Open Source Technology Improvement Fund is thrilled to report the results of another security audit. Python-TUF is the reference implementation, written in Python, of The Update Framework (TUF), a framework for securing software update systems and content delivery.

The primary result of the work is one medium-severity and four low-severity issues. A summary of the findings and how they were resolved can be found in the Python-TUF and X41 blog posts linked below; the full report, also linked below, covers the audit methodology and the details of each issue and its fix.

Thank you to the Python-TUF team for their engagement and contributions to make this a successful audit review. Also, a big thank you to Cloud Native Computing Foundation (CNCF) for funding this audit and entrusting Open Source Technology Improvement Fund to manage it. 

Special thanks to the team at X41 D-Sec for their thorough audit of the Python-TUF code.

Everyone around the world depends on OSS. OSTIF is planning more security audits in 2023 to proactively find and fix vulnerabilities! If you’re interested in financially supporting this work, contact [email protected].


References: 

Full report: https://ostif.org/wp-content/uploads/2022/10/x41-python-tuf-audit-2022-09-09.pdf

X41 D-Sec blog: https://x41-dsec.de/security/research/job/news/2022/10/26/tuf/

Python TUF blog with excellent feedback and information: https://theupdateframework.github.io/python-tuf/2022/10/21/python-tuf-security-assessment.html