Originally posted by @chalin in #68 (comment)

Is there a reasonable workaround? Why do we need this? It's a bad look for a security project to disable security controls, even if they don't matter in this case.

Ok, I'll propose a workaround in a followup PR. Thanks for the feedback @JustinCappos.

As pointed by @joshuagl in #18:

Some of the anchors in the specification have changed since the conversion to bikeshed flavoured markdown.

Note: we will want to make some changes again once the rendered version of the specification is published to GitHub pages (see theupdateframework/specification#148)

As per CNCF assessment To fulfill this criteria we must need Contributing and Your First Contribution section on our website. We can give general instructions here as

• Link of Contributing.md
• Ask them to work on existing issue first (e.g. good first issues)
• Report any security related issue here

As an example we can see helm project's Your First Contribution section.

Description:

We propose adding a newsletter section to theupdateframework.io to enhance community engagement and communication. This newsletter will serve as a valuable resource for subscribers, providing updates, announcements, and insights related to The Update Framework (TUF).

Benefits:

• Improved Communication: A newsletter will facilitate regular communication with the community, keeping them informed about project updates, events, and relevant news.

• Community Engagement: Subscribers can stay engaged with TUF developments, contributing to a vibrant and active community.

• Information Dissemination: The newsletter will be a platform to share important information, best practices, and resources related to TUF, promoting knowledge sharing.

• Outreach and Promotion: The newsletter can also serve as a tool for outreach and promotion, attracting new contributors, users, and supporters to the TUF ecosystem.

The website links to raw versions of static test metadata files in the repository, but those may be removed/moved/changed (i.e. theupdateframework/python-tuf#1806).

We should at least update these to blob references (and to the new repository name), so they aren't affected by changes to python-tuf.

It might be even better to include sample metadata file contents directly in the web page, perhaps behind a toggle which defaults to collapsed.

On the overview page we reference Secunia_RSA_Software_Portfolio_Security_Exposure.pdf to support the claim that "an average Windows user probably contains about two dozen different software updaters".

The link does not resolve to the corresponding paper anymore, and a paper that I found under this name is from 2010 (I wonder if the claim is still true in 2022?)

Let's either update the link or remove it altogether.

Description:

Enhance the website footer by adding social media icons and links for improved engagement and community interaction.

Icons to Add:
GitHub Icon: Linked to your GitHub profile or repository.
Slack Icon: Linked to the CNCF Slack workspace or your project's Slack channel.
Twitter Icon: Linked to your Twitter profile.
Mailing List Icon: Linked to your project's mailing list signup page.

Benefits:

Improved Visibility: Icons make it easier for visitors to connect with your project on different platforms.
Enhanced Engagement: Direct links encourage visitors to explore and engage with your project's community and updates.

Screenshot

As suggested by GH:

Description:

The current README on theupdateframework.io is outdated and does not have any content. This can lead to confusion and misalignment for users and contributors who rely on accurate documentation.

Description:

To enhance the contribution process and provide clear guidelines for new and existing contributors, we need to add a CONTRIBUTING.md file to the theupdateframework.io repository. This file will outline the steps for contributing, the code of conduct, how to report issues, and how to submit pull requests.

Blog posts about TUF need to be added to the homepage. Went through the first five pages of a Google search and found quite a few blog posts; some of them are really good. Title and links to the blog posts below (mine included):

• Securing RubyGems with TUF, Part 1
  https://developer.squareup.com/blog/securing-rubygems-with-tuf-part-1/

• Securing RubyGems with TUF, Part 2
  https://developer.squareup.com/blog/securing-rubygems-with-tuf-part-2/

• Securing RubyGems with TUF, Part 3
  https://developer.squareup.com/blog/securing-rubygems-with-tuf-part-3/

• How TUF can secure software systems from update vulnerabilities
  https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/How-TUF-can-secure-software-systems-from-update-vulnerabilities

• How we securely autoupdate Osquery at Kolide
  https://blog.kolide.com/how-we-securely-autoupdate-osquery-at-kolide-b0eda6ad05f6

• CNCF Graduates TUF Project to Secure Software Updates
  https://devops.com/cncf-graduates-tuf-project-to-secure-software-updates/

• Exploring Docker Security – Part 3: Docker Content Trust
  https://blog.mi.hdm-stuttgart.de/index.php/2016/09/13/exploring-docker-security-part-3-docker-content-trust/

• Fuchsia Friday: Amber keeps Fuchsia up to date and secure
  https://9to5google.com/2018/03/09/fuchsia-friday-amber-keeps-fuchsia-up-to-date-and-secure/

• Secure Software Updates via TUF — Part 1
  https://medium.com/@mulgundmath/secure-software-updates-via-tuf-part-1-f9bbb34bcbbc

• Secure Software Updates via TUF — Part 2
  https://medium.com/@mulgundmath/secure-software-updates-via-tuf-part-2-412c6a2b10ab

The Slack channel #tuf isn't very discoverable at the moment, it may be good to mention it on the website as a place for collaborators and implementers to engage in discussion.

