Merge pull request #2 from awwad/multiroledelegation

Migrate from TUF 0.9 to TUF 1.0 and Also Add Multi-Role Delegation

Author: awwad

METADATA.md

@@ -1,6 +1,6 @@
 # Metadata
 
-Metadata files provide information that clients can use to make update decisions. Different metadata files provide different information. The various metadata files are signed by different roles as are indicated by the root role. The concept of roles allows TUF to only trust information that a role is trusted to provide.
+Metadata files provide information that clients can use to make update decisions. Different metadata files provide different information. The various metadata files are signed by different keys as are indicated by the root role. The concept of roles allows TUF to only trust information that a role is trusted to provide.
 
 The signed metadata files always include the time they were created and their expiration dates. This ensures that outdated metadata will be detected and that clients can refuse to accept metadata older than that which they've already seen.
 

README.rst

@@ -36,7 +36,7 @@ Three major classes of software update systems are:
 -  **Library package managers** such as those offered by many
    programming languages for installing additional libraries. These are
    systems such as Python's pip/easy_install + PyPI, Perl's CPAN,
-   Ruby's RubyGems, and PHP's PEAR.
+   Ruby's RubyGems, and PHP's Composer.
 
 -  **System package managers** used by operating systems to update and
    install all of the software on a client system. Debian's APT, Red
@@ -70,7 +70,7 @@ that they can do.
 
 TUF is designed to perform the first two steps of the above update procedure,
 while guarding against the majority of attacks that malicious actors have at
-their disposable; especially those attacks that are overlooked by security-conscious
+their disposal; especially those attacks that are overlooked by security-conscious
 developers.
 
 
@@ -179,7 +179,8 @@ that need to generate TUF repository files, such as metadata,
 cryptographic keys, and signatures. Whereas the minimal install can only
 verify ed25519 signatures and is intended for sofware updater clients,
 ``tuf[tools]`` provides repository maintainers secure ed25519 key and
-signature generation with PyNaCl / libsodium.
+signature verification with `PyNaCl <https://pynacl.readthedocs.io/en/latest/>`_,
+a Python binding to the Networking and Cryptography (NaCl) library.
 
 TUF tools also enable general-purpose cryptography with PyCrypto
 and/or PyCA's Cryptography.  Software updaters that want to support
@@ -209,9 +210,9 @@ section <https://virtualenv.pypa.io/en/latest/installation.html>`_,
 and instructions for installing locally from source are provided here:
 ::
 
-    $ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.11.6.tar.gz
-    $ tar xvfz virtualenv-1.11.6.tar.gz
-    $ cd virtualenv-1.11.6
+    $ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-15.0.3.tar.gz
+    $ tar xvfz virtualenv-15.0.3.tar.gz
+    $ cd virtualenv-15.0.3
     $ python virtualenv.py myVE
 
 
@@ -225,6 +226,12 @@ libraries with apt (Advanced Package Tool.)
     $ apt-get install python-dev
     $ apt-get install libffi-dev
 
+OS X users can install these header libraries with the `Homebrew <http://brew.sh/>`_ package manager.
+::
+
+    $ brew install python
+    $ brew install libffi
+
 Installation of minimal, optional, development, and testing requirements
 can then be accomplished with one command:
 ::

SECURITY.md

@@ -10,6 +10,12 @@ The following are some of the known attacks on software update systems, includin
 
 * **Rollback attacks**. An attacker presents a software update system with older files than those the client has already seen, causing the client to use files older than those the client knows about. 
 
+* **Fast-forward attacks**.  An attacker tricks a software update system into marking a file as newer (when in fact the
+latest version of the file is older than that indicated by the attacker, but newer than what the client has seen), and
+prevents the client from fetching the latest version of the file on the next update.  The client can be prevented from installing
+the latest version of the file in this case because it would refuse to install a file that is older than what it expects
+(i.e., to prevent a rollback attack).
+
 * **Indefinite freeze attacks**. An attacker continues to present a software update system with the same files the client has already seen. The result is that the client does not know that new files are available. 
 
 * **Endless data attacks**. An attacker responds to a file download request with an endless stream of data, causing harm to clients (e.g. a disk partition filling up or memory exhaustion). 

dev-requirements.txt

@@ -15,9 +15,10 @@
 # Client must also install PyCrypto to verify RSASSA-PSS signatures.  The
 # minimal install can only verify ed25519 signatures.  Pinned packages:
 # http://nvie.com/posts/pin-your-packages/
+cffi==1.7.0
 pycrypto==2.6.1
-pynacl==0.2.3
-cryptography==1.0
+pynacl==1.0.1
+cryptography==1.4.0
 
 # Testing requirements.  The rest of the testing dependencies available in
 # 'tox.ini'

docs/proposals/README.md

@@ -0,0 +1,9 @@
+# Proposals #
+
+## Accepted ##
+
+## Rejected ##
+
+## In Progress ##
+* Trust pinning
+* Multirole delegations