| 1 | +A Framework for Securing Software Update Systems |
| 2 | +------------------------------------------------ |
| 3 | + |
| 4 | +[](https://travis-ci.org/theupdateframework/tuf) |
| 5 | +[](https://coveralls.io/r/theupdateframework/tuf?branch=develop) |
| 6 | +[](https://pyup.io/repos/github/theupdateframework/tuf/) |
| 7 | +[](https://pyup.io/repos/github/theupdateframework/tuf/) |
| 8 | +[](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Ftuf?ref=badge_shield) |
| 9 | +[](https://bestpractices.coreinfrastructure.org/projects/1351) |
| 10 | + |
| 11 | +# <img src="https://cdn.rawgit.com/theupdateframework/artwork/3a649fa6/tuf-logo.svg" height="100" valign="middle" alt="TUF"/> |
| 12 | + |
| 13 | +The Update Framework (TUF) helps developers maintain the security of a software |
| 14 | +update system, even against attackers that compromise the repository or signing |
| 15 | +keys. TUF provides a flexible framework and specification that developers can |
| 16 | +adopt into any software update system. |
| 17 | + |
| 18 | +TUF is hosted by the [Linux Foundation](https://www.linuxfoundation.org/) as |
| 19 | +part of the [Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF) |
| 20 | +and is used [in production](docs/ADOPTERS.md) by companies such as Docker, |
| 21 | +DigitalOcean, Flynn, LEAP, Kolide, Cloudflare, and VMware. A variant of TUF |
| 22 | +called [Uptane](https://uptane.github.io/) is widely used to secure |
| 23 | +over-the-air updates in automobiles. |
| 24 | + |
| 25 | + |
| 26 | +Documentation |
| 27 | +------------- |
| 28 | +* [Overview](docs/OVERVIEW.rst) |
| 29 | +* [Specification](https://github.com/theupdateframework/specification/blob/master/tuf-spec.md) |
| 30 | +* [Getting Started](docs/GETTING_STARTED.rst) |
| 31 | +* [Governance](docs/GOVERNANCE.md) and [Maintainers](docs/MAINTAINERS.txt) |
| 32 | +* [Miscellaneous Docs](docs/) |
| 33 | + |
| 34 | + |
| 35 | +Contact |
| 36 | +------- |
| 37 | +Please contact us via our [mailing |
| 38 | +list](https://groups.google.com/forum/?fromgroups#!forum/theupdateframework). |
| 39 | +Questions, feedback, and suggestions are welcomed on this low volume mailing |
| 40 | +list. |
| 41 | + |
| 42 | +We strive to make the specification easy to implement, so if you come across |
| 43 | +any inconsistencies or experience any difficulty, do let us know by sending an |
| 44 | +email, or by reporting an issue in the GitHub [specification |
| 45 | +repo](https://github.com/theupdateframework/specification/issues). |
| 46 | + |
| 47 | +Security Issues and Bugs |
| 48 | +------------------------ |
| 49 | + |
| 50 | +Security issues can be reported by emailing [email protected]. |
| 51 | + |
| 52 | +At a minimum, the report must contain the following: |
| 53 | + |
| 54 | +* Description of the vulnerability. |
| 55 | +* Steps to reproduce the issue. |
| 56 | + |
| 57 | +Optionally, reports that are emailed can be encrypted with PGP. You should use |
| 58 | +PGP key fingerprint **E9C0 59EC 0D32 64FA B35F 94AD 465B F9F6 F8EB 475A**. |
| 59 | + |
| 60 | +Please do not use the GitHub issue tracker to submit vulnerability reports. |
| 61 | +The issue tracker is intended for bug reports and to make feature requests. |
| 62 | +Major feature requests, such as design changes to the specification, should |
| 63 | +be proposed via a [TUF Augmentation Proposal](docs/TAP.rst) (TAP). |
| 64 | + |
| 65 | +License |
| 66 | +------- |
| 67 | + |
| 68 | +This work is [dual-licensed](https://en.wikipedia.org/wiki/Multi-licensing) and |
| 69 | +distributed under the (1) MIT License and (2) Apache License, Version 2.0. |
| 70 | +Please see [LICENSE-MIT](LICENSE-MIT) and [LICENSE](LICENSE). |
| 71 | + |
| 72 | + |
| 73 | +Acknowledgements |
| 74 | +---------------- |
| 75 | + |
| 76 | +This project is managed by Prof. [Justin |
| 77 | +Cappos](https://ssl.engineering.nyu.edu/personalpages/jcappos/) and other |
| 78 | +members of the [Secure Systems Lab](https://ssl.engineering.nyu.edu/) at [New |
| 79 | +York University](https://engineering.nyu.edu/). |
| 80 | +[Contributors](https://github.com/theupdateframework/tuf/blob/develop/docs/AUTHORS.txt) |
| 81 | +and |
| 82 | +[maintainers](https://github.com/theupdateframework/tuf/blob/develop/docs/MAINTAINERS.txt) |
| 83 | +are governed by the [CNCF Community Code of |
| 84 | +Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). |
| 85 | + |
| 86 | +This material is based upon work supported by the National Science Foundation |
| 87 | +under Grant Nos. CNS-1345049 and CNS-0959138. Any opinions, findings, and |
| 88 | +conclusions or recommendations expressed in this material are those of the |
| 89 | +author(s) and do not necessarily reflect the views of the National Science |
| 90 | +Foundation. |
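Review bot: In the "Security Issues and Bugs" section (new lines 57-58), the PGP fingerprint is given with no pointer to where the public key itself can be obtained, so a reporter has to locate it on their own before they can encrypt anything. Suggest linking the key next to the fingerprint, or committing it to the repository, so that it can be fetched and compared against the fingerprint printed here. A smaller style point: new lines 80-82 link docs/AUTHORS.txt and docs/MAINTAINERS.txt through absolute github.com/.../blob/develop/ URLs, while new line 31 already links docs/MAINTAINERS.txt relatively. Using relative links in both places would keep them valid on other branches and in forks.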