Release 0.20.0

README.md

@@ -9,7 +9,7 @@
 ----------------------------
 *__IMPORTANT NOTICE:__ A stable 1.0.0 release of the modern implementation only
 is scheduled for January 2022. Please see the [*1.0.0
-announcement*](1.0.0-ANNOUNCEMENT.md) page for more details about the release
+announcement*](docs/1.0.0-ANNOUNCEMENT.md) page for more details about the release
 and the deprecation of the legacy implementation, including migration
 instructions.*
 
@@ -19,31 +19,22 @@ This repository is the **reference implementation** of
 It is written in Python and intended to conform to version 1.0 of the
 [TUF specification](https://theupdateframework.github.io/specification/latest/).
 
-The repository currently includes two implementations:
-1) A *legacy implementation*, with
-   [`tuf/client/updater.py`](tuf/client/updater.py) implementing the detailed
-   client workflow and [`tuf/repository_tool.py`](tuf/repository_tool.py)
-   providing a high-level interface for repository operations.
-   The legacy implementation is in use in production systems, but is [no longer
-   being actively worked on](docs/adr/0002-pre-1-0-deprecation-strategy.md).
-2) A *modern implementation*. We are in the process of rewriting the reference
-   implementation in [modern Python](docs/adr/0001-python-version-3-6-plus.md)
-   to both: a) address scalability and integration issues identified in
-   supporting integration into the Python Package Index (PyPI), and other
-   large-scale repositories, and b) to ensure maintainability of the project.
-   This implementation consists of:
-   * a "low-level" metadata API, designed to provide easy and safe access to
-     TUF metadata and handle (de)serialization from/to files, provided in the
-     [`tuf/api/metadata.py`](tuf/api/metadata.py) module.
-   * an implementation of the detailed client workflow built on top of the
-     metadata API, provided in the
-     [`tuf/ngclient/updater.py`](tuf/ngclient/updater.py) module.
-   The modern implementation is not considered production ready and does not yet
-   provide any high-level support for implementing
-   [repository operations](https://theupdateframework.github.io/specification/latest/#repository-operations),
-   though the addition of API to support them is planned.
+Python-TUF provides two APIs:
+  * [`tuf.api.metadata`](https://theupdateframework.readthedocs.io/en/latest/api/tuf.api.html),
+    a "low-level" API, designed to provide easy and safe access to TUF
+    metadata and to handle (de)serialization from/to files.
+  * [`tuf.ngclient`](https://theupdateframework.readthedocs.io/en/latest/api/tuf.ngclient.html),
+    a client implementation built on top of the metadata API.
 
+High-level support for implementing
+[repository operations](https://theupdateframework.github.io/specification/latest/#repository-operations)
+is planned but not yet provided: see [1.0.0 plans](docs/1.0.0-ANNOUNCEMENT.md).
 
+In addition to these APIs the project also provides a *legacy
+implementation* with `tuf.client` implementing the client workflow and
+`tuf.repository_tool` providing a high-level interface for repository
+operations. The legacy implementation is going to be
+[deprecated](docs/1.0.0-ANNOUNCEMENT.md) in the near future.
 
 The reference implementation strives to be a readable guide and demonstration
 for those working on implementing TUF in their own languages, environments, or
@@ -75,7 +66,8 @@ Documentation
 -------------
 * [Introduction to TUF's Design](docs/OVERVIEW.rst)
 * [The TUF Specification](https://theupdateframework.github.io/specification/latest/)
-* [Getting Started with the TUF Reference Implementation](docs/GETTING_STARTED.rst)
+* Examples: [client](examples/client_example) and [repository](examples/repo_example)
+* [API Reference](https://theupdateframework.readthedocs.io/)
 * [Governance](docs/GOVERNANCE.md) and [Maintainers](docs/MAINTAINERS.txt)
 for the reference implementation
 * [Miscellaneous Docs](docs/)

docs/CHANGELOG.md

@@ -1,5 +1,42 @@
 # Changelog
 
+
+## v0.20.0
+
+*__NOTE:__ This will be the final release of python-tuf that includes the
+legacy implementation code. Please see the [*1.0.0
+announcement*](1.0.0-ANNOUNCEMENT.md) page for more details about the next
+release and the deprecation of the legacy implementation, including migration
+instructions.*
+
+### Added
+* metadata API: misc input validation (#1630, #1688, #1668, #1672, #1690)
+* doc: repository library design document and ADR (#1693)
+* doc: 1.0.0 announcement (#1706)
+* doc: misc docstrings in metadata API (#1620)
+* doc: repository and client examples (#1675, #1685, #1700)
+* test: ngclient key rotation (#1635, #1649, #1691)
+* test: ngclient top-level role update (#1636)
+* test: ngclient non-consistent snapshot (#1666, #1705)
+* test: more lint/type checks and auto-formatting (#1658, #1664, #1659, #1674,
+        #1677, #1687, #1699, #1701, #1708, #1710, #1720, #1726)
+* build: Python 3.10 support (#1628)
+
+### Changed
+* ngclient: misc API changes (#1604, #1731)
+* ngclient: avoid re-loading verified targets metadata (#1593)
+* ngclient: implicitly call refresh() (#1654)
+* ngclient: return loaded metadata (#1680)
+* ngclient: skip visited nodes on delegation tree traversal (#1683)
+* ngclient: remove URL normalisation (#1686)
+* build: modernise packaging configuration (#1626)
+* build: bump dependencies (#1609, #1611, #1616, #1621)
+* build: limit GitHub Action token visibility and permissions (#1652, #1663)
+* test: misc test changes (#1715, #1670, #1671, #1631, #1695, #1702)
+
+### Removed
+* doc: obsolete roadmap (#1698)
+
 ## v0.19.0
 
 For users of legacy client (tuf.client module) this is purely a security fix

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = tuf
-version = 0.19.0
+version = 0.20.0
 author = https://www.updateframework.com
 author_email = [email protected]
 description = A secure updater framework for Python

tuf/__init__.py

@@ -2,7 +2,7 @@
 # setup.cfg has it hard-coded separately.
 # Currently, when the version is changed, it must be set in both locations.
 # TODO: Single-source the version number.
-__version__ = "0.19.0"
+__version__ = "0.20.0"
 
 # This reference implementation produces metadata intended to conform to
 # version 1.0.0 of the TUF specification, and is expected to consume metadata