TUF 1.0 (The Update Framework) has been released. The framework provides tools for securely checking for and downloading updates. The main goal of the project is to protect clients from typical attacks on repositories and infrastructure, including countering the promotion of fictitious updates created after an attacker gains access to the keys used to generate digital signatures or compromises the repository. The project is developed under the auspices of the Linux Foundation and is used to improve the security of update delivery in projects such as Docker, Fuchsia, Automotive Grade Linux, Bottlerocket and PyPI (verification of downloads and metadata in PyPI is expected to be enabled in the near future). The TUF reference implementation is written in Python and distributed under the Apache 2.0 license.
The project develops a set of libraries, file formats and utilities that can easily be integrated into existing application update systems, providing protection in case keys are compromised on the software developers' side. To use TUF, it is enough to add the necessary metadata to the repository and to integrate into the client code the procedures TUF provides for downloading and verifying files.
The TUF framework takes over the tasks of checking for updates, downloading them and verifying their integrity. The update installation system does not interact directly with the additional metadata; TUF handles verifying and loading it. For integration with applications and update installation systems, the project offers a low-level API for accessing the metadata and an implementation of the high-level client API ngclient, which is ready to be integrated into applications.
Among the attacks that TUF can counter are the substitution of old releases under the guise of updates, either to block the fixing of vulnerabilities in software or to roll the user back to an old vulnerable version; the promotion of malicious updates correctly signed with a compromised key; and DoS attacks on clients, such as filling the disk with an endless update.
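The client-side checks behind two of these protections (rollback and endless update) can be sketched as follows. This is an added example, not code from TUF or its ngclient API: `accept_update`, `UpdateRejected`, `EndlessStream` and the metadata layout are hypothetical names, the sample data is constructed, and signature verification of the metadata is assumed to have already succeeded.

```python
import hashlib
import io

class UpdateRejected(Exception):
    """A candidate update failed a client-side check."""

def accept_update(trusted_version, meta, stream, chunk_size=4096):
    """Return the target bytes, or raise UpdateRejected.

    meta: dict with the signed "version", "length" and "sha256" of the target.
    Assumption: the signatures over meta were already verified.
    """
    # Rollback: never accept metadata older than what the client already trusts.
    if meta["version"] < trusted_version:
        raise UpdateRejected("rollback to version %d" % meta["version"])
    # Endless data: stop reading as soon as the signed length is exceeded.
    buf = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        if len(buf) > meta["length"]:
            raise UpdateRejected("target exceeds signed length")
    if len(buf) != meta["length"]:
        raise UpdateRejected("target shorter than signed length")
    # Substituted content: the bytes must match the signed hash.
    if hashlib.sha256(buf).hexdigest() != meta["sha256"]:
        raise UpdateRejected("hash mismatch")
    return bytes(buf)

class EndlessStream:
    """Constructed stand-in for a mirror that never stops sending data."""
    def __init__(self):
        self.served = 0
    def read(self, n):
        self.served += n
        return b"A" * n

# Constructed sample target and its metadata.
PAYLOAD = b"constructed sample update, release 2\n"
META = {"version": 2, "length": len(PAYLOAD),
        "sha256": hashlib.sha256(PAYLOAD).hexdigest()}

if __name__ == "__main__":
    print(accept_update(1, META, io.BytesIO(PAYLOAD)))
    for version, stream in ((3, io.BytesIO(PAYLOAD)), (1, EndlessStream())):
        try:
            accept_update(version, META, stream)
        except UpdateRejected as exc:
            print("rejected:", exc)
```

The endless stream is cut off after a single chunk, so the amount written to disk is bounded by the signed length plus one chunk regardless of what the mirror sends.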