Defending against attacks on package managers
11-09, 17:00–17:20 (UTC), Room 3

In this talk, Joshua Lock and Marina Moore will discuss common attacks on package managers, and the kinds of threats that package managers face as part of the software supply chain. They will then present The Update Framework (TUF), a mechanism for securing package managers against these threats in a simple, resilient way that will protect users against even nation state attacks. Package managers can adopt all features of TUF wholesale, or start with the subset that will be most helpful for their users. This talk will conclude with a demonstration of TUF’s versatility, explaining how TUF has been adopted by the Python Packaging Index (PyPI) to provide end-to-end protection of packages from the developer to the end user, and how this adoption can be used as a model for other package managers looking to improve software distribution and update security.

The Update Framework (TUF) is a CNCF graduated project that provides a specification and reference implementation for securing software update systems and other types of content repositories. It is used in practice by a diverse range of applications, from single application updaters, through operating systems, to automotive firmware update systems and package managers like pip and Composer (for Drupal). TUF was specifically designed to counter previous attacks on software update systems and to create a simple, compromise-resilient framework that makes supply chain attacks on software update systems much harder.

This talk will be valuable to maintainers of package managers that support software updates. It will provide information about attacks that package managers may be vulnerable to, as well as tools to prevent these attacks. The audience will come away with a practical understanding of TUF that they can bring back to their projects to improve security either by implementing TUF directly, or by applying some of the principles to make modular improvements to security.

Joshua is a collaborator and maintainer on The Update Framework (TUF) and Supply-chain Levels for Software Artifacts (SLSA) projects. He is fortunate enough to work on these projects, and others, at VMware in their Open Source Technology Center. In a past life he spent many years working on and with the Yocto Project. Joshua has spoken at several events including Linux Security Summit, Embedded Linux Conference, and KubeCon + CloudNativeCon.

Marina Moore is a PhD student at NYU Tandon’s Secure Systems Lab focusing on secure software updates and supply chain security. While at NYU she has worked primarily on research and development for The Update Framework (TUF), Uptane, and Notary.