by raesene9 2221 days ago
Whilst TUF absolutely does help with some of the cases in the paper and generally, it's important to notice that at least one of the scenarios in the paper may not be covered by solutions like TUF.

I'm thinking of the scenario where a bad actor takes over an existing library with the original owner's blessing, either by contributing and then taking on maintainership, or via payment to the original owner.

In that case ownership of signing keys may transition to the new owners voluntarily, so there would be no noticeable change, in terms of signing of packages.

1 comment
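The voluntary handover described above is something signature verification alone will accept, so the check a consumer actually wants is one that also surfaces the change of custody. The following is an added illustration, not code from either commenter or from the TUF project; it uses HMAC as a stand-in for real asymmetric signatures and constructed key ids and release history.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample keys. HMAC stands in for the asymmetric signatures a real
# TUF deployment would use; the custody logic below does not depend on that.
KEYS = {
    "alice-2019": b"constructed-secret-alice",
    "bob-2020": b"constructed-secret-bob",
    "eve-unknown": b"constructed-secret-eve",
}

def sign(key_id: str, payload: bytes) -> str:
    return hmac.new(KEYS[key_id], payload, hashlib.sha256).hexdigest()

def verify(key_id: str, payload: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(key_id, payload), signature)

@dataclass
class Release:
    version: str      # version string the signature covers
    signer: str       # key id the package claims to be signed with
    signature: str

@dataclass
class Handover:
    new_key: str      # key the current maintainer delegates the package to
    signer: str       # current key that authorises the handover
    signature: str    # signature over the new key id

def audit(trusted_key, events):
    """Replay a package's history. Returns (accepted versions, rejected
    versions, custody changes). A handover signed by the current key is
    cryptographically valid and is honoured, but it is also recorded so the
    consumer can review who now controls the package, not just that a
    signature checks out."""
    accepted, rejected, custody = [], [], []
    for ev in events:
        if isinstance(ev, Handover):
            if ev.signer == trusted_key and verify(trusted_key, ev.new_key.encode(), ev.signature):
                custody.append((trusted_key, ev.new_key))
                trusted_key = ev.new_key
            continue
        ok = ev.signer == trusted_key and verify(trusted_key, ev.version.encode(), ev.signature)
        (accepted if ok else rejected).append(ev.version)
    return accepted, rejected, custody

def sample_history():
    # Constructed history: alice ships 1.0 and 1.1, hands the project to bob,
    # bob ships 1.2; eve then tries to publish without any delegation.
    return audit("alice-2019", [
        Release("1.0", "alice-2019", sign("alice-2019", b"1.0")),
        Release("1.1", "alice-2019", sign("alice-2019", b"1.1")),
        Handover("bob-2020", "alice-2019", sign("alice-2019", b"bob-2020")),
        Release("1.2", "bob-2020", sign("bob-2020", b"1.2")),
        Release("1.3", "eve-unknown", sign("eve-unknown", b"1.3")),
    ])
```

Every release up to 1.2 verifies, which is exactly the point of the comment: the custody list, not the signature check, is what tells a downstream consumer that a different party now controls the package.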

That's a bit like saying: well, encrypting the iPhone isn't all that jazz, because all I have to do is hit the owner with a $5 wrench.

I mean, yes, but cryptography alone cannot solve that problem. TUF and in-toto provide cryptographic solutions to cryptographic problems, which is much more than anyone else is doing today.