The Cloud Native Computing Foundation (CNCF), which builds sustainable ecosystems for cloud native software, announced that The Update Framework (TUF) is the ninth project to graduate, following Kubernetes, Prometheus, Envoy, CoreDNS, containerd, Fluentd, Jaeger, and Vitess. For projects to move from the maturity level of incubation to graduation, they must demonstrate thriving adoption, an open governance process, and a strong commitment to community, sustainability, and inclusivity.
TUF, an open-source technology that secures software update systems, is the first specification and first security-focused project to graduate. Justin Cappos, associate professor of computer science and engineering at NYU Tandon School of Engineering, initially developed the project in 2009. Cappos is also the first academic researcher to lead a graduated project and TUF is the first project born out of a university to graduate.
"We are moving into a new decade where open source software is pervasive and updated seamlessly across our lives through many devices," said Chris Aniszczyk, CTO/COO of the Cloud Native Computing Foundation. "We are thrilled to see TUF secure an important part of the software supply chain and look forward to continue sustaining their community in CNCF."
According to the CNCF, TUF has become an "industry de facto standard for securing software update systems" and is utilized by leading providers of cloud-based services, including Amazon—which recently released a customized open-source version of TUF—Microsoft, Google, Cloudflare, Datadog, DigitalOcean, Docker, IBM, Red Hat, VMware, and others.
"We designed TUF so that an organization does not need to be perfect in their operational security," added Cappos. "If a company accidentally makes a signing key public, has a hacker break into their software repository, or if a disgruntled employee goes rogue, the damage they can cause is limited. Defense in depth is key to security, and the security of the software update infrastructure is among the most critical concerns in practice."
For more about TUF, visit theupdateframework.github.io/.