TUF-en up Your Software Supply Chain - Marina Moore, Edera & Kairo De Araujo, Independent
Marina Moore, Edera, Kairo De Araujo, Independent
KubeCon + CloudNativeCon Europe 2025 · Session
In an era of increasing software supply chain attacks, ensuring the integrity and authenticity of distributed software is paramount. This talk, "TUF-en up Your Software Supply Chain," delivered by Marina Moore and Kairo De Araujo, delves into **The Update Framework (TUF)**, a robust security framework designed to protect software distribution and updating processes. Moore and De Araujo, both maintainers of the TUF project, highlighted how TUF addresses critical vulnerabilities often overlooked by simpler signing mechanisms, particularly in the context of distributing modern supply chain metadata like SBOMs and attestations.
AI review
This talk provides an exceptionally deep and practical dive into The Update Framework (TUF), presented by its maintainers. It meticulously dissects the critical flaws in traditional software signing, such as rollback and replay attacks, and demonstrates how TUF's layered trust, versioning, and timestamping mechanisms provide robust, compromise-resilient protection for software supply chains and associated metadata like SBOMs. The clear explanation of TUF's architecture and the practical demonstration with `r-tuf` and Sixstore offer highly actionable insights for organizations seeking to…
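To make the rollback, replay and consistency checks mentioned above concrete, here is a simplified Python model of a TUF-style client's metadata update logic. It is an added illustration, not code from the talk, python-tuf or RSTUF; the `Metadata`, `ClientState` and `verify_update` names are invented for this example, and signature verification against root-delegated keys is assumed to have already passed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified stand-in for TUF metadata, not python-tuf's Metadata classes. Signature
# checks against root-delegated keys are assumed done; only freshness/rollback logic is shown.
@dataclass(frozen=True)
class Metadata:
    role: str                        # "timestamp", "snapshot" or "targets"
    version: int                     # monotonically increasing per role
    expires: int                     # expiry as a Unix timestamp
    refers_to: Optional[int] = None  # timestamp -> snapshot version, snapshot -> targets version

@dataclass
class ClientState:
    trusted: dict = field(default_factory=dict)  # role -> currently trusted Metadata

class UpdateRejected(Exception): pass

PARENT = {"snapshot": "timestamp", "targets": "snapshot"}  # which role vouches for which

def verify_update(state: ClientState, candidate: Metadata, now: int) -> ClientState:
    """Install candidate only if it passes the rollback, expiry and consistency checks."""
    prev = state.trusted.get(candidate.role)
    # Rollback: a lower version than one already trusted is rejected even if validly signed.
    if prev is not None and candidate.version < prev.version:
        raise UpdateRejected(f"{candidate.role}: rollback to v{candidate.version}, trusted v{prev.version}")
    # Nor may new metadata vouch for an older version of its child role than the trusted copy did.
    if (prev is not None and prev.refers_to is not None and candidate.refers_to is not None
            and candidate.refers_to < prev.refers_to):
        raise UpdateRejected(f"{candidate.role}: names v{candidate.refers_to}, older than v{prev.refers_to}")
    # Freshness: expiry bounds how long a stale but validly signed file can be replayed.
    if candidate.expires <= now:
        raise UpdateRejected(f"{candidate.role}: expired")
    # Consistency: the version must be exactly the one the trusted parent role names.
    parent_role = PARENT.get(candidate.role)
    if parent_role is not None:
        parent = state.trusted.get(parent_role)
        if parent is None or parent.refers_to != candidate.version:
            raise UpdateRejected(f"{candidate.role}: v{candidate.version} not named by trusted {parent_role}")
    state.trusted[candidate.role] = candidate
    return state

def is_rejected(state: ClientState, candidate: Metadata, now: int) -> bool:
    # True if the update is refused; also checks that a refused update leaves trusted state untouched.
    before = dict(state.trusted)
    try:
        verify_update(state, candidate, now)
        return False
    except UpdateRejected:
        assert state.trusted == before
        return True
```

A rejected file leaves the trusted state untouched, which is the property that makes a replayed or rolled-back metadata set harmless even when its signatures are valid.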