Update reviews/tuf-graduation.md

Signed-off-by: Justin Cappos <justincappos@gmail.com>
Justin Cappos 2019-11-11 10:38:49 -05:00 committed by GitHub
parent 16f6383a0e
commit 3363c7a65e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 0 deletions

@ -71,6 +71,9 @@ These documents may be found here:
Our website has an [adoptions page](https://theupdateframework.github.io/adoptions.html) on it that lists the different projects. We also have an [ADOPTERS.MD](https://github.com/theupdateframework/tuf/blob/develop/docs/ADOPTERS.md) which contains much of the same information. [Uptane](https://uptane.github.io/), the automotive version of TUF, also its own [adoptions page](https://uptane.github.io/adoptions.html).
## Security Audits
There are multiple [security audits](https://theupdateframework.github.io/audits.html) of TUF available on the TUF website.
### Alternatives to TUF
The most common alternative to TUF involves using either a signing key on the server (e.g., TLS) or on a server as part of software creation (e.g., GPG signing in a build farm). Either way, the fundamental difference is that a single key / server compromise can result in an attacker having the ability to install arbitrary code on end user machines. Existing specifications / proposals like OMA-DM, SUIT, ITU-T X.1373, as well as common use patterns for GPG/PGP/RSA signing and TLS all have this flaw.
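
Review bot: The `## Security Audits` heading in this hunk is level 2 but sits directly above `### Alternatives to TUF`, so the alternatives subsection will now render as a child of Security Audits instead of its previous parent section. If the audits are meant to be a peer subsection, use `### Security Audits`; otherwise confirm that the level-3 sections that follow should really move under it. The audit sentence only links to the website; for a graduation review it would help to name in the document which audits exist (who performed them and when) so the record does not depend on the external page staying unchanged. While this area is being touched, the adoptions line just above reads "also its own [adoptions page]" and is missing "has".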