Does the Alpine package manager pass the TUF Threat Model?


No Name

Jan 21, 2026, 1:37:45 AM
to The Update Framework (TUF)
I'm down a rabbit hole on choosing a secure, trustworthy Linux distro. I'm looking for an OS that passes either SLSA L3 or TUF.

Alpine reps as "Alpine Linux was designed with security in mind. All userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities." https://alpinelinux.ru/about/ 

https://www.whonix.org/wiki/Dev/Operating_System#Alpine_Linux mentions: "One can ask the TUF developers, who are generally very friendly and helpful, for their opinion via their mailing list: https://groups.google.com/g/theupdateframework "

I searched the list but didn't see any discussion in this direction yet.

It seems like it would be very easy to upgrade Alpine to TUF.
https://forums.whonix.org/t/ask-about-alpine-linux-package-manager-security/19188 states:
"Alpine apk:
    If I remember right…
    only packages are signed
    package metadata is not signed
    package metadata does not expire (no Valid-Until field) (Valid-Until field in Release files | Ganneff’s Little Blog)"

One very interesting possibility I noticed with Alpine is a read-only mode https://wiki.alpinelinux.org/wiki/Immutable_root_with_atomic_upgrades but sorry if this is irrelevant.

Curious what you think?

No Name

Justin Cappos

Jan 21, 2026, 11:47:39 AM
to No Name, The Update Framework (TUF)
I haven't dug deeply, but TUF really focuses on making sure you install what the software developers would intend you to install even in the face of repository compromises, MITM, key compromises, etc.  This requires signed metadata to be structured in a certain way.

The things mentioned here with Alpine are mostly about protecting code from attack after it is installed.  This is something that is outside the scope of TUF.  

So, it seems like they're taking very sensible security precautions, but are doing it in a different part of the attack surface.

Thanks,
Justin

--
You received this message because you are subscribed to the Google Groups "The Update Framework (TUF)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to theupdateframew...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/theupdateframework/817fdc46-116b-43e6-a221-9697456a4482n%40googlegroups.com.
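To make concrete what "signed metadata structured in a certain way" buys over the apk description quoted earlier in the thread (packages signed, metadata unsigned, no expiry), here is an added example that is not code from TUF, Alpine or anyone in this thread: a minimal Go verifier for a signed, expiring, versioned metadata file that binds the package index to a hash. Ed25519 stands in for whatever signing scheme a deployment would choose, and the field names, JSON shape and sample index content are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// IndexMeta is timestamp-style metadata over the package index: a version
// (rollback protection), an expiry (freeze protection) and a hash binding
// the signed metadata to the exact index bytes the client fetched.
type IndexMeta struct {
	Version   int       `json:"version"`
	Expires   time.Time `json:"expires"`
	IndexHash string    `json:"index_sha256"`
}

// SignIndex is the repository side (constructed for this example); it returns
// the exact metadata bytes and an Ed25519 signature over them.
func SignIndex(priv ed25519.PrivateKey, m IndexMeta) (body, sig []byte, err error) {
	if body, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyIndex is the client side; trustedVersion is the version last accepted.
func VerifyIndex(pub ed25519.PublicKey, body, sig, index []byte, trustedVersion int, now time.Time) (*IndexMeta, error) {
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("metadata signature invalid")
	}
	var m IndexMeta
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	if !now.Before(m.Expires) {
		return nil, errors.New("metadata expired: possible freeze attack")
	}
	if m.Version < trustedVersion {
		return nil, errors.New("metadata version rolled back")
	}
	if sum := sha256.Sum256(index); hex.EncodeToString(sum[:]) != m.IndexHash {
		return nil, errors.New("index bytes do not match signed metadata")
	}
	return &m, nil
}
```

With per-package signatures alone, none of the three rejections after the signature check (stale metadata, an older metadata version, an index that does not match the metadata) is possible, which is the gap the quoted apk description points at.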

santiago torres

Jan 22, 2026, 11:19:05 AM
to The Update Framework (TUF)
Hey,


> Alpine reps as "Alpine Linux was designed with security in mind. All userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities." https://alpinelinux.ru/about/

This is nowadays true for most Linux distros. E.g., Arch Linux [1]:

> This page describes security packaging guidelines for Arch Linux packages. For C/C++ projects the compiler and linker can apply security hardening options. Arch Linux applies PIE, FORTIFY_SOURCE, stack protector, nx and relro by default.

In Debian [2]:

> Debian enables several hardening options by default (see dpkg-buildflags --dump for a list) but you can enable more by adding [...snip...] For example, this includes "PIE" and "BINDNOW", which should be used when building programs that handle untrusted data (parsers, network listeners, etc.), or run with elevated privileges (PAM, X, etc.).

Though I admit there's a bit of a spread regarding PIE/hardening prevalence in their case, as these decisions are up to the maintainers. I'll add that I did some large scale analysis of hardening prevalence on Linux distros but I found way less diversity of hardening flags than one would expect (at least from the major ones). 

Regarding this:


> It seems like it would be very easy to upgrade alpine to TUF..

Well, at a conceptual level, yeah, it should be possible to upgrade Alpine to TUF (though I'm not an Alpine dev). In practice that'd require somebody willing to steward such a development effort :)

Cheers!
-Santiago

[1] https://wiki.archlinux.org/title/Arch_package_guidelines/Security
[2] https://wiki.debian.org/Hardening#Hardening_options_in_Debian

No Name

Feb 2, 2026, 7:39:44 PM
to santiago torres, The Update Framework (TUF)
Justin, Santiago,

I really appreciate both of your input! 
Thanks for letting me know, thanks for your time.

No Name

