Skip to main content

It’s happening: TUF joins PyPI (Warehouse)

South Hall 2B
11:55 on 12 July 2024
30 minutes


The Update Framework (TUF) has been a prime reference for secure package delivery and updates for many years. Despite its popularity, integrating with existing package managers remains challenging.

PEP 458 is a very good example of some of the related challenges. Authored a decade ago, it aims to protect the freshness, consistency, and integrity of packages in the Python Packaging Index (PyPI) and provide compromise resilience. Even though these goals remain largely unaddressed, PEP 458 has not made its way into production yet!

With Repository Service For TUF (RSTUF), a new tool has emerged, which makes implementing and maintaining a TUF-powered package repository a black box to the repository maintainers and which has become mature enough to kick off an incremental integration in Warehouse and RubyGems.

In this talk, Kairo, RSTUF’s tech lead, and Lukas, TUF project maintainer, will show how RSTUF has evolved and allowed us to take a big leap towards adopting TUF in Warehouse and elsewhere. Primers on TUF, PEP 458, and Warehouse will be included.

The speakers

Kairo de Araujo

Kairo is a new Senior Open Source Engineer at TestifySec. He contributed to python-tuf and is the author of Repository Service for TUF (RSTUF). Prior roles include Senior Open Source Software Engineer at VMware Open Source Program Office (OSPO), Senior Software Engineer at IBM, ING, and Forescout.

Lukas Pühringer

Lukas Pühringer is a research engineer at the NYU Center for Cyber Security (CCS), where he leads the development of The Update Framework (TUF), and has been co-maintaining several of Prof. Justin Cappos’ software projects, most notably the supply chain security framework in-toto. Lukas also supervises students and gives talks about TUF and in-toto.