trdl is an Open Source solution providing a secure channel for delivering updates from the Git repository to the end user.
The project team releases new versions of the software and switches them in the release channels. Git acts as the single source of truth while Vault is used as a tool to verify operations as well as populate and maintain the TUF repository.
The user selects a release channel, continuously receives the latest software version from the TUF repository, and uses it.
Continuous delivery via the CI system works well for the SaaS model, that is, for software hosted on cloud servers. At the same time, you would be hard-pressed to find a tool that is as fast at delivering code to user devices.
What complicates things:
There are many package managers, but they all have common drawbacks:
Releases new software versions.
Publishes the release channels.
Verifies all operations via a quorum of GPG signatures.
Ensures a continuous rotation of TUF repository encryption keys and metadata.
Updates software versions through selected channels.
Verifies updates pulled from a trusted TUF repository.
Provides various options for using and updating the software.
The user doesn't have to download specific package versions. Instead, all they have to do is choose a release channel with the desired compatibility (any SemVer combination) and stability level (alpha, beta, early access, stable, or rock solid). Via these channels, developers distribute the appropriate release versions. There is no limit to the frequency of the updates.
trdl implements the so-called "M of N" verification mechanism: every commit in Git related to releasing or publishing channels must carry valid signatures from at least M of the N trusted GPG keys, where M is the configured minimum.
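As an added example, not trdl's own code, the quorum rule described above written as a small Go check. Ed25519 from the Go standard library stands in for GPG so it runs offline, and the Signature and QuorumVerifier types, the key-id labels and the commit hash are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signature attached to a release commit: signer's key id plus raw signature bytes.
// Ed25519 stands in for GPG so the example runs offline; key ids are constructed labels.
type Signature struct {
	KeyID string
	Sig   []byte
}

// QuorumVerifier holds the N trusted public keys and the threshold M.
type QuorumVerifier struct {
	Trusted   map[string]ed25519.PublicKey
	Threshold int
}

// Verify counts distinct trusted keys with a valid signature over commitHash and reports
// whether that reaches M. Unknown signers are ignored and a repeated signer counts once.
func (q QuorumVerifier) Verify(commitHash string, sigs []Signature) (int, bool) {
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, known := q.Trusted[s.KeyID]
		if !known || seen[s.KeyID] {
			continue
		}
		if ed25519.Verify(pub, []byte(commitHash), s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen), len(seen) >= q.Threshold
}

// Sign produces one maintainer's signature over the commit hash.
func Sign(keyID string, priv ed25519.PrivateKey, commitHash string) Signature {
	return Signature{KeyID: keyID, Sig: ed25519.Sign(priv, []byte(commitHash))}
}
func main() {
	const commit = "0123456789abcdef0123456789abcdef01234567" // constructed commit hash
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	q := QuorumVerifier{Trusted: map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub}, Threshold: 2}
	// One maintainer signing twice must not satisfy a 2-of-2 quorum; two distinct signers do.
	fmt.Println(q.Verify(commit, []Signature{Sign("alice", alicePriv, commit), Sign("alice", alicePriv, commit)}))
	fmt.Println(q.Verify(commit, []Signature{Sign("alice", alicePriv, commit), Sign("bob", bobPriv, commit)}))
}
```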
The trdl security system is based on three components: the TUF repository, the Vault plugin, and Git.