TUFening the Cloud: CII Badge Acknowledges Standards of The Update Framework

When the Linux Foundation adopted The Update Framework (TUF) in October of 2017, it both recognized what the software update framework had already achieved to date and set a new standard for it to strive for. As one of only 14 projects under the umbrella of the Cloud Native Computing Foundation (CNCF), TUF is expected to forward the group’s mission of “making cloud-native computing universal and sustainable.” The CNCF vision of cloud-native computing as “enabling cloud portability without vendor lock-in” meshes well with TUF’s longstanding commitment to keep its architecture and specification open, concise, self-contained, and able to be integrated into any software update system.

But, opportunity also brings responsibility, and the TUF research team wasted little time in making sure it was living up to the “best practices for open source projects” advocated by CNCF. These best practices are codified in the CNCF Core Infrastructure Initiative Best Practices, or simply the CII Badge program. By providing a standardized form of certification in the open source community, the group aims, in the words of TUF senior developer Vladimir Diaz,“to improve code readability, maintainability, security, community involvement,” and increase “contributions from people outside of the project.”

The CII program was announced in May of 2016 and certified a core group of open source software projects shortly afterwards. Initially all badges were one level, and were referred to simply as “passing.” A little more than a year later, Gold and Silver badges were added to recognize projects that are willing to commit to higher standards. To earn a silver badge, which TUF completed at the beginning of May, it needed to attest that it had adopted a code of conduct, that its governance mode was clearly defined, and that it used at least one static analysis tool to look for common vulnerabilities in the analyzed language or environment. To date, TUF is only the fourth organization to achieve Silver badge status.

Applying for a badge is not overly complicated. Individuals can voluntarily self-certify their projects, at no cost, by using a web application to explain how they follow each of the listed best practices. These practices include having a website that clearly describes the nature of the project, its governance and contribution processes, licensing information, access to documentation on how to create, manage, and use software, and a mechanism for bug reports, comments, and contributions. In total, the site asks questions about 66 criteria organized into 6 categories, including quality and security.

The home page for the badge notes that the program was inspired by “the many badges available to projects on GitHub.“ As of the time of this writing, 169 projects, including prominent FLOSS (Free/Libre and Open Source Software) programs such as GnuPG, blender, GitLab, Kubernetes and Node had achieved passing status. Though the certification process is voluntary and carries no legal or regulatory status, the badge does offer consumers a quick way to check what projects are following best practices and, as a result, might be “more likely to produce higher-quality secure software.”

For Diaz, there is another advantage to participation in the CII program. “It makes it easy to identify, learn about, and keep track of the best practices that our project might want to adopt. Our responses in the self-certification also makes it easy for the CNCF to go through them and verify that we actually follow these best practices.”

After earning the CII badge, the TUF project was highlighted on the program’s front page. David A. Wheeler, who leads CII Badge, wants the program to “highlight different kinds of security-related projects that have badges, since we’re particularly interested in securing critical software. In addition, we want people to learn about software distribution hardening systems like TUF; we hope that highlighting TUF would make it a little more visible.” TUF and Notary, Docker’s implementation of TUF, were the first security projects adopted by CNCF and thus reflect this increased emphasis on security.

For more information on the CII Best Practices Badge program, go to the criteria, or statistics pages.