
Release 0.20.0 #1732

Merged: 3 commits, Dec 16, 2021
42 changes: 17 additions & 25 deletions README.md
Expand Up @@ -9,7 +9,7 @@
----------------------------
*__IMPORTANT NOTICE:__ A stable 1.0.0 release of the modern implementation only
is scheduled for January 2022. Please see the [*1.0.0
announcement*](1.0.0-ANNOUNCEMENT.md) page for more details about the release
announcement*](docs/1.0.0-ANNOUNCEMENT.md) page for more details about the release
and the deprecation of the legacy implementation, including migration
instructions.*
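
Review bot: the corrected link target `docs/1.0.0-ANNOUNCEMENT.md` is repo-relative, while the API links added later in this README are absolute readthedocs URLs. If the README is also rendered outside the repository root, this link will not resolve; an absolute URL would keep the deprecation and migration notice reachable wherever the README is shown.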

Expand All @@ -19,31 +19,22 @@ This repository is the **reference implementation** of
It is written in Python and intended to conform to version 1.0 of the
[TUF specification](https://theupdateframework.github.io/specification/latest/).

The repository currently includes two implementations:
1) A *legacy implementation*, with
[`tuf/client/updater.py`](tuf/client/updater.py) implementing the detailed
client workflow and [`tuf/repository_tool.py`](tuf/repository_tool.py)
providing a high-level interface for repository operations.
The legacy implementation is in use in production systems, but is [no longer
being actively worked on](docs/adr/0002-pre-1-0-deprecation-strategy.md).
2) A *modern implementation*. We are in the process of rewriting the reference
implementation in [modern Python](docs/adr/0001-python-version-3-6-plus.md)
to both: a) address scalability and integration issues identified in
supporting integration into the Python Package Index (PyPI), and other
large-scale repositories, and b) to ensure maintainability of the project.
This implementation consists of:
* a "low-level" metadata API, designed to provide easy and safe access to
TUF metadata and handle (de)serialization from/to files, provided in the
[`tuf/api/metadata.py`](tuf/api/metadata.py) module.
* an implementation of the detailed client workflow built on top of the
metadata API, provided in the
[`tuf/ngclient/updater.py`](tuf/ngclient/updater.py) module.
The modern implementation is not considered production ready and does not yet
provide any high-level support for implementing
[repository operations](https://theupdateframework.github.io/specification/latest/#repository-operations),
though the addition of API to support them is planned.
Python-TUF provides two APIs:
* [`tuf.api.metadata`](https://theupdateframework.readthedocs.io/en/latest/api/tuf.api.html),
a "low-level" API, designed to provide easy and safe access to TUF
metadata and to handle (de)serialization from/to files.
* [`tuf.ngclient`](https://theupdateframework.readthedocs.io/en/latest/api/tuf.ngclient.html),
a client implementation built on top of the metadata API.

High-level support for implementing
[repository operations](https://theupdateframework.github.io/specification/latest/#repository-operations)
is planned but not yet provided: see [1.0.0 plans](docs/1.0.0-ANNOUNCEMENT.md).

In addition to these APIs the project also provides a *legacy
implementation* with `tuf.client` implementing the client workflow and
`tuf.repository_tool` providing a high-level interface for repository
operations. The legacy implementation is going to be
[deprecated](docs/1.0.0-ANNOUNCEMENT.md) in the near future.

The reference implementation strives to be a readable guide and demonstration
for those working on implementing TUF in their own languages, environments, or
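
Review bot: the rewritten API section drops both production-readiness statements (the removed text said the legacy implementation is in use in production systems and that the modern one "is not considered production ready"), so a reader of 0.20.0 can no longer tell which client is recommended. State the status of `tuf.ngclient` in this release explicitly. The notice at the top of the README still refers to the "modern implementation", a term this hunk stops defining, and "going to be deprecated in the near future" is vaguer than the changelog's statement that 0.20.0 is the final release that includes the legacy code.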
Expand Down Expand Up @@ -75,7 +66,8 @@ Documentation
-------------
* [Introduction to TUF's Design](docs/OVERVIEW.rst)
* [The TUF Specification](https://theupdateframework.github.io/specification/latest/)
* [Getting Started with the TUF Reference Implementation](docs/GETTING_STARTED.rst)
* Examples: [client](examples/client_example) and [repository](examples/repo_example)
* [API Reference](https://theupdateframework.readthedocs.io/)
* [Governance](docs/GOVERNANCE.md) and [Maintainers](docs/MAINTAINERS.txt)
for the reference implementation
* [Miscellaneous Docs](docs/)
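
Review bot: the `Getting Started` entry is removed from the Documentation list although this release still ships the legacy implementation. If `docs/GETTING_STARTED.rst` stays in the tree, mark it as legacy-only or remove it in the same change so it is not left as an unlinked, outdated guide. The new `API Reference` link also points at the readthedocs root while the API links earlier in this README use `/en/latest/`; pick one form.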
File renamed without changes.
37 changes: 37 additions & 0 deletions docs/CHANGELOG.md
@@ -1,5 +1,42 @@
# Changelog


## v0.20.0

*__NOTE:__ This will be the final release of python-tuf that includes the
legacy implementation code. Please see the [*1.0.0
announcement*](1.0.0-ANNOUNCEMENT.md) page for more details about the next
release and the deprecation of the legacy implementation, including migration
instructions.*

### Added
* metadata API: misc input validation (#1630, #1688, #1668, #1672, #1690)
* doc: repository library design document and ADR (#1693)
* doc: 1.0.0 announcement (#1706)
* doc: misc docstrings in metadata API (#1620)
* doc: repository and client examples (#1675, #1685, #1700)
* test: ngclient key rotation (#1635, #1649, #1691)
* test: ngclient top-level role update (#1636)
* test: ngclient non-consistent snapshot (#1666, #1705)
* test: more lint/type checks and auto-formatting (#1658, #1664, #1659, #1674,
#1677, #1687, #1699, #1701, #1708, #1710, #1720, #1726)
* build: Python 3.10 support (#1628)

### Changed
* ngclient: misc API changes (#1604, #1731)
* ngclient: avoid re-loading verified targets metadata (#1593)
* ngclient: implicitly call refresh() (#1654)
* ngclient: return loaded metadata (#1680)
* ngclient: skip visited nodes on delegation tree traversal (#1683)
* ngclient: remove URL normalisation (#1686)
* build: modernise packaging configuration (#1626)
* build: bump dependencies (#1609, #1611, #1616, #1621)
* build: limit GitHub Action token visibility and permissions (#1652, #1663)
* test: misc test changes (#1715, #1670, #1671, #1631, #1695, #1702)

### Removed
* doc: obsolete roadmap (#1698)

## v0.19.0

For users of legacy client (tuf.client module) this is purely a security fix
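
Review bot: under `### Changed`, the entry `ngclient: misc API changes (#1604, #1731)` does not tell client integrators what changed, and entries that alter updater behaviour (`implicitly call refresh()`, `remove URL normalisation`) sit alongside build and test housekeeping. Name the affected calls and mark the behaviour changes for callers so integrators know what to review before upgrading.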
2 changes: 1 addition & 1 deletion setup.cfg
@@ -1,6 +1,6 @@
[metadata]
name = tuf
version = 0.19.0
version = 0.20.0
author = https://www.updateframework.com
author_email = [email protected]
description = A secure updater framework for Python
2 changes: 1 addition & 1 deletion tuf/__init__.py
Expand Up @@ -2,7 +2,7 @@
# setup.cfg has it hard-coded separately.
# Currently, when the version is changed, it must be set in both locations.
# TODO: Single-source the version number.
__version__ = "0.19.0"
__version__ = "0.20.0"

# This reference implementation produces metadata intended to conform to
# version 1.0.0 of the TUF specification, and is expected to consume metadata
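
Review bot: `__version__` here and `version` in setup.cfg are still bumped by hand in two places, as the comment above the assignment and its TODO acknowledge. Both read 0.20.0 in this PR, but nothing visible enforces that they agree; consider `version = attr: tuf.__version__` in setup.cfg, or a test comparing the two values, so a release cannot ship with mismatched versions.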