
Introducing RSTUF, Repository Service for TUF

August 31, 2023

By Kairo de Araujo, VMware

We’re thrilled to announce that RSTUF, Repository Service for TUF, has joined the OpenSSF as an OpenSSF Sandbox Project. This is a major step forward in ensuring we can improve secure content distribution.

What does RSTUF do? 

RSTUF helps address a major challenge: securing software repositories, particularly ensuring the integrity of software updates. Securing software repositories is crucial to protect against supply chain attacks and tampering. The Update Framework (TUF) addresses this challenge by providing a robust framework for secure repository management, protecting against attacks that compromise the repository or signing keys.

Implementing TUF repositories can be complex and time-consuming. That’s where RSTUF comes in. RSTUF simplifies the implementation process for TUF repositories and makes it easier to adopt and benefit from the security advantages offered by TUF. Here are some of the highlights of RSTUF:

  • RSTUF is language agnostic: Integration with external systems is done by REST API calls.
  • RSTUF is artifact agnostic: Any kind of content download can be protected, such as software packages, documents, images, etc.
  • RSTUF is easily deployable: It can be deployed on premises or on public / private clouds. RSTUF resides alongside your existing content repository and release process, simplifying TUF adoption.

Background 

RSTUF was born from the tentative implementation of TUF on the Python Package Index (PyPI). Similar TUF adoption initiatives also happened in other public repositories, such as RubyGems. These efforts shared one thing in common: they had to deal with the complexity and fragility of deep integration into an intricate platform with high traffic and complex infrastructure.

From these initiatives, RSTUF was born. RSTUF’s goal is to help repositories combine their efforts implementing TUF by working together through a single and neutral project to secure content delivery. After all, “Repositories are more alike than they are different” (Jussi Kukkonen – Google/TUF Maintainer, Open Source EU Summit 2022). Importantly, RSTUF also has contributions from TUF experts and maintainers, which gives users more confidence in the robustness and longevity of the project.

How to get involved

RSTUF is looking for more contributors and early adopters to help us build a solid roadmap and deliver our first official production release. Check out our documentation, where you can find an RSTUF Guide and our Development Guide. We also have a project GitHub repository.

We are also available in the #repository-service-tuf channel in the OpenSSF Slack. We look forward to working with you!

About the Author

Kairo Francisco de Araujo is a Senior Open Source Software Engineer and a VMware Open Source Program Office (OSPO) staff member, working on the Security Supply Chain team. As a Software and System Engineer, he has worked for over two decades in the Infrastructure space. Kairo hails from Brazil and lives in The Netherlands with his wife and son, who love listening to the Beatles and riding his bike. In his spare time, Kairo enjoys collecting Vinyl Records (he has many rare collectibles) and riding his road bike in group rides and with his family.