Overcoming the challenging issue of supply chain security demands the collective efforts of both industry and the open source communities. A multi-pronged ecosystem approach is crucial to advancing the state of the art.
Introducing Repository Service for TUF
Repository Service for TUF is part of VMware’s broader investment to help improve security across the industry’s software supply chain.
It all started when we decided to help secure one of the Python language community’s most critical infrastructure components, the Python Package Index (PyPI), by implementing The Update Framework (TUF). TUF is a specification that describes a secure content update and delivery system. The aim of implementing it within PyPI was to ensure that users get valid packages from PyPI. This delivery path is a critical threat vector for supply chain attacks against nearly all Python applications.
We began developing changes in Warehouse, the project that powers PyPI, to deliver PEP 458 – Secure PyPI downloads with signed repository metadata, focusing on providing PEP 458-like repository signing functionality.
Implementing TUF directly within the codebase, however, proved to be too complex and potentially too disruptive for the community to feel comfortable with.
We needed to make it easier for repositories to integrate the features of TUF without requiring TUF expertise or deep changes to the repository service implementation.
What the project does already
This is how the Repository Service for TUF idea was born, aiming to become an easy-to-use tool for developers, DevOps, and DevOpsSec teams working on the delivery process.
Repository Service for TUF provides repository signing functionality with a simple REST API for integration into any repository offering. Based on python-tuf, it is:
- Platform agnostic – it’s containerized and can run everywhere
- Artifact agnostic – targets can be anything from container images to configuration files
- Process-flow agnostic – it can be integrated into any distribution platform (e.g. Warehouse) or CI/CD solution (e.g. GitHub, GitLab, Jenkins, etc.)
- Language agnostic – it works with any language through REST API calls
Repository Service for TUF implements the microservices pattern and enables scalability for high-traffic repositories and reliability in different deployment scenarios.
Plans for the future
The Repository Service for TUF will grow to support other TUF architecture patterns, including PEP 480 – Surviving a Compromise of PyPI: End-to-end signing of packages and PEP 480-like developer signing, and more.
Repository Service for TUF and OpenSSF
By creating a stand-alone service, we’ve both made the future integration into PyPI much easier and opened the door to securing other critical package distribution points from other language ecosystems.
The growing interest from other package repository owners led us to donate the project to OpenSSF under the Securing Software Repositories Working Group. That’s where you can find us now – in the OpenSSF sandbox!
Growing community and doing wonders together
Give the Repository Service for TUF a try with a repository you manage and let us know where it works and where it falls short, so we can continue iterating on the project to best meet users’ needs.
Join our growing community to make securing a repository easier and more trustworthy together.
Stay tuned to the Open Source Blog and follow us on Twitter for more deep dives into the world of open source contributing.