KubeCon + CloudNativeCon North America Virtual | November 17-20, 2020 | Don’t Miss Out | Learn more

Cloud Native Computing Foundation Announces TUF Graduation

Amazon, Datadog, Google, IBM, Microsoft, VMWare and other leading cloud native companies have adopted the specification

SAN FRANCISCO, Calif. – December 18, 2019 – The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, today announced that The Update Framework (TUF) is the ninth project to graduate, following Kubernetes, Prometheus, Envoy, CoreDNS, containerd, Fluentd, Jaeger, and Vitess. For projects to move from the maturity level of incubation to graduation, they must demonstrate thriving adoption, an open governance process, and a strong commitment to community, sustainability, and inclusivity.

TUF, an open-source technology that secures software update systems, is the first specification and first security-focused project to graduate. Justin Cappos, associate professor of computer science and engineering at NYU Tandon School of Engineering, initially developed the project in 2009. Cappos is also the first academic researcher to lead a graduated project and TUF is the first project born out of a university to graduate. 

“We are moving into a new decade where open source software is pervasive and updated seamlessly across our lives through many devices,” said Chris Aniszczyk, CTO/COO of the Cloud Native Computing Foundation. “We are thrilled to see TUF secure an important part of the software supply chain and look forward to continue sustaining their community in CNCF.”

TUF has become an industry de facto standard for securing software update systems. It is utilized by leading providers of cloud-based services, including Amazon – which recently released a new implementation of TUF – Microsoft, Google, Cloudflare, Datadog, DigitalOcean, Docker, IBM, Red Hat, VMware, and many others.

TUF was accepted as a CNCF project in 2017. That same year, Cappos, along with a team of researchers from the University of Michigan Transportation Research Institute and Southwest Research Institute, developed Uptane, the automotive application of TUF. Uptane has been widely adopted by automakers—according to projections, roughly one-third of the 2023 model cars on United States roads will use Uptane. 

 “We designed TUF so that an organization does not need to be perfect in their operational security,” said Cappos. “If a company accidentally makes a signing key public, has a hacker break into their software repository, or if a disgruntled employee goes rogue, the damage they can cause is limited. Defense in depth is key to security, and the security of the software update infrastructure is among the most critical concerns in practice.” 

Major contributors to TUF within NYU Tandon include doctoral graduate Trishank Karthik Kuppusamy, now chief security solutions engineer at Datadog; current doctoral students Santiago Torres and Marina Moore; and developer Lukas Puehringer, along with former developers Sebastien Awwad and Vladimir Diaz, who participated as part of Cappos’ Secure Systems Lab. The team also acknowledges the wide range of contributions from organizations, including Docker, Tor, Python, and others, as well as participants across the CNCF landscape and the automotive industry. 

To officially graduate from incubating status, the project has adopted the CNCF Code of Conduct. It has also defined transparent open governance and not only achieved a CII Best Practices badge, but was the first CNCF project to also receive a silver badge. 

TUF Background

TUF was launched almost a decade ago as a way to build system resilience against key compromises and other attacks that can spread malware or compromise a repository. The primary goals behind its design are:

  • To provide a framework (a set of libraries, file formats, and utilities) that can be used to secure new and existing software update systems.
  • To provide the means to minimize the impact of key compromises.
  • To be flexible enough to meet the needs of a wide variety of software update systems.
  • To be easy to integrate with existing software update systems.

For more about TUF, please visit https://theupdateframework.github.io/.

Additional Resources

About Cloud Native Computing Foundation

Cloud native computing empowers organizations to build and run scalable applications with an open source software stack in public, private, and hybrid clouds. The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure, including Kubernetes, Prometheus, and Envoy. CNCF brings together the industry’s top developers, end users, and vendors, and runs the largest open source developer conferences in the world. Supported by more than 500 members, including the world’s largest cloud computing and software companies, as well as over 200 innovative startups, CNCF is part of the nonprofit Linux Foundation. For more information, please visit www.cncf.io.


The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact

Jessie Adams-Shore 

The Linux Foundation