From 506ae5552d7493f08e3b31d9495a1d04959ae381 Mon Sep 17 00:00:00 2001
From: Joshua Lock
Date: Thu, 30 Jul 2020 22:19:56 +0100
Subject: [PATCH 1/5] Document release process steps
Write down the expected steps for a maintainer to follow when making a release of tuf
Signed-off-by: Joshua Lock
---
 docs/RELEASE.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 docs/RELEASE.md
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
new file mode 100644
index 0000000000..41f72fe5e9
--- /dev/null
+++ b/docs/RELEASE.md
@@ -0,0 +1,29 @@
+# Release process
+
+* Ensure docs/CHANGELOG.md contains a one-line summary of each significant
+ change since the prior release
+* Update setup.py and `tuf/__init__.py` to the new version number vA.B.C
+* Test packaging, uploading to Test PyPI and installing from a virtual environment
+ * Remove existing dist build dirs
+ * Create source dist `python setup.py sdist`
+ * Create wheel (with 2 and 3 support) `python setup.py bdist_wheel --universal`
+ * Sign the dists `gpg --detach-sign -a dist/tuf-vA.B.C.tar.gz`
+ * Upload to test PyPI `twine upload --repository testpypi dist/*`
+ * Verify the uploaded package https://testpypi.python.org/pypi/tuf/
+* Create a PR with updated CHANGELOG.md and version bumps
+* Once the PR is merged, pull the updated `develop` branch locally
+* Create a signed tag matching the updated version number on the merge commit
+ `git tag --sign vA.B.C`
+* Create a new release on GitHub, copying the CHANGELOG.md entries for the release
+* Create a package for the formal release
+ * Remove existing dist build dirs
+ * Create source dist `python setup.py sdist`
+ * Create wheel (with 2 and 3 support) `python setup.py bdist_wheel --universal`
+ * Sign source dist `gpg --detach-sign -a dist/tuf-vA.B.C.tar.gz`
+ * Sign wheel `gpg --detach-sign -a dist/tuf-vA.B.C-py2.py3-none-any.whl`
+ * Upload to test PyPI `twine upload --repository testpypi dist/*`
+ * Verify the uploaded package https://testpypi.python.org/pypi/tuf/
+ * Upload to PyPI `twine upload dist/*`
+* Attach the signed dists to the release on GitHub
+* Announce the release on [#tuf on CNCF Slack](https://cloud-native.slack.com/archives/C8NMD3QJ3)
+* Ensure [POUF 1](https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md), for the reference implementation, is up-to-date
From ea958bc5688180c31cc51aa9f0e32fea591b653d Mon Sep 17 00:00:00 2001
From: Joshua Lock
Date: Thu, 30 Jul 2020 22:20:33 +0100
Subject: [PATCH 2/5] Prepare 0.13.0 release
Signed-off-by: Joshua Lock
---
 docs/CHANGELOG.md | 21 +++++++++++++++++++++
 setup.py | 2 +-
 tuf/__init__.py | 2 +-
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index a10d63f5bf..9d2bb31837 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,5 +1,26 @@
 # Changelog
 
+## v0.13.0
+* Revise requirements files to have layered requirements (#978, #982)
+* Update tutorial instructions (#981, #992) and documentation (#1054, #1001)
+* Fix broken CI (#985)
+* Add support for BLAKE hash functions (#993)
+* Replace hard-coded logger names (#989)
+* Don't list root metadata in snapshot metadata (#988)
+* Enable targets metadata to be generated without access to the target files (#1007, #1020)
+* Fix target file path hashing to ensure paths are hashed as they appear in targets metadata (#1007)
+* Refactor code handling hashed bins (#1007, #1013, #1040, #1058)
+* Improve performance when delegating to a large number of hashed bins (#1012)
+* Improve path handling consistency when adding targets and paths (#1008)
+* Clarify error message and docstring for custom parameter of add_target() (#1027)
+* Fix tests (#1029, #1064, #1067)
+* Implement support for abstract files and directories (#1024, #1034)
+* Fix loading of delegated targets during repository load (#1049, #1052, #1071)
+* Fix key loading in repo.py (#1066)
+* Remove redundant code in downloader (#1073)
+* Make lengths and hashes optional for timestamp and snapshot roles (#1031)
+* Fix alarming logging in updater (#1092)
+
 ## v0.12.2
 * Fix incorrect threshold signature computation (#974)
 * Drop support for python 3.4 (#966)
diff --git a/setup.py b/setup.py
index 7607cb3bff..f7ca6d2276 100755
--- a/setup.py
+++ b/setup.py
@@ -78,7 +78,7 @@ setup(
 name = 'tuf',
- version = '0.12.2', # If updating version, also update it in tuf/__init__.py
+ version = '0.13.0', # If updating version, also update it in tuf/__init__.py
 description = 'A secure updater framework for Python',
 long_description = long_description,
 long_description_content_type='text/markdown',
diff --git a/tuf/__init__.py b/tuf/__init__.py
index aa951e8e3a..2c2601bf33 100755
--- a/tuf/__init__.py
+++ b/tuf/__init__.py
@@ -2,7 +2,7 @@
 # setup.py has it hard-coded separately.
 # Currently, when the version is changed, it must be set in both locations.
 # TODO: Single-source the version number.
-__version__ = "0.12.2"
+__version__ = "0.13.0"
 # This reference implementation produces metadata intended to conform to
 # version 1.0.0 of the TUF specification, and is expected to consume metadata
From 0714632edc46316f88d89138a8f4bedf980a21b8 Mon Sep 17 00:00:00 2001
From: Joshua Lock
Date: Tue, 4 Aug 2020 09:49:08 +0100
Subject: [PATCH 3/5] docs/RELEASE.md: link to guidance on changelogs
https://keepachangelog.com provides good advice on curating a changelog
Signed-off-by: Joshua Lock
---
 docs/RELEASE.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
index 41f72fe5e9..a77628c71b 100644
--- a/docs/RELEASE.md
+++ b/docs/RELEASE.md
@@ -1,7 +1,7 @@
 # Release process
 
-* Ensure docs/CHANGELOG.md contains a one-line summary of each significant
- change since the prior release
+* Ensure docs/CHANGELOG.md contains a one-line summary of each [notable
+ change](https://keepachangelog.com/) since the prior release
 * Update setup.py and `tuf/__init__.py` to the new version number vA.B.C
 * Test packaging, uploading to Test PyPI and installing from a virtual environment
 * Remove existing dist build dirs
From 2dc4651136492fd7b6be08bd0e19907f776bbed9 Mon Sep 17 00:00:00 2001
From: Joshua Lock
Date: Tue, 4 Aug 2020 09:50:33 +0100
Subject: [PATCH 4/5] docs/CHANGELOG.md: update for v0.13.0
Categorise changes by type, per the recommendations at keepachangelog.com
Signed-off-by: Joshua Lock
---
 docs/CHANGELOG.md | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 9d2bb31837..fa9a380811 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,24 +1,30 @@
 # Changelog
 
 ## v0.13.0
+### Added
+* Add support for BLAKE hash functions (#993)
+* Don't list root metadata in snapshot metadata, per latest spec (#988)
+* Enable targets metadata to be generated without access to the target files (#1007, #1020)
+* Implement support for abstract files and directories (#1024, #1034)
+* Make lengths and hashes optional for timestamp and snapshot roles (#1031)
+
+### Changed
 * Revise requirements files to have layered requirements (#978, #982)
 * Update tutorial instructions (#981, #992) and documentation (#1054, #1001)
-* Fix broken CI (#985)
-* Add support for BLAKE hash functions (#993)
 * Replace hard-coded logger names (#989)
-* Don't list root metadata in snapshot metadata (#988)
-* Enable targets metadata to be generated without access to the target files (#1007, #1020)
 * Fix target file path hashing to ensure paths are hashed as they appear in targets metadata (#1007)
 * Refactor code handling hashed bins (#1007, #1013, #1040, #1058)
 * Improve performance when delegating to a large number of hashed bins (#1012)
 * Improve path handling consistency when adding targets and paths (#1008)
 * Clarify error message and docstring for custom parameter of add_target() (#1027)
+* Ensure each key applies to signature threshold only once (#1091)
+
+## Fixed
+* Fix broken CI (#985)
 * Fix tests (#1029, #1064, #1067)
-* Implement support for abstract files and directories (#1024, #1034)
 * Fix loading of delegated targets during repository load (#1049, #1052, #1071)
 * Fix key loading in repo.py (#1066)
 * Remove redundant code in downloader (#1073)
-* Make lengths and hashes optional for timestamp and snapshot roles (#1031)
 * Fix alarming logging in updater (#1092)
 
 ## v0.12.2
From eb1c8d0845bb86eb6d47da2734471fe3fadf2155 Mon Sep 17 00:00:00 2001
From: Joshua Lock
Date: Tue, 4 Aug 2020 10:29:27 +0100
Subject: [PATCH 5/5] setup.py: add project_urls links
These additional URLs will be displayed on PyPI: https://packaging.python.org/guides/distributing-packages-using-setuptools/#project-urls
Signed-off-by: Joshua Lock
---
 setup.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/setup.py b/setup.py
index f7ca6d2276..2bc4518324 100755
--- a/setup.py
+++ b/setup.py
@@ -108,6 +108,10 @@
 'Topic :: Security',
 'Topic :: Software Development'
 ],
+ project_urls={
+ 'Source': 'https://github.com/theupdateframework/tuf',
+ 'Issues': 'https://github.com/theupdateframework/tuf/issues'
+ },
 python_requires=">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4",
 install_requires = [
 'iso8601>=0.1.12',
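Review bot: The new `project_urls` block links Source and Issues but gives PyPI users no direct route to the release notes, even though this series starts curating `docs/CHANGELOG.md` as the per-release record. Setuptools passes arbitrary keys through and PyPI, as far as I recall, renders a `Changelog` key with its own icon, so one more line would do: `'Changelog': 'https://github.com/theupdateframework/tuf/blob/develop/docs/CHANGELOG.md'`. Pointing at `develop`, the branch the release process says version bumps are merged to, keeps the link stable across releases. Optional polish; the two URLs present are correct and use https.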