action items
- [ ] Kairo to work out with RSTUF and TUF communities which version to test exactly
- [ ] And get back to Amir for scheduling
## November, 6 2024 Meeting
### :dart: Agenda
* Introduction
* Welcome new members
* General RSTUF Project Updates
### :wave: Attendees
* Kairo de Araujo (TestifySec)
* Matthias Glastra (Mendix)
* Elton Rodrigues (Terras App Solutions)
* Trishank Karthik Kuppusamy (Datadog)
### :open_book: Notes
* Intros
    * Elton Rodrigues
* Updates
    * Hacktober
        * Contributions to CLI
    * Large deployments (e.g., PyPI)
        * 16K+ hashed bins
        * Kairo working to reduce the processing time to update all the bins
        * [Rugged has the same problem](https://github.com/theupdateframework/specification/issues/309)
            * Kairo will meet the Rugged community this week to discuss
    * Kairo will present PEP 458 + RSTUF to CPAN/Perl security group on the 15th
    * [Rust community proposing TUF RFC](https://github.com/rust-lang/rfcs/pull/3724)
        * Trishank to follow up on a meeting with them
        * https://ssl.engineering.nyu.edu/blog/2020-02-03-transparent-logs
        * https://github.com/ossf/wg-securing-software-repos/pull/48
        * https://www.youtube.com/watch?v=wPB85ose9k8
* How to attract more contributions and maintenance to RSTUF, especially as a service?
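Hashed bin delegations come up in several of these meetings: the 16K+ bins at PyPI and the cost of updating all of them (above), the mentorship projects on hashed bins and performance, and the March 2025 warning about more than 2^12 bins with its pointer to PEP 458's metadata scalability section. The example below is added here and is not RSTUF or python-tuf code. It implements the TUF specification's succinct hashed-bin rule (the same rule python-tuf's `SuccinctRoles` follows): the bin number is the leading `bit_length` bits of SHA-256 over the target path, and the role name is the prefix plus the bin number as zero-padded hex. The `SuccinctBins`, `bins_touched` and `occupancy` names and the 20,000 target paths are constructed for illustration, not taken from any deployment.

```python
"""Succinct hashed-bin delegation: which bin a target lands in, and how many
bins a batch of changes touches.

Added example, not RSTUF or python-tuf code. Follows the TUF specification's
succinct_hash_delegations rule: bin = leading `bit_length` bits of
SHA-256(target_path); role name = "<name_prefix>-<bin as zero-padded hex>".
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SuccinctBins:
    bit_length: int           # 2**bit_length bins; PEP 458 discussions start at 2**12 = 4096
    name_prefix: str = "bins"

    def __post_init__(self) -> None:
        if not 1 <= self.bit_length <= 32:
            raise ValueError("bit_length must be between 1 and 32")

    @property
    def number_of_bins(self) -> int:
        return 1 << self.bit_length

    @property
    def suffix_len(self) -> int:
        # hex digits needed for the highest bin number, so all names pad uniformly
        return len(f"{self.number_of_bins - 1:x}")

    def bin_number(self, target_path: str) -> int:
        # Only the first 32 bits of the digest can matter; shift off the unused low bits.
        digest = hashlib.sha256(target_path.encode("utf-8")).digest()[:4]
        return int.from_bytes(digest, "big") >> (32 - self.bit_length)

    def role_for_target(self, target_path: str) -> str:
        return f"{self.name_prefix}-{self.bin_number(target_path):0{self.suffix_len}x}"


def bins_touched(layout: SuccinctBins, target_paths) -> list[str]:
    """Bin roles that must be re-signed, re-uploaded and re-listed in snapshot
    after adding or removing these targets. This set, not the raw target count,
    is what drives the 'update thousands of bins at once' cost."""
    return sorted({layout.role_for_target(p) for p in target_paths})


def occupancy(layout: SuccinctBins, target_paths) -> tuple[int, int, float]:
    """(non-empty bins, targets in the fullest bin, mean targets per bin).
    The fullest bin bounds the largest bin metadata file a client downloads."""
    if not target_paths:
        return 0, 0, 0.0
    counts = Counter(layout.bin_number(p) for p in target_paths)
    return len(counts), max(counts.values()), len(target_paths) / layout.number_of_bins


# Constructed sample: 20,000 made-up sdist paths, not real PyPI data.
SAMPLE_TARGETS = [f"packages/pkg{i}/pkg{i}-1.0.tar.gz" for i in range(20_000)]


if __name__ == "__main__":
    for bits in (12, 13):  # "choose one size larger for futureproofing"
        layout = SuccinctBins(bits)
        nonempty, largest, mean = occupancy(layout, SAMPLE_TARGETS)
        print(f"bit_length={bits}: {layout.number_of_bins} bins, {nonempty} non-empty, "
              f"fullest bin {largest}, mean {mean:.2f} targets/bin")
    # A single new release touches exactly one bin ...
    print(bins_touched(SuccinctBins(12), ["packages/pkg0/pkg0-1.1.tar.gz"]))
    # ... while a bulk import touches nearly every bin, each needing a fresh signature.
    print(len(bins_touched(SuccinctBins(12), SAMPLE_TARGETS)))
```

Going from `bit_length` 12 to 13 halves the expected size of each bin file while leaving the delegation metadata itself the same size (succinct delegations describe all bins with one entry), which is the trade-off PEP 458's scalability table lays out; the `bins_touched` count is the number of signatures and snapshot entries a bulk change forces, which is the scaling problem noted above.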
## October, 2 2024 Meeting
### :dart: Agenda
* Introduction
* Welcome new members
* General RSTUF Project Updates
    * RSTUF at Open Source Summit 2024 Europe -- Community Day
    * API 1.0.0b1
    * Worker 1.0.0b1
    * RSTUF helm charts
    * RSTUF demo helm charts!
    * RSTUF Security Audit
    * PEP 458 PyPI
    * in-toto Archivista using RSTUF
    * [Civil Infrastructure Platform](https://www.cip-project.org) RSTUF POC
* RSTUF Security Audit funding
### :wave: Attendees
* Kairo de Araujo (TestifySec)
* Matthias Glastra
* Justin Cappos (NYU)
* Trishank Karthik Kuppusamy (Datadog)
* Kumaresh Somi
* Martin Vrachev (VMware)
### :open_book: Notes
* RSTUF
    * All the features we aimed for MVP
        * Bootstrap
        * Import artifacts
        * Add/remove artifacts
        * Key revocation/rotation
        * Delegation of trust
    * Martin happy with the implementation
    * Looking for feedback
        * Matthias has feedback
            * CLI apparently doesn't support this yet
            * PyPI wants to call the API from their own Management Interface
            * Will keep working on CLI as a reference, but it deliberately does not yet support feature-parity with the rest of RSTUF API
            * Sounds like web apps are more interactive than CLIs
    * Helm charts
        * Demo: Ceremony + custom delegation
            * Multiple KMS backends
        * Demo: integration with Archivista and Witness
            * Archivista can use RSTUF to distribute in-toto policies
            * Deployment using Helm charts from Archivista and RSTUF each
    * Real-world use: civil infrastructure using RSTUF!
    * What's next?
        * Requesting funding from OSSF
        * Comms with OSTIF also and a potential auditor
* PEP 458 / PyPI
    * Kairo working on finishing https://github.com/pypi/warehouse/pull/15815
* The Archive Framework (TAF)
    * TUF + git for legal docs
    * Not sure if RSTUF can be used directly but
        * Potential knowledge exchange between groups
        * Kairo and Martin did talk with them last year
* Intros
    * Kumaresh (works as a Security Architect for ING bank)
* Trishank and Kairo will be meeting weekly about PEP 458
* How can RSTUF and/or private Sigstore work together for an org?
    * The importance of offline keys as backups
## September, 4 2024 Meeting
#### Canceled :(
## August, 7 2024 Meeting
### :dart: Agenda
* Introduction
* Welcome new members (Matthias)
* General RSTUF Project updates
    * Can now sign root metadata with Sigstore!
    * Want a [security Audit](https://github.com/repository-service-tuf/repository-service-tuf/issues/546)
    * [PEP458: Update TUF repository metadata on project index change](https://github.com/pypi/warehouse/pull/15815)
* Demo: Custom Delegation with Offline Key
    * This feature is not in the v1.0.0 Roadmap but is a work in progress by Kairo.
    * This feature allows users to create custom delegations and use offline keys for signing. Allows great flexibility in designing the TUF metadata for organizations
* Feature requests (Trishank)
    * Would be nice to point to a KMS URI (à la securesystemslib.Signer) to fetch public keys there
* Roadmap review
* Roadmap review
### :wave: Attendees
* Kairo de Araujo (TestifySec)
* Matthias Glastra
* Justin Cappos (NYU)
* Trishank Karthik Kuppusamy (Datadog)
### :open_book: Notes
## July, 3 2024 Meeting
### :dart: Agenda
* Introduction
* Welcome new members
* General RSTUF Project updates
* Roadmap review
### :wave: Attendees
* Kairo de Araujo - TestifySec
* Martin Vrachev - Broadcom
* Justin Cappos - NYU
### :open_book: Notes
* General Updates
* Reviewed the Roadmap
## June, 6 2024 Meeting
### :dart: Agenda
* Introduction
* Welcome new members
* General RSTUF Project updates
* Roadmap review
### :wave: Attendees
* Kairo de Araujo - TestifySec
* Martin Vrachev - Broadcom
* Victor Lu - Independent
### :open_book: Notes
## March, 6 2024 Meeting
### :dart: Agenda
* Introduction
* Welcome new members
* General RSTUF Project updates
* Roadmap review
### :wave: Attendees
* Kairo de Araujo - TestifySec
* Martin Vrachev - Broadcom
* Mike Lieberman - Kusari
### :open_book: Notes
## February, 7 2024 Meeting
### :dart: Agenda
* Introduction
* Welcome new members
* General RSTUF Project updates
* Roadmap review
### :wave: Attendees
* Kairo de Araujo (he/him) - TestifySec
* Martin Vrachev - Broadcom
* Justin Cappos - NYU
* Trishank Karthik Kuppusamy (Datadog)
### :open_book: Notes
RSTUF updates:
- The first PR inside Warehouse is merged, which deploys RSTUF.
- The next goal is to create a PR which will do the initial bootstrap.
- The RSTUF contributors made some changes requested by RubyGems
- RubyGems is close to merging a PR which will use RSTUF in a staging area
- Kairo: I am working on integrating RSTUF inside Archivista
    - Archivista shares the same infrastructure as RSTUF
- Lukas started a rewrite of RSTUF CLI and Worker, so RSTUF can utilize the latest securesystemslib features, which will allow RSTUF to easily add other signers