A Framework for Securing Software Update Systems

The Update Framework (TUF) helps developers to secure new or existing software update systems, which are often found to be vulnerable to many known attacks. TUF addresses this widespread problem by providing a comprehensive, flexible security framework that developers can integrate with any software update system. The framework can be easily integrated (or implemented in the native programming languages of these update systems) due to its concise, self-contained architecture and specification. Developers have so far implemented the framework in the Python, Go, Ruby, and Haskell programming languages.

What is a software update system?

Generally, a software update system is an application (or part of an application) running on a client system that obtains and installs software. This can include updates to software that is already installed or even completely new software.

Three major classes of software update systems are:

Our approach

There are literally thousands of different software update systems in common use today. (In fact, the average Windows user has about two dozen different software updaters on their machine!)

We built a specification and library that can be universally (and in most cases transparently) used to secure software update systems.


October 10, 2016

Lily Guo and Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon+ContainerCon Europe 2016. Slides of their talk are available here.

September 22, 2016

TUF now welcomes proposals to extend the specification! For more information, please see TUF Augmentation Proposals (TAPs).

August 24, 2016

Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon North America. Slides of his talk are available here:

February 22, 2016

David Lawrence and Ying Li from Docker are scheduled to present at PyCon 2016. The title of their presentation is “When the going gets tough, get TUF going”.

February 19, 2016

The Update Framework now has a logo to call its own. Thanks go to Maria Jose Barrera for creating the logo, and to Santiago Torres for making it happen.

February 18, 2016

The camera-ready version of “Diplomat: Using Delegations to Protect Community Repositories” was recently submitted to NSDI 2016. The paper is freely available here on our website.

August 12, 2015

In TUF adoption news… the Docker team announced Docker Content Trust, which integrates TUF via Notary. Docker Content Trust will be available starting with Docker 1.8, and supports image signing and verification. For more information on the Docker + TUF integration, please visit:

How do I learn more?

For more information, look at the following:



Docker Distribution


LEAP Encryption Access Project



Securing Python package management

Securing Ruby package management

CoreOS App Container Specification

Hackage, Haskell’s Central Package Archive

Signing the OPAM Repository: TUF Meets Git

Other implementations



This material is based upon work supported by the National Science Foundation under Grant No. CNS-1345049 and CNS-0959138. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.