Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ying Li, David Lawrence - When the going gets tough, get TUF going

Ying Li, David Lawrence - When the going gets tough, get TUF going

The Update Framework (TUF) helps developers secure new or existing software update systems by providing integrity and freshness guarantees over package distribution. Integrate TUF into your deployment pipelines to provide integrity and version guarantees for build and deployment artifacts.

https://us.pycon.org/2016/schedule/presentation/2187/

PyCon 2016

May 29, 2016
Tweet

More Decks by PyCon 2016

Other Decks in Programming

Transcript

  1. When the going gets tough, Get TUF going! David Lawrence

    - @endophage Ying Li - @cyli Docker Security Team
  2. Keys: { Alice: Bob: } Expiry: ... Targets Metadata A

    B pip: virtualenv: [Alice] [Bob]
  3. pip-8.1.2 : { hashes } pip-8.1.1 : { hashes }

    ... Expiry: ... Delegation Metadata A virtualenv-15.0.1 : { hashes } virtualenv-15.0.0 : { hashes } ... Expiry: ... B
  4. Root : { hashes } Targets : { hashes }

    Alice : { hashes } Bob : { hashes } … Expiry: ... Snapshot Metadata
  5. #

  6. #

  7. #

  8. ?

  9. • “Publish your code so others can use it in

    5 easy steps” Marko Samastur • “Shipping Software To Users With Python” Glyph • “Reliably Distributing Compiled Modules” - Paul Kehrer Python Packaging
  10. Learn More • Read the spec: github.com/theupdateframework/tuf/ (docs/tuf-spec.txt) • Look

    at Notary: github.com/docker/notary • Read the Docker Content Trust docs: docs.docker.com/engine/security/trust/content_trust/