I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around securing repositories.

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

The Update Framework (TUF) Fundamentals

TUF has been around for a long time now, starting out as research at New York University. At its core, TUF has a goal of letting clients securely fetch artifacts from package repositories. This sounds simple, or at least not super hard, but it’s actually a really hard problem. TUF provides a framework for signing packages that enables much stronger security guarantees than the traditional approach of curl piped to bash.

The foundation of TUF is its metadata structure with delegations. The root metadata serves as the central source of trust containing cryptographic keys that sign other metadata and itself. Then you can delegate that trust. What makes TUF particularly powerful is its approach to key management. As Kairo discussed, a common issue with traditional signing methods is what happens when you lose a key. With conventional approaches, you generate a new key pair, resign the artifact, and publish the signature along with the public key. But this creates a trust problem - how does a client know the new public key actually belongs to you?

TUF solves this elegantly through its distribution of trust. The framework clearly defines which keys clients should trust and which ones they shouldn’t, making key rotation and management much more secure. This is probably more important in open source projects where maintainers change over time. With TUF, when a releasing manager changes, clients automatically know which keys to trust without requiring heroic actions.

What is RSTUF?

RSTUF, or Repository Service for TUF, is now an incubating project under the Open Source Security Foundation (OpenSSF). RSTUF emerged from a practical challenge Kairo faced while trying to implement TUF for PyPI. There’s a Python Enhancement Proposal (PEP 458) for adding TUF to PyPI that’s been around for over a decade but hasn’t been implemented (yet).

This experience led Kairo to develop RSTUF - a service that handles many of the TUF repository management complexities, exposing them through a simple API. The goal was to make TUF easier, allowing the repository maintainers to focus on their primary responsibilities while still benefiting from TUF’s security guarantees.

Integrating RSTUF into an Artifact Repository Ecosystem

Something clever RSTUF is doing is that it isn’t trying to be a complete repository itself. Rather, it’s designed to function as a specialized service within a broader artifact strategy. This modular approach allows organizations to leverage their existing infrastructure while adding TUF’s security guarantees.

The interaction model is API-based. Your build pipeline sends metadata about artifacts to RSTUF, which then handles all the TUF specific operations. The actual artifacts remain in your existing storage solution, whether that’s an S3 bucket or any other repository system.

This separation of concerns is useful because it means you don’t need to change where or how you store artifacts. RSTUF simply adds a security layer on top of your existing infrastructure. The API-driven approach also means you can integrate RSTUF into your CI/CD pipelines, automating the security aspects of your release process.

Adopting RSTUF

For organizations looking to use RSTUF, Kairo mentioned that they recently released the first release candidate for version 1.0.0, with the final release expected this summer. The docs have a getting started section for anyone looking to give this a try.

A use case I found clever was using RSTUF to verify and trust upstream dependencies. Organizations can use RSTUF to maintain their own trusted list of external dependencies after verifying them for whatever things they care about: CVEs, acceptable licenses, and valid signatures. This creates an additional layer of security for organizations concerned about supply chain attacks.

RSTUF can be integrated into CI/CD pipelines where, after building a package in a trusted environment, the pipeline automatically registers the artifact with RSTUF. This creates a seamless security layer that doesn’t add a ton of operational overhead.

Concluding Thoughts

The complexity of TUF implementation for the open source ecosystem is certainly a problem, but now tools like RSTUF make strong security practices accessible to a much wider audience.

As software supply chain security continues to garner attention, RSTUF helps raise the security baseline across the open source ecosystem. As Kairo put it, TUF is tough, but RSTUF makes it significantly more approachable. That’s exactly the kind of tool I like to see.