Hi there! 👋 I’m an engineer with over two decades of experience in IT, specializing in open-source security and software supply chain integrity. I contribute to projects that make the digital world safer, ensuring developers and users can trust the tools they rely on every day.

💻 Open Source

The Update Framework (TUF)

I’m a maintainer of the Python implementation of The Update Framework (TUF), a trusted standard for securing software update systems. TUF is part of the Cloud Native Computing Foundation (CNCF) and is widely recognized as a critical tool in software security.

in-toto

As a maintainer of in-toto, I help secure the integrity of the software supply chain. It is also a Cloud Native Computing Foundation (CNCF) project.

Repository Service for TUF (RSTUF)

I’m the author and a core maintainer of RSTUF, a project under the OpenSSF/Linux Foundation. RSTUF focuses on securing repository content distribution, ensuring software reaches users safely and securely.

With this project I’ve been deeply involved in implementing PEP 458, a proposal to secure Python Package Index (PyPI) downloads. This initiative brings TUF’s best practices to one of the most popular repositories in the Python ecosystem.

🎙️ Talks and Presentations

Sharing knowledge and collaborating with the community are integral to what I do. Here are some recent talks:

| Conference | Talk | Recording |
|---|---|---|
| KubeCon 2025 | Identity-based Trust - Till Death Do We Part? (John Kjell & Kairo De Araujo, 3 April) | |
| KubeCon 2025 | TUF-en up Your Software Supply Chain (Marina Moore, Edera & Kairo De Araujo, 3 April) | |
| Open Source Summit 2024 | Securing Content Distribution with RSTUF, an Incubating OpenSSF Project (Kairo De Araujo & Martin Vrachev) | Watch |
| Open Source Summit 2024 | TTX Session. Panelists: Daniel Appelquist (Samsung), Kairo De Araujo (TestifySec), Georg Kunz (Ericsson); moderated by Katherine Druckman (Intel Corporation) | |
| KubeCon 2024 | Operating a Production TUF Repository (Kairo De Araujo & Fredrik Skogman, GitHub) | Watch |
| KubeCon 2024 | DEMO: Archivista using TUF to store Policy & building trust on verifying in-toto Attestations | Watch |
| PackagingCon 2023 | “Our stuff” - How to Protect Users from Package Compromise with RSTUF | Watch |
| EuroPython 2023 | PEP 458 - A Solution Not Only for PyPI | Watch |
| PyCon Ireland 2023 | PEP 458 - A Solution Not Only for PyPI | Watch |
| PyCon SE 2023 | PEP 458 - A Solution Not Only for PyPI | |
| EuroPython 2022 | Work in Progress: Implementing PEP 458 to Secure PyPI Downloads | Watch |

📝 Publications and Blog Highlights

📅 Let’s Connect

I’d love to hear from you! Whether it’s a collaboration idea, a question about my projects, or just to chat about open source, feel free to reach out:

Or schedule some time to meet with me directly!

💡 Wishlist

Curious about what’s on my mind or what I’m working toward? Visit my wishlist to see what’s next on my horizon.

📂 Archived Blog

For earlier thoughts and projects, take a look at my archived blog.