[theamk]

Note that TUF is great for things with multiple contributiors (think npm or pypa).

For the simple case of "a single publisher publishes update for a single product", TUF is an overkill. Something like signify or seccure will be way easier to set up and use.

[trishankdatadog]

signify is nice when key distribution, revocation, and rotation is handled for you... but how do you do that securely for many different publishers on a single repo?