Tuf

Latest version: v6.0.0


Page 1 of 6

6.0.0

This release is not, strictly speaking, an API break from 5.1, but it does contain some
major internal changes that users should be aware of when upgrading.

Changed

* ngclient: urllib3 is used as the HTTP library by default instead of requests (2762,
  2773, 2789)
  * This removes dependencies on `requests`, `idna`, `charset-normalizer` and `certifi`
  * The deprecated RequestsFetcher implementation is available but requires selecting
    the fetcher at Updater initialization and explicitly depending on requests
* ngclient: TLS certificate source was changed. Certificates now come from the operating
  system certificate store instead of `certifi` (2762)
* ngclient: The updater can now initialize from embedded initial root metadata every
time. Users are recommended to provide the `bootstrap` argument to Updater (2767)
* Test infrastructure has improved and should now be more usable externally, e.g. in
distro test suites (2749)

5.1.0

Changed

* ngclient: default user-agent was updated from "tuf/x.y.z" to "python-tuf/x.y.z" (2632)
* ngclient: max_root_rotations default value was bumped to 256 to prevent a too small value
  from creating issues in actual deployments where the embedded root is not easily
  updateable (2675)
* repository: do_snapshot() and do_timestamp() now always create new versions if current version
is not correctly signed (2650)
* Various infrastructure and documentation improvements

5.0.0

This release, most notably, marks stable securesystemslib v1.0.0 as the minimum
requirement. The update causes a minor break in the new DSSE API (see below)
and affects users who also directly depend on securesystemslib. See the [securesystemslib release
notes](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md#securesystemslib-v100)
and the updated python-tuf `examples` (2617) for details. The ngclient API remains
backwards-compatible.

Changed
* DSSE API: change `SimpleEnvelope.signatures` type to `dict`, remove
`SimpleEnvelope.signatures_dict` (2617)
* ngclient: support app-specific user-agents (2612)
* Various build, test and lint improvements

4.0.0

This release is a small API change for Metadata API users (see below).
ngclient API is compatible but optional DSSE support has been added.

Added
* Added optional DSSE support to Metadata API and ngclient (2436)

Changed
* Metadata API: Improved verification functionality for repository users (2551):
  * This is an API change for Metadata API users
    (`Root.get_verification_result()` and `Targets.get_verification_result()`
    specifically)
  * `Root.get_root_verification_result()` has been added to handle the special
    case of root verification
* Started using UTC datetimes instead of naive datetimes internally (2573)
* Constrain securesystemslib dependency to <0.32.0 in preparation for future
securesystemslib API changes
* Various build, test and lint improvements

3.1.1

This is a security fix release to address advisory
GHSA-77hh-43cm-v8j6. The issue does **not** affect tuf.ngclient
users, but could affect tuf.api.metadata users.

Changed
* Added additional input validation to
`tuf.api.metadata.Targets.get_delegated_role()`

3.1.0

Not secure
Added
* Metadata API: move verify_delegate() to Root/Targets (2378)
  - *verify_delegate() on Metadata is now deprecated*
* Metadata API: add get_verification_result() as verbose alternative for
verify_delegate() (2481)
* Metadata API: add MetaFile.from_data() convenience factory (2273)

Changed
* Metadata API: change Root.roles type hint to Dict (2411)
* Various minor improvements in tests (2447, 2491), docs
(2390, 2392, 2474) and build (2389, 2453, 2479, 2488)

Removed
* build: Python 3.7 support (2460)
