In my last post, I described the TUF open source framework for software update security. TUF is unusual in tightly integrating its framework with a specification that developers can adopt to add security to any software update system.
Our community’s current focus is supporting the integration of TUF into the Python Package Index (PyPI) software repository. In this post, I want to talk a little about what necessitates that integration and the challenges we’re dealing with in making it happen, and then look ahead to where TUF is headed and how I think it fits into the overall software security landscape.
Developing open source projects in parallel
Most Python software is hosted on PyPI, so its security is very important to a large number of people. The TUF integration aims to ensure that PyPI’s contents have TUF’s key attributes of integrity, consistency and freshness. The work on PyPI’s end is being funded by a grant from Facebook to the Python Software Foundation. I’m part of the TUF community’s effort to ensure that the TUF implementation has the features PyPI users need and that everything works as seamlessly as possible.
This integration has actually been under discussion since 2014. For a long time, though, no one had the bandwidth to take on the work and then an initial proposal from the TUF community had to be reworked to accommodate feedback from Python developers concerned about its impact on developer workflows.
But this February PyPI began work on a model where a central repository manages package signing on upload. That’s not quite as good as being able to attest that any individual package is the one that the original developer signed (instead we’re attesting that is what the repository received), but it allows the TUF integration to move forward and offers a pathway towards a more complete solution in our next iteration. It also simply reflects the realities of moving two complex and intertwined open source software projects forward in parallel.
Feedback from the PyPI community pointed to a number of ways in which TUF itself needed to evolve in order to properly support PyPI. It became clear that the TUF reference implementation, for example, didn’t scale well enough to support integration into the PyPI codebase (called Warehouse). PyPI contains hundreds of thousands of packages. But the TUF reference implementation makes some assumptions that inhibit it from scaling easily to those levels. That led us to devise performance improvements that will allow the reference implementation to support much larger loads.
To me, all this highlights the versatility of TUF. It’s able to handle a negotiation between different interests and move at a pace that carries everyone along – while also making sure that we leave a pathway for ensuring that the ecosystems we are developing for will grow more secure.
In the previous post I described how initiatives that are drawing on the TUF framework for programming languages other than Python are informing TUFs evolution. In the same way, I anticipate that we’ll want to make changes to the TUF specification in order to get to the next iteration of PyPI integration approved.
We might, for example, make some aspects of the specification optional – developing a “cookbook” model for people who want to integrate it in different situations. That would also help projects keep accessing the benefits of TUF as they grow.
The road ahead
Building this added flexibility into TUF should help extend its utility and make it an even more interesting project to be involved with over the next few years.
I also think the TUF community has a role to play in raising awareness about the need for the open source community to adopt a more security-centric mentality. One of the reasons I became interested in the TUF/PyPI integration was its potential for advancing what people are calling “Software Supply Chain Security.” We definitely need more awareness around this topic across the entire open source ecosystem – and a unified effort to build more tools like TUF that can keep the open source software supply chain secure.
On that front, I’m encouraged by the recent launch of a new Linux Foundation forum on securing the open source software ecosystem called the Open Source Security Foundation, of which VMware is a founding member. My next post will talk more about the Foundation and how I’m hoping it will help the community achieve the security it needs.
