A framework for securing software update systems.

The Update Framework (TUF) maintains the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.

• The Update Framework specification @ GitHub.
• python-tuf @ GitHub.

Related contents:

• Episode #497: sécurisation de la chaîne d’approvisionnement logicielle (software supply chain) @ NoLimitSecu :fr:.
• Secure publication of Datadog Agent integrations with TUF and in-toto @ Datadog.

Supply-chain Levels for Software Artifacts, or SLSA ("salsa").

SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.

It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from "safe enough" to being as resilient as possible, at any link in the chain.

• SLSA @ GitHub.

Related contents:

• Securing the software supply chain with the SLSA framework @ Trail of Bits Blog.
• Episode #497: sécurisation de la chaîne d’approvisionnement logicielle (software supply chain) @ NoLimitSecu :fr:.
• Kube-Policies BinauthZ: Closing the Supply Chain Gap in Kubernetes @ Block Engineering Blog.