Notes from the TUF Community Meeting--March 2, 2020


Lois A DeLong

Mar 11, 2020, 1:08:44 PM
to The Update Framework (TUF)

Discussion Summary from the TUF Community Meeting

March 2, 2020



Meeting Participants

Lukas Pühringer, Moderator

Ernest W. Durbin, Sumana Harihareswara, Trishank Kuppusamy, Joshua Lock, Marina Moore, Teodora Seechkova, William Woodruff, Aditya Sirish A Yelgundhalli, Tieg Zaharia


Below is a brief summary of the topics discussed in our second TUF Community Meeting and any decisions made by the group. Note that because the group on this call was largely connected to Python/PyPI, discussions focused on projects within that community.


Implementing PEP 458

Lukas reported to the group that PEP 458 had been accepted and he invited William Woodruff of Trail of Bits, who is working on its implementation in Warehouse, to talk about his progress. This led to a discussion of what constituted an acceptable hash algorithm for file names. Ernest noted that TUF specifies SHA256, but the new implementation for Warehouse will be using Blake 6.


William noted that his statement of work for PEP 458 does not include fixing upstream TUF and securesystemslib issues. However, he is using TUF functionality where possible in Warehouse. Joshua and Teodora offered to help to resolve issues upstream in TUF and securesystemslib.


Ernest informed the group that hardware delivery was scheduled for this week (3/3) and that the signing ceremony will be done during PyCon, which runs April 15-23.


Specification Issues

We discussed the following open pull requests on the TUF specification:


Key rotation: rollback attack prevention and fast-forward attack recovery PR#86

https://github.com/theupdateframework/specification/pull/86

This issue addresses recovery from rollback and fast-forward attacks, including resolving ambiguity around rotating keys and deleting metadata. One of the biggest changes here is that the PR proposes moving rollback attack checks to later in the verification process.

Because of the security issues involved, the consensus was that this issue should be the subject of its own dedicated meeting. 

Specification versioning and release procedure PR#87

https://github.com/theupdateframework/specification/pull/87

This PR grew out of discussions at the last community meeting about setting up procedures for specification versioning, and for determining when to release new versions. One proposed procedure was to maintain three versions simultaneously on the repository: one for patch releases that corrected small issues, a second for minor releases, which include significant additions or changes that are backwards-compatible, and a third for major releases that would break that compatibility (ISSUE#73). PR#87 proposes a stripped-down variant of that procedure with automated checks that the policies are followed.

It was agreed that this PR could be finalized. (Closed on 3/3/2020)

Security vs bandwidth: version, length, hashes in timestamp and snapshot roles PR#90

https://github.com/theupdateframework/specification/pull/90

This issue basically boiled down to making lengths and hashes optional in both timestamp.json and snapshot.json under certain circumstances, such as a fallback download limit and no reused version numbers. It had been discussed at length on the repository, so at the meeting a review was requested so it could be closed. (Closed on 3/5/2020)

Scheduling Future Meetings: 

Since several of the individuals on the call are based in New York City, the possibility of an in-person meeting was raised. The frequency of our meetings as a community (monthly, twice monthly, etc.) was also discussed. The resolution was that Marina and Trishank may meet up with William for an in-person meeting that will focus only on issues related to the implementation of PEP 458.

The next community meeting will be in approximately five weeks (tentatively the week of April 6).

Please note that we have set up a Google Doc at https://docs.google.com/document/d/1p4i2Bu3I2QbcJgw3w65KX0yy5Aqy_GeOA8INJ63iLLc/edit#heading=h.royzs5d9lwu3 to collect agenda items for our next community meeting. We invite everyone to post any issues you'd like to discuss here.


Thank you.

Lois Anne DeLong

NYU Tandon/TUF
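The client-side checks that PR#86 and PR#90 touch, as an added example in Python (this is not code from the minutes, from the TUF specification or from python-tuf; it reflects an editor's reading of the two PRs). It shows a minimal timestamp/snapshot update in which signatures are verified before the rollback (version) check, "length" and "hashes" in the timestamp's snapshot entry are optional and a fixed fallback download limit applies when "length" is absent, and a rotation of the timestamp keys discards the stored timestamp and snapshot so that a fast-forwarded version number can be recovered from. Assumptions, all constructed for the example: signatures are HMAC-SHA256 stand-ins rather than public-key signatures, MAX_SNAPSHOT_LENGTH is an arbitrary number, rotate_timestamp_keys() stands in for the spec's root-update step, and the repository lives in memory.

```python
import hashlib
import hmac
import json

# Fallback limit applied when timestamp carries no "length" for snapshot.json
# (constructed value; the spec requires a fixed client maximum, not a number).
MAX_SNAPSHOT_LENGTH = 4_096

class MetadataError(Exception):
    pass

def canonical(signed):
    # Sorted-key JSON stands in for the canonical JSON a real client signs over.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(signed, keyid, secret):
    # Stand-in for a TUF signature: HMAC-SHA256 under a shared secret (offline example).
    sig = hmac.new(secret, canonical(signed), hashlib.sha256).hexdigest()
    return json.dumps({"signed": signed, "signatures": [{"keyid": keyid, "sig": sig}]}).encode()

def verify_signatures(md, keys, threshold=1):
    # Distinct keyids listed for the role that produced a valid signature.
    good = {s["keyid"] for s in md["signatures"] if s["keyid"] in keys and hmac.compare_digest(
        hmac.new(keys[s["keyid"]], canonical(md["signed"]), hashlib.sha256).hexdigest(), s["sig"])}
    if len(good) < threshold:
        raise MetadataError("signature threshold not met")

class Client:
    def __init__(self, timestamp_keys, snapshot_keys):
        self.timestamp_keys = dict(timestamp_keys)  # keyid -> secret
        self.snapshot_keys = dict(snapshot_keys)
        self.timestamp = self.snapshot = None  # trusted "signed" objects

    def rotate_timestamp_keys(self, new_keys):
        # Fast-forward recovery: forget stored timestamp/snapshot so a lower honest version is accepted.
        self.timestamp_keys = dict(new_keys)
        self.timestamp = self.snapshot = None

    def update_timestamp(self, fetch):
        md = json.loads(fetch("timestamp.json"))
        verify_signatures(md, self.timestamp_keys)
        new = md["signed"]
        # The rollback check runs only after the signatures have been verified.
        if self.timestamp is not None and new["version"] < self.timestamp["version"]:
            raise MetadataError("rollback: timestamp version went backwards")
        self.timestamp = new

    def update_snapshot(self, fetch):
        meta = self.timestamp["meta"]["snapshot.json"]
        limit = meta.get("length", MAX_SNAPSHOT_LENGTH)  # "length" is optional
        raw = fetch("snapshot.json")
        if len(raw) > limit:
            raise MetadataError("snapshot.json exceeds permitted length")
        for alg, digest in meta.get("hashes", {}).items():  # "hashes" is optional
            if not hmac.compare_digest(hashlib.new(alg, raw).hexdigest(), digest):
                raise MetadataError(f"snapshot.json {alg} mismatch")
        md = json.loads(raw)
        verify_signatures(md, self.snapshot_keys)
        new = md["signed"]
        if new["version"] != meta["version"]:
            raise MetadataError("snapshot version does not match timestamp")
        if self.snapshot is not None and new["version"] < self.snapshot["version"]:
            raise MetadataError("rollback: snapshot version went backwards")
        self.snapshot = new

def make_repo(ts_version, snap_version, ts_secret, snap_secret, with_hashes, pad=0):
    # Constructed in-memory repository; "_pad" only inflates snapshot.json.
    snap = sign({"_type": "snapshot", "version": snap_version, "_pad": "x" * pad,
                 "meta": {"targets.json": {"version": 1}}}, "snap-k", snap_secret)
    entry = {"version": snap_version}
    if with_hashes:
        entry["length"] = len(snap)
        entry["hashes"] = {"sha256": hashlib.sha256(snap).hexdigest()}
    ts = sign({"_type": "timestamp", "version": ts_version,
               "meta": {"snapshot.json": entry}}, "ts-k", ts_secret)
    return {"timestamp.json": ts, "snapshot.json": snap}

def try_update(client, repo):
    fetch = repo.__getitem__  # stands in for an HTTP fetch capped at the permitted length
    try:
        client.update_timestamp(fetch)
        client.update_snapshot(fetch)
        return "accepted"
    except MetadataError as e:
        return f"rejected: {e}"

def run_scenario():
    ts_old, ts_new, snap_key = b"ts-secret-1", b"ts-secret-2", b"snap-secret"
    client, out = Client({"ts-k": ts_old}, {"snap-k": snap_key}), {}
    out["hashed"] = try_update(client, make_repo(1, 1, ts_old, snap_key, True))
    out["unhashed"] = try_update(client, make_repo(2, 2, ts_old, snap_key, False))
    out["rollback"] = try_update(client, make_repo(1, 1, ts_old, snap_key, True))
    # Compromised timestamp key: the attacker fast-forwards the version number.
    out["fast_forward"] = try_update(client, make_repo(2**31 - 1, 2, ts_old, snap_key, False))
    out["honest_v3"] = try_update(client, make_repo(3, 3, ts_old, snap_key, False))
    client.rotate_timestamp_keys({"ts-k": ts_new})  # root has rotated the timestamp key
    out["after_rotation"] = try_update(client, make_repo(3, 3, ts_new, snap_key, False))
    out["oversized"] = try_update(client, make_repo(4, 4, ts_new, snap_key, False, pad=MAX_SNAPSHOT_LENGTH))
    return out
```

run_scenario() walks the cases the two PRs are about: a timestamp that carries length and hashes, one that omits them (the fallback limit is then the only size bound, and the last case shows it rejecting an oversized snapshot.json), a replayed old timestamp (rollback), a fast-forwarded timestamp from a compromised key that then blocks the honest version 3 until the keys are rotated, after which version 3 is accepted again.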



Trishank Kuppusamy

Mar 11, 2020, 1:37:28 PM
to Lois A DeLong, The Update Framework (TUF)
Thanks very much for the very well-done minutes, Lois!


Lois A DeLong

Mar 11, 2020, 1:41:51 PM
to The Update Framework (TUF)
Thanks, but I had an able assist from Lukas.

Lois