Hi there! 👋 I’m an engineer with over two decades of experience in IT, specializing in open-source security and software supply chain integrity. I contribute to projects that make the digital world safer, ensuring developers and users can trust the tools they rely on every day.
💻 Open Source
The Update Framework (TUF)
I’m a maintainer of the Python implementation of The Update Framework (TUF), a trusted standard for securing software update systems. TUF is part of the Cloud Native Computing Foundation (CNCF) and is widely recognized as a critical tool in software security.
in-toto
As a maintainer of in-toto, I help secure the integrity of the software supply chain. It is also a Cloud Native Computing Foundation (CNCF) project.
Repository Service for TUF (RSTUF)
I’m the author and a core maintainer of RSTUF, a project under the OpenSSF/Linux Foundation. RSTUF focuses on securing repository content distribution, ensuring software reaches users safely and securely.
With this project I’ve been deeply involved in implementing PEP 458, a proposal to secure Python Package Index (PyPI) downloads. This initiative brings TUF’s best practices to one of the most popular repositories in the Python ecosystem.
🎙️ Talks and Presentations
Sharing knowledge and collaborating with the community are integral to what I do. Here are some recent talks:
| Conference | Talk | Recording |
|---|---|---|
| KubeCon 2025 | Identity-based Trust - Till Death Do We Part? - John Kjell & Kairo De Araujo (3/April) | |
| | TUF-en up Your Software Supply Chain - Marina Moore, Edera & Kairo De Araujo (3/April) | |
| Open Source Summit 2024 | Securing Content Distribution with RSTUF, an Incubating OpenSSF Project (Kairo De Araujo & Martin Vrachev) | Watch |
| | TTX Session Panelists: Daniel Appelquist (Samsung), Kairo De Araujo (TestifySec), Georg Kunz (Ericsson). Moderated by Katherine Druckman (Intel Corporation) | |
| KubeCon 2024 | Operating a Production TUF Repository (Kairo De Araujo & Fredrik Skogman, GitHub) | Watch |
| | DEMO: Archivista using TUF to store Policy & building trust on verifying in-toto Attestations | Watch |
| PackagingCon 2023 | “Our stuff” - How to Protect Users from Package Compromise with RSTUF | Watch |
| EuroPython 2023 | PEP 458 - A Solution Not Only for PyPI | Watch |
| PyCon Ireland 2023 | PEP 458 - A Solution Not Only for PyPI | Watch |
| PyCon SE 2023 | PEP 458 - A Solution Not Only for PyPI | |
| EuroPython 2022 | Work in Progress: Implementing PEP 458 to Secure PyPI Downloads | Watch |
📝 Publications and Blog Highlights
- Introducing RSTUF, Repository Service for TUF (OpenSSF blog)
- Introducing RSTUF (Repository Service for TUF) Beta Release (VMware Open Source blog)
- Safety for All with Repository Service for TUF (VMware Open Source blog)
- Implementing PEP 458 to Secure PyPI Downloads (VMware Open Source blog)
📅 Let’s Connect
I’d love to hear from you! Whether it’s a collaboration idea, a question about my projects, or just to chat about open source, feel free to reach out:
- LinkedIn: Your LinkedIn Profile
Or schedule some time to meet with me directly!
💡 Wishlist
Curious about what’s on my mind or what I’m working toward? Visit my wishlist to see what’s next on my horizon.
📂 Archived Blog
For earlier thoughts and projects, take a look at my archived blog.