Lukas Pühringer

Lukas Pühringer is a research engineer at the NYU Center for Cyber Security (CCS), where he leads the development of The Update Framework (TUF), and has been co-maintaining several of Prof. Justin Cappos’ software projects, most notably the supply chain security framework in-toto. Lukas also supervises students and gives talks about TUF and in-toto.


Session

07-12
11:55
30min
It’s happening: TUF joins PyPI (Warehouse)
Lukas Pühringer, Kairo de Araujo

The Update Framework (TUF) has been a prime reference for secure package delivery and updates for many years. Despite its popularity, integrating with existing package managers remains challenging.

PEP 458 is a very good example of some of the related challenges. Authored a decade ago, it aims to protect the freshness, consistency, and integrity of packages in the Python Packaging Index (PyPI) and provide compromise resilience. Even though these goals remain largely unaddressed, PEP 458 has not made its way into production yet!

With Repository Service For TUF (RSTUF), a new tool has emerged, which makes implementing and maintaining a TUF-powered package repository a black box to the repository maintainers and which has become mature enough to kick off an incremental integration in Warehouse and RubyGems.

In this talk, Kairo, RSTUF's tech lead, and Lukas, TUF project maintainer, will show how RSTUF has evolved and allowed us to take a big leap towards adopting TUF in Warehouse and elsewhere. Primers on TUF, PEP 458, and Warehouse will be included.

Security
South Hall 2B