The following broken links on the website's News and Press pages need to be replaced or deleted.

News page:

• January 25, 2018
  Airbiquity receives a BIG Award for Business in the 2017 New Product of the Year Award category for its Uptane-based OTAmatic over-the-air software and data management solution.

• October 10, 2016
  Lily Guo and Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon+ContainerCon Europe 2016. Slides of their talk are available here.

Press page :

• Notary demoed at the DockerCon 2015 keynote

• Forbes-January 2017: Uptane Will Protect your Connected Car from Hackers

• Airbiquity.com-January 2018: Airbiquity OTAmatic Named 2017 New Product Of The Year By Business Intelligence Group

• Airbiquity.com-December 13, 2018: Airbiquity Bolsters OTAmatic™ Security And Data Analytic Features In Latest Over-The-Air (OTA) Software And Data Management Offering For Automotive

• Just Auto-May 30, 2019: HERE and Uptane Team on automotive/IoT security

Drop the (currently) duplicate build config parameters from https://app.netlify.com/sites/theupdateframework/configuration/deploys#build-settings, since they'll be different for the docsy branch, and we want both branches to build properly.

Here are the relevant config parameters:

The maintainers list in the page footer is outdated.

Sync e.g. with up-to-date MAINTAINERS.md from specification repo (i.e. TAP Editors, also see theupdateframework/specification#206), or reference implementation maintainers (?, see theupdateframework/python-tuf#1855).

Originally posted by @chalin in #68 (review):

Note that you'll need to copy over and include the following in this PR

• All of the dot files and folders such as .github, .cspell.yml, etc.
• The LICENSE files
• The updated Makefile
• The updated README.md (keep the current badge)

At the moment, the website can't seem to make its mind up as to whether Snapshot role keys should be online or offline.

Really someone needs to decide once and for all and stick to it, instead of all this conflicting wording.

If we consider the Specification as the ultimate source of truth, then we are told:

All keys, except those for the timestamp and mirrors roles, should be stored securely offline

content/metadata.md seems to agree:

so that the Snapshot role's keys can be kept offline, and thus more secure

So far so good. But the FAQ content/faq.md is where you have the bouncing around. On one page we are told two different things...

Three places state online:

even sharing online keys (e.g., between the Timestamp and Snapshot roles)

In contrast, the Snapshot role is updated often, signed with an online key

The Timestamp and Snapshot roles can use online keys

And then we have a suggestion of offline for Snapshot:

separate keys should be used so that the Snapshot role’s keys can be kept offline, and thus in a more secure manner.

If we assume the Specification reflects the TUF design decision, then the rest of the website should be consistent.

It benefits us in this way: issues with detailed descriptions (new contributors can explain problems in the correct format).

As configured via https://app.netlify.com/sites/theupdateframework/configuration/deploys#dependency-management, the version of Node.js being used was outdated (10.x). Upgrade to the active LTS, 20.x

theupdateframework/python-tuf#1807 removes the unmaintained AUTHORS.txt, because it fits better within the scope of the wider TUF project, that is not all organizations and individuals listed in the document are/were affiliated with python-tuf.

We should re-add an up-to-date TUF authors/contributors document either to the website or to a project-wide repository (e.g. github.com/theupdateframework/community <- does not exist yet) to acknowledge the efforts of our contributors.

@joshuagl suggests to auto-generate the document from git commits (of which repo?).

Sync with #37

For TUF to complete the requirements using https://theupdateframework.io/ for the CII Best Practices Gold badge, it must include certain hardening headers. They are:

• Content Security Policy (CSP)
• HTTP Strict Transport Security (already set)
• X-Content-Type-Options (as "nosniff")
• X-Frame-Options

I'm looking at the headers using https://securityheaders.com/?q=https%3A%2F%2Ftheupdateframework.io&followRedirects=on and the requirements for the gold badge criteria can be found at https://bestpractices.coreinfrastructure.org/en/projects/1351?criteria_level=2#hardened_site.

Currently, some of the hyperlinks in the website refer mostly to the python-tuf reference implementation, but maybe it would be nice to mention some of the other most notable implementations as well.

So far the website lists:

• dtuf
• rust-tuf

under main/adoptions/other, but there are others like php-tuf, go-tuf, tough, etc.

Notice from Netlify

After November 15, 2022, builds for this site will fail unless you update the build image.

It would be useful to have a more explicit link to Github (to the specification repository) on the main panel in the form of a dedicated tab or use Github's logo.

This is following most other CNCF repos. For details see:

• Renaming the default branch from master
• https://inclusivenaming.org
• Cloud Native Computing Foundation’s Inclusive Naming Initiative

We've done so recently for in-toto:

• in-toto/in-toto.io#42

@lukpueh - I'm glad to handle the rename here too if you give a thumbs up.