mirror of https://github.com/theupdateframework/python-tuf synced 2026-05-24 10:08:28 +00:00

Python reference implementation of The Update Framework (TUF)

Find a file

Jussi Kukkonen f005825955 workflows: Stop pinning actions that are not security relevant These workflows have no real security relevance (runtime build or test) in the sense that a compromise in the dependencies could compromise python-tuf security: * scorecards * dependency-review * codeql-analysis Stop pinning the actions used in them (except the common actions that are used everyewhere like actions/checkout: use the same version of those everywhere). The benefit here is fewer Dependabot PRs: If we had done this from the start we'd have skipped ~70 PRs by now. The interesting permissions used in these workflows are * security-events: write This can add things onto the "Security" tab in GitHub * id-token: write This allows OIDC authentication, but only as this specific workflow These permissions look completely acceptable to me. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>		2023-10-02 13:34:24 +03:00
.github	workflows: Stop pinning actions that are not security relevant	2023-10-02 13:34:24 +03:00
docs	Merge pull request #2392 from joshuagl/joshuagl/affiliation	2023-05-15 09:24:43 +02:00
examples	Metadata API: make new verify_delegate unaware of Metadata	2023-08-01 15:31:59 +02:00
requirements	Merge pull request #2474 from lukpueh/rm-obsolete-comments	2023-09-28 13:36:27 +03:00
tests	Drop support for Python 3.7	2023-09-07 15:52:36 +03:00
tuf	Merge pull request #2378 from jku/move-verify-delegate-v2	2023-08-21 13:27:01 +02:00
.gitattributes	Update gitattributes for test data	2022-07-26 17:37:55 +01:00
.gitignore	gitignore: fix directory patterns	2022-03-09 11:54:15 +00:00
.readthedocs.yaml	readthedocs: Specify build image	2023-05-05 10:55:21 +03:00
LICENSE	Move license files to root directory	2018-02-05 10:27:04 -05:00
LICENSE-MIT	Remove license from Thandy files that are no longer present	2021-06-29 12:15:07 -04:00
pyproject.toml	Drop support for Python 3.7	2023-09-07 15:52:36 +03:00
README.md	README: Update repository mention	2023-03-06 11:34:52 +02:00
tox.ini	Adopt securesystemslib branch rename master-> main	2023-03-02 09:35:14 +01:00
verify_release	verify_release: PEP 484 compliant annotations	2022-11-21 06:41:17 +00:00

README.md

A Framework for Securing Software Update Systems

The Update Framework (TUF) is a framework for secure content delivery and updates. It protects against various types of supply chain attacks and provides resilience to compromise. This repository is a reference implementation written in Python. It is intended to conform to version 1.0 of the TUF specification.

Python-TUF provides the following APIs:

tuf.api.metadata, a "low-level" API, designed to provide easy and safe access to TUF metadata and to handle (de)serialization from/to files.
tuf.ngclient, a client implementation built on top of the metadata API.
tuf.repository, a repository library also built on top of the metadata API. This module is currently not considered part of python-tuf stable API.

The reference implementation strives to be a readable guide and demonstration for those working on implementing TUF in their own languages, environments, or update systems.

About The Update Framework

The Update Framework (TUF) design helps developers maintain the security of a software update system, even against attackers that compromise the repository or signing keys. TUF provides a flexible specification defining functionality that developers can use in any software update system or re-implement to fit their needs.

TUF is hosted by the Linux Foundation as part of the Cloud Native Computing Foundation (CNCF) and its design is used in production by various tech companies and open source organizations. A variant of TUF called Uptane is used to secure over-the-air updates in automobiles.

Please see TUF's website for more information about TUF!

Documentation

Introduction to TUF's Design
The TUF Specification
Developer documentation, including API reference
Usage examples
Governance and Maintainers for the reference implementation
Miscellaneous Docs
Python-TUF development blog

Contact

Questions, feedback, and suggestions are welcomed on our low volume mailing list or the #tuf channel on CNCF Slack.

We strive to make the specification easy to implement, so if you come across any inconsistencies or experience any difficulty, do let us know by sending an email, or by reporting an issue in the GitHub specification repo.

Security Issues and Bugs

See SECURITY.md

License

This work is dual-licensed and distributed under the (1) MIT License and (2) Apache License, Version 2.0. Please see LICENSE-MIT and LICENSE.

Acknowledgements

This project is hosted by the Linux Foundation under the Cloud Native Computing Foundation. TUF's early development was managed by members of the Secure Systems Lab at New York University. We appreciate the efforts of all maintainers and emeritus maintainers, as well as the contributors Konstantin Andrianov, Kairo de Araujo, Ivana Atanasova, Geremy Condra, Zane Fisher, Pankhuri Goyal, Justin Samuel, Tian Tian, Martin Vrachev and Yuyu Zheng who are among those who helped significantly with TUF's reference implementation. Maintainers and Contributors are governed by the CNCF Community Code of Conduct.

This material is based upon work supported by the National Science Foundation under Grant Nos. CNS-1345049 and CNS-0959138. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.