theupdateframework / theupdateframework.io
Website assets for TUF
Home Page: https://theupdateframework.io
Originally posted by @chalin in #68 (comment)
Is there a reasonable workaround? Why do we need this? It's a bad look for a security project to disable security controls, even if they don't matter in this case.
Ok, I'll propose a workaround in a followup PR. Thanks for the feedback @JustinCappos.
As pointed out by @joshuagl in #18:
Some of the anchors in the specification have changed since the conversion to bikeshed flavoured markdown.
Note: we will want to make some changes again once the rendered version of the specification is published to GitHub pages (see theupdateframework/specification#148)
As per the CNCF assessment, to fulfill this criterion we need a Contributing
and a Your First Contribution
section on our website. We can give general instructions here.
As an example, we can see the helm project's Your First Contribution section.
We propose adding a newsletter section to theupdateframework.io to enhance community engagement and communication. This newsletter will serve as a valuable resource for subscribers, providing updates, announcements, and insights related to The Update Framework (TUF).
Benefits:
Improved Communication: A newsletter will facilitate regular communication with the community, keeping them informed about project updates, events, and relevant news.
Community Engagement: Subscribers can stay engaged with TUF developments, contributing to a vibrant and active community.
Information Dissemination: The newsletter will be a platform to share important information, best practices, and resources related to TUF, promoting knowledge sharing.
Outreach and Promotion: The newsletter can also serve as a tool for outreach and promotion, attracting new contributors, users, and supporters to the TUF ecosystem.
The website links to raw versions of static test metadata files in the repository, but those may be removed/moved/changed (i.e. theupdateframework/python-tuf#1806).
We should at least update these to blob references (and to the new repository name), so they aren't affected by changes to python-tuf.
It might be even better to include sample metadata file contents directly in the web page, perhaps behind a toggle which defaults to collapsed.
On the overview page we reference Secunia_RSA_Software_Portfolio_Security_Exposure.pdf
to support the claim that "an average Windows user probably contains about two dozen different software updaters".
The link does not resolve to the corresponding paper anymore, and a paper that I found under this name is from 2010 (I wonder if the claim is still true in 2022?)
Let's either update the link or remove it altogether.
Enhance the website footer by adding social media icons and links for improved engagement and community interaction.
Icons to Add:
GitHub Icon: Linked to your GitHub profile or repository.
Slack Icon: Linked to the CNCF Slack workspace or your project's Slack channel.
Twitter Icon: Linked to your Twitter profile.
Mailing List Icon: Linked to your project's mailing list signup page.
Benefits:
Improved Visibility: Icons make it easier for visitors to connect with your project on different platforms.
Enhanced Engagement: Direct links encourage visitors to explore and engage with your project's community and updates.
Description:
The current README on theupdateframework.io is outdated and does not have any content. This can lead to confusion and misalignment for users and contributors who rely on accurate documentation.
To enhance the contribution process and provide clear guidelines for new and existing contributors, we need to add a CONTRIBUTING.md file to the theupdateframework.io repository. This file will outline the steps for contributing, the code of conduct, how to report issues, and how to submit pull requests.
Blog posts about TUF need to be added to the homepage. Went through the first five pages of a Google search and found quite a few blog posts; some of them are really good. Title and links to the blog posts below (mine included):
Securing RubyGems with TUF, Part 1
https://developer.squareup.com/blog/securing-rubygems-with-tuf-part-1/
Securing RubyGems with TUF, Part 2
https://developer.squareup.com/blog/securing-rubygems-with-tuf-part-2/
Securing RubyGems with TUF, Part 3
https://developer.squareup.com/blog/securing-rubygems-with-tuf-part-3/
How TUF can secure software systems from update vulnerabilities
https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/How-TUF-can-secure-software-systems-from-update-vulnerabilities
How we securely autoupdate Osquery at Kolide
https://blog.kolide.com/how-we-securely-autoupdate-osquery-at-kolide-b0eda6ad05f6
CNCF Graduates TUF Project to Secure Software Updates
https://devops.com/cncf-graduates-tuf-project-to-secure-software-updates/
Exploring Docker Security – Part 3: Docker Content Trust
https://blog.mi.hdm-stuttgart.de/index.php/2016/09/13/exploring-docker-security-part-3-docker-content-trust/
Fuchsia Friday: Amber keeps Fuchsia up to date and secure
https://9to5google.com/2018/03/09/fuchsia-friday-amber-keeps-fuchsia-up-to-date-and-secure/
Secure Software Updates via TUF — Part 1
https://medium.com/@mulgundmath/secure-software-updates-via-tuf-part-1-f9bbb34bcbbc
Secure Software Updates via TUF — Part 2
https://medium.com/@mulgundmath/secure-software-updates-via-tuf-part-2-412c6a2b10ab
The Slack channel #tuf isn't very discoverable at the moment, it may be good to mention it on the website as a place for collaborators and implementers to engage in discussion.
The following broken links on the website's News and Press pages need to be replaced or deleted.
News page:
January 25, 2018
Airbiquity receives a BIG Award for Business in the 2017 New Product of the Year Award category for its Uptane-based OTAmatic over-the-air software and data management solution.
October 10, 2016
Lily Guo and Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon+ContainerCon Europe 2016. Slides of their talk are available here.
Press page:
Drop the (currently) duplicate build config parameters from https://app.netlify.com/sites/theupdateframework/configuration/deploys#build-settings, since they'll be different for the docsy branch, and we want both branches to build properly.
Here are the relevant config parameters:
The maintainers list in the page footer is outdated.
Sync e.g. with up-to-date MAINTAINERS.md from specification repo (i.e. TAP Editors, also see theupdateframework/specification#206), or reference implementation maintainers (?, see theupdateframework/python-tuf#1855).
Originally posted by @chalin in #68 (review):
Note that you'll need to copy over and include the following in this PR
- All of the dot files and folders such as .github, .cspell.yml, etc.
- The LICENSE files
- The updated Makefile
- The updated README.md (keep the current badge)
At the moment, the website can't seem to make its mind up as to whether Snapshot role keys should be online or offline.
Really someone needs to decide once and for all and stick to it, instead of all this conflicting wording.
If we consider the Specification as the ultimate source of truth, then we are told:
All keys, except those for the timestamp and mirrors roles, should be stored securely offline
content/metadata.md seems to agree:
so that the Snapshot role's keys can be kept offline, and thus more secure
So far so good. But the FAQ content/faq.md is where you have the bouncing around. On one page we are told two different things...
Three places state online:
even sharing online keys (e.g., between the Timestamp and Snapshot roles)
In contrast, the Snapshot role is updated often, signed with an online key
The Timestamp and Snapshot roles can use online keys
And then we have a suggestion of offline for Snapshot:
separate keys should be used so that the Snapshot role’s keys can be kept offline, and thus in a more secure manner.
If we assume the Specification reflects the TUF design decision, then the rest of the website should be consistent.
It benefits us in this way: issues with detailed descriptions (new contributors can explain problems in the correct format).
As configured via https://app.netlify.com/sites/theupdateframework/configuration/deploys#dependency-management, the version of Node.js being used was outdated (10.x). Upgrade to the active LTS, 20.x
theupdateframework/python-tuf#1807 removes the unmaintained AUTHORS.txt, because it fits better within the scope of the wider TUF project; that is, not all organizations and individuals listed in the document are/were affiliated with python-tuf.
We should re-add an up-to-date TUF authors/contributors document either to the website or to a project-wide repository (e.g. github.com/theupdateframework/community <- does not exist yet) to acknowledge the efforts of our contributors.
@joshuagl suggests to auto-generate the document from git commits (of which repo?).
Sync with #37
For TUF to complete the requirements using https://theupdateframework.io/ for the CII Best Practices Gold badge, it must include certain hardening headers. They are:
I'm looking at the headers using https://securityheaders.com/?q=https%3A%2F%2Ftheupdateframework.io&followRedirects=on and the requirements for the gold badge criteria can be found at https://bestpractices.coreinfrastructure.org/en/projects/1351?criteria_level=2#hardened_site.
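The following is an added example (editor's code, not part of the theupdateframework.io repository or the issue above) that checks a response header block for the hardening headers a securityheaders.com scan grades. The header set it assumes, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options and X-Frame-Options, is taken from the hardened_site criterion as remembered, so confirm it against the criterion page linked in the issue; the 180-day HSTS threshold and both sample responses are constructed for the example, not captured from the live site.

```python
"""Check an HTTP response header block for the hardening headers that
securityheaders.com grades. The header list and the HSTS threshold are
assumptions made for this example; verify them against the badge criterion."""
import re
from typing import Dict, List

# Minimum HSTS lifetime accepted here: 180 days (an assumption; the browser
# preload list wants a full year, most scanners only require a positive value).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_header_block(raw: str) -> Dict[str, str]:
    """Turn a raw response header block (e.g. `curl -sI` output) into a dict.
    The status line and blank lines are skipped; names are lower-cased."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hardening_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four headers are
    present with non-permissive values."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        # Split "name source source; name source" into a directive map.
        directives: Dict[str, List[str]] = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        if "default-src" not in directives:
            findings.append("Content-Security-Policy has no default-src fallback")
        elif "*" in directives["default-src"]:
            findings.append("Content-Security-Policy default-src is permissive (*)")
        # script-src falls back to default-src when absent.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy allows inline scripts")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age too short")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")

    return findings


# Constructed sample responses (not captured from theupdateframework.io).
WEAK_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=0
x-frame-options: ALLOWALL
"""

HARDENED_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; frame-ancestors 'none'
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = check_hardening_headers(parse_header_block(raw))
        print(f"{label}: {'OK' if not result else ', '.join(result)}")
```

Feed it `curl -sI https://theupdateframework.io` output to reproduce the scan locally before re-running securityheaders.com; on Netlify the headers themselves are set from a `_headers` file in the publish directory.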
Currently, some of the hyperlinks in the website refer mostly to the python-tuf reference implementation, but maybe it would be nice to mention some of the other most notable implementations as well.
So far the website lists:
under main/adoptions/other, but there are others like php-tuf, go-tuf, tough, etc.
Notice from Netlify
After November 15, 2022, builds for this site will fail unless you update the build image.
It would be useful to have a more explicit link to Github (to the specification repository) on the main panel in the form of a dedicated tab or use Github's logo.
This is following most other CNCF repos. For details see:
We've done so recently for in-toto:
@lukpueh - I'm glad to handle the rename here too if you give a thumbs up.