theupdateframework / theupdateframework.io Goto Github PK

Currently, some of the hyperlinks in the website refer mostly to the python-tuf reference implementation, but maybe it would be nice to mention some of the other most notable implementations as well.

So far the website lists:

• dtuf
• rust-tuf

under main/adoptions/other, but there are others like php-tuf, go-tuf, tough, etc.

It benefits us in this way: issues with detailed descriptions (new contributors can explain problems in the correct format).

At the moment, the website can't seem to make its mind up as to whether Snapshot role keys should be online or offline.

Really someone needs to decide once and for all and stick to it, instead of all this conflicting wording.

If we consider the Specification as the ultimate source of truth, then we are told:

All keys, except those for the timestamp and mirrors roles, should be stored securely offline

content/metadata.md seems to agree:

so that the Snapshot role's keys can be kept offline, and thus more secure

So far so good. But the FAQ content/faq.md is where you have the bouncing around. On one page we are told two different things...

Three places state online:

even sharing online keys (e.g., between the Timestamp and Snapshot roles)

In contrast, the Snapshot role is updated often, signed with an online key

The Timestamp and Snapshot roles can use online keys

And then we have a suggestion of offline for Snapshot:

separate keys should be used so that the Snapshot role’s keys can be kept offline, and thus in a more secure manner.

If we assume the Specification reflects the TUF design decision, then the rest of the website should be consistent.

Blog posts about TUF need to be added to the homepage. Went through the first five pages of a Google search and found quite a few blog posts; some of them are really good. Title and links to the blog posts below (mine included):

• Securing RubyGems with TUF, Part 1
  https://developer.squareup.com/blog/securing-rubygems-with-tuf-part-1/

• Securing RubyGems with TUF, Part 2
  https://developer.squareup.com/blog/securing-rubygems-with-tuf-part-2/

• Securing RubyGems with TUF, Part 3
  https://developer.squareup.com/blog/securing-rubygems-with-tuf-part-3/

• How TUF can secure software systems from update vulnerabilities
  https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/How-TUF-can-secure-software-systems-from-update-vulnerabilities

• How we securely autoupdate Osquery at Kolide
  https://blog.kolide.com/how-we-securely-autoupdate-osquery-at-kolide-b0eda6ad05f6

• CNCF Graduates TUF Project to Secure Software Updates
  https://devops.com/cncf-graduates-tuf-project-to-secure-software-updates/

• Exploring Docker Security – Part 3: Docker Content Trust
  https://blog.mi.hdm-stuttgart.de/index.php/2016/09/13/exploring-docker-security-part-3-docker-content-trust/

• Fuchsia Friday: Amber keeps Fuchsia up to date and secure
  https://9to5google.com/2018/03/09/fuchsia-friday-amber-keeps-fuchsia-up-to-date-and-secure/

• Secure Software Updates via TUF — Part 1
  https://medium.com/@mulgundmath/secure-software-updates-via-tuf-part-1-f9bbb34bcbbc

• Secure Software Updates via TUF — Part 2
  https://medium.com/@mulgundmath/secure-software-updates-via-tuf-part-2-412c6a2b10ab

It would be useful to have a more explicit link to Github (to the specification repository) on the main panel in the form of a dedicated tab or use Github's logo.

The Slack channel #tuf isn't very discoverable at the moment, it may be good to mention it on the website as a place for collaborators and implementers to engage in discussion.

For TUF to complete the requirements using https://theupdateframework.io/ for the CII Best Practices Gold badge, it must include certain hardening headers. They are:

• Content Security Policy (CSP)
• HTTP Strict Transport Security (already set)
• X-Content-Type-Options (as "nosniff")
• X-Frame-Options

I'm looking at the headers using https://securityheaders.com/?q=https%3A%2F%2Ftheupdateframework.io&followRedirects=on and the requirements for the gold badge criteria can be found at https://bestpractices.coreinfrastructure.org/en/projects/1351?criteria_level=2#hardened_site.

Description:

To enhance the contribution process and provide clear guidelines for new and existing contributors, we need to add a CONTRIBUTING.md file to the theupdateframework.io repository. This file will outline the steps for contributing, the code of conduct, how to report issues, and how to submit pull requests.

Description:

The current README on theupdateframework.io is outdated and does not have any content. This can lead to confusion and misalignment for users and contributors who rely on accurate documentation.

The website links to raw versions of static test metadata files in the repository, but those may be removed/moved/changed (i.e. theupdateframework/python-tuf#1806).

We should at least update these to blob references (and to the new repository name), so they aren't affected by changes to python-tuf.

It might be even better to include sample metadata file contents directly in the web page, perhaps behind a toggle which defaults to collapsed.

The maintainers list in the page footer is outdated.

Sync e.g. with up-to-date MAINTAINERS.md from specification repo (i.e. TAP Editors, also see theupdateframework/specification#206), or reference implementation maintainers (?, see theupdateframework/python-tuf#1855).

Description:

Enhance the website footer by adding social media icons and links for improved engagement and community interaction.

Icons to Add:
GitHub Icon: Linked to your GitHub profile or repository.
Slack Icon: Linked to the CNCF Slack workspace or your project's Slack channel.
Twitter Icon: Linked to your Twitter profile.
Mailing List Icon: Linked to your project's mailing list signup page.

Benefits:

Improved Visibility: Icons make it easier for visitors to connect with your project on different platforms.
Enhanced Engagement: Direct links encourage visitors to explore and engage with your project's community and updates.

Screenshot

Notice from Netlify

After November 15, 2022, builds for this site will fail unless you update the build image.

As pointed by @joshuagl in #18:

Some of the anchors in the specification have changed since the conversion to bikeshed flavoured markdown.

Note: we will want to make some changes again once the rendered version of the specification is published to GitHub pages (see theupdateframework/specification#148)

As per CNCF assessment To fulfill this criteria we must need Contributing and Your First Contribution section on our website. We can give general instructions here as

• Link of Contributing.md
• Ask them to work on existing issue first (e.g. good first issues)
• Report any security related issue here

As an example we can see helm project's Your First Contribution section.

theupdateframework/python-tuf#1807 removes the unmaintained AUTHORS.txt, because it fits better within the scope of the wider TUF project, that is not all organizations and individuals listed in the document are/were affiliated with python-tuf.

We should re-add an up-to-date TUF authors/contributors document either to the website or to a project-wide repository (e.g. github.com/theupdateframework/community <- does not exist yet) to acknowledge the efforts of our contributors.

@joshuagl suggests to auto-generate the document from git commits (of which repo?).

Sync with #37

Description:

We propose adding a newsletter section to theupdateframework.io to enhance community engagement and communication. This newsletter will serve as a valuable resource for subscribers, providing updates, announcements, and insights related to The Update Framework (TUF).

Benefits:

• Improved Communication: A newsletter will facilitate regular communication with the community, keeping them informed about project updates, events, and relevant news.

• Community Engagement: Subscribers can stay engaged with TUF developments, contributing to a vibrant and active community.

• Information Dissemination: The newsletter will be a platform to share important information, best practices, and resources related to TUF, promoting knowledge sharing.

• Outreach and Promotion: The newsletter can also serve as a tool for outreach and promotion, attracting new contributors, users, and supporters to the TUF ecosystem.

On the overview page we reference Secunia_RSA_Software_Portfolio_Security_Exposure.pdf to support the claim that "an average Windows user probably contains about two dozen different software updaters".

The link does not resolve to the corresponding paper anymore, and a paper that I found under this name is from 2010 (I wonder if the claim is still true in 2022?)

Let's either update the link or remove it altogether.