The Cloud Native Computing Foundation adds two security projects to its open source stable

Frederic Lardinois

The Cloud Native Computing Foundation (CNCF) is probably best known for being the home of the Kubernetes container orchestration project, but there are plenty of other projects that now fall under the organization's umbrella. All of them focus on bringing the kind of modern cloud-native tooling that companies like Google, Microsoft, Facebook and others take for granted to a wider range of users.

Today, the CNCF is expanding its stable with the addition of the Docker-incubated Notary and The Update Framework (TUF), which was originally developed by Professor Justin Cappos and his team at NYU's Tandon School of Engineering. The two projects are closely related: Notary, which can provide a layer of trust to any content, is an implementation of TUF.

The main idea behind all of this is that simply using the TLS protocol to secure the communication between a web server and a client isn't enough, because the server itself may have been compromised. So if you, for example, want to distribute Docker containers and guarantee that they haven't been tampered with, the Notary/TUF client and server applications handle the signing and verification of the metadata, giving you an additional layer of trust that does not depend on the server being intact.
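As an added illustration that is not part of the original article or of Notary's own code, here is a simplified Go sketch of the client-side check TUF prescribes: the client trusts only keys it pinned out of band, requires a signature threshold, rejects expired metadata, and only then compares the download against the signed hash. The metadata layout, field names and Ed25519 key handling are constructed for this example, not the real TUF schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// Simplified TUF-style targets metadata, constructed for this example: real TUF
// also records file length, version, spec_version and delegations.
type Targets struct {
	Expires time.Time         `json:"expires"`
	Targets map[string]string `json:"targets"` // target name -> hex SHA-256
}

// Signed is the serialized metadata plus signatures indexed by hex key ID.
type Signed struct {
	Payload    []byte            `json:"signed"`
	Signatures map[string][]byte `json:"signatures"`
}

// Verify is the client side: only pinned keys (obtained out of band, not from the server)
// count, a threshold must have signed, the metadata must be unexpired, and only then is
// the downloaded blob compared with the signed hash.
func Verify(s Signed, pinned []ed25519.PublicKey, threshold int, name string, blob []byte, now time.Time) error {
	valid := 0
	for _, pk := range pinned {
		id := sha256.Sum256(pk) // TUF derives key IDs from the public key bytes
		if sig, ok := s.Signatures[hex.EncodeToString(id[:])]; ok && ed25519.Verify(pk, s.Payload, sig) {
			valid++
		}
	}
	if valid < threshold {
		return errors.New("signature threshold not met")
	}
	var t Targets
	if err := json.Unmarshal(s.Payload, &t); err != nil {
		return err
	}
	if !now.Before(t.Expires) {
		return errors.New("metadata expired (stale or replayed)")
	}
	sum := sha256.Sum256(blob)
	if want, ok := t.Targets[name]; !ok || want != hex.EncodeToString(sum[:]) {
		return errors.New("content absent from or not matching signed metadata")
	}
	return nil
}
```

A server that holds none of the pinned keys can serve whatever it likes over TLS, but cannot produce metadata that passes this check.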

"In a developer's workflow, security can often be an afterthought; however, every piece of deployed code from the OS to the application should be signed. Notary establishes strong trust guarantees to prevent malicious content from being injected into the workflow processes," said David Lawrence, Senior Software Engineer at Docker. "Notary is a widely used implementation in the container space. By joining CNCF, we hope Notary will be more widely adopted and different use cases will emerge."

Docker uses this to implement its Docker Content Trust system, for example, while LinuxKit uses it to distribute its kernels and system packages. The automotive industry is also looking into a variant of TUF called Uptane to secure the code that runs inside modern cars.

If you want to dig a little bit deeper into how Notary/TUF works, Docker's documentation probably offers the best introduction.

"Notary and the TUF specification address a key challenge for enterprises working with containers by providing a solution for trusted, cross-platform delivery of content," writes Chris Aniszczyk, COO of the CNCF, in today's announcement. "We are excited to have these projects come in as one collective contribution to CNCF and look forward to cultivating their communities."

The Docker Platform (including the Enterprise and Community editions), Moby Project, Huawei, Motorola Solutions, VMware, LinuxKit, Quay and Kubernetes have all integrated Notary/TUF already, so these are clearly projects that should fit in well with the rest of the CNCF tools.

With the addition of Notary and TUF, the CNCF is now home to fourteen projects.