Tuf

Added
* repo: experimental repository module and example (2193)
* ngclient: expose default requests fetcher (2277)
* workflow: OpenSSF scorecard (2190)
* build: Python 3.11 support (2157)
* docs: security policy (2098, 2178)
* blog: signer API (2276)
* blog: security audit (2155, 2156)

Changed
* Metadata API: bump specification version 1.0.31 (2119)
* Metadata API: allow zero length metadata files (2137)
* Metadata API: add default value for MetaFile version (2211)
* Metadata API, ngclient: decrease logger verbosity (2243)
* ngclient: define API explicitly (2233)
* ngclient: improve example client output (2194)
* ngclient: support URLs without host part (2075)
* ngclient: update metaclass syntax (2215)
* ngclient: fail gracefully on missing role (2197)
* ngclient: improve type annotations in TrustedMetadataSet (2250)
* doc: misc improvements (2097, 2130, 2183, 2185, 2201, 2208, 2230, 2278)
* build: misc improvements (2090, 2091, 2122, 2187, 2188, 2217, 2252)
* workflow: misc improvements (2001, 2092, 2147, 2159, 2173)

This release, most notably, adds support for [TAP 15] - succinct hash bin delegation,
which results in a few backwards-incompatible changes in the Metadata API.

**NOTE**: While TAP 15 has been accepted it is not yet part of the TUF specification.
Therefore, adopters should be prepared for potential changes to the implementation
in future and for a lack of support for TAP 15 in other TUF implementations.

[TAP 15]: https://github.com/theupdateframework/taps/blob/master/tap15.md

Added
* Metadata API: TAP 15 - succinct hash bin delegation (2010, 2031, 2038, 2039)
* build: CodeQL analysis action (1932)
* build: Dependency review action (1974)
* blog: ngclient design (1914)
* blog: tricky test cases (1941, 2027)

Changed
* Metadata API: **BREAKING CHANGES** in Root and Targets class (2010)
- Argument order changed in add_key() and remove_key()
- remove_key() renamed to revoke_key()
* Metadata API: Update supported spec version to 1.0.30 (2035)
* ngclient: Use trusted timestamp role if new timestamp has equal version (2024)
* docs: Misc improvements (1983, 2002, 2004, 2041, 2051, 2064)
* tests: Misc improvements (2017)
* tests: Stop using requests type annotations (1991)
* build: Pin hatchling version (1989)
* build: Tweak pip download in verify_release script (1982)
* build: Update pinned dependency versions

Fixes
* Metadata API: Check None instead of falsyness for some optional arguments (1975)
* ngclient: Prevent use of potentially undefined variable (2003)
* tests: Change git attributes for test data (2063)

This release contains major build improvements as well as fixes and
backwards-compatible API improvements.

Added
* build: Release process was moved to CD platform (1946, 1971, 1976)
* build: Build is now reproducible thanks to Hatchling (1896, 1900)
* build: Build results are now verifiable (1913, 1926, 1947, 1979)
* build: test dependencies are now pinned for reproducibility (1867, 1918)
* Metadata API: Validation is now possible during serialization (1775)
* Infrastructure: Setup development blog (1886, 1887)

Changed
* Metadata API: Supported specification version updated (1908, 1960)
* Metadata API: unrecognized_fields annotation fix (1950)
* Metadata API: Constructors are now easier to use (1922)
* Metadata API: Logging and error message improvements (1876)
* build: Include examples in source distribution (1970)
* build: Updated pinned dependency versions
* tests: Various improvements (1707, 1758, 1808, 1860, 1915, 1936,
1953, 1954, 1955)

announcement*](1.0.0-ANNOUNCEMENT.md) page for more details about the next
release and the deprecation of the legacy implementation, including migration
instructions.*

Added
* metadata API: misc input validation (1630, 1688, 1668, 1672, 1690)
* doc: repository library design document and ADR (1693)
* doc: 1.0.0 announcement (1706)
* doc: misc docstrings in metadata API (1620)
* doc: repository and client examples (1675, 1685, 1700)
* test: ngclient key rotation (1635, 1649, 1691)
* test: ngclient top-level role update (1636)
* test: ngclient non-consistent snapshot (1666, 1705)
* test: more lint/type checks and auto-formatting (1658, 1664, 1659, 1674,
1677, 1687, 1699, 1701, 1708, 1710, 1720, 1726)
* build: Python 3.10 support (1628)

Changed
* ngclient: misc API changes (1604, 1731)
* ngclient: avoid re-loading verified targets metadata (1593)
* ngclient: implicitly call refresh() (1654)
* ngclient: return loaded metadata (1680)
* ngclient: skip visited nodes on delegation tree traversal (1683)
* ngclient: remove URL normalisation (1686)
* build: modernise packaging configuration (1626)
* build: bump dependencies (1609, 1611, 1616, 1621)
* build: limit GitHub Action token visibility and permissions (1652, 1663)
* test: misc test changes (1715, 1670, 1671, 1631, 1695, 1702)

Removed
* doc: obsolete roadmap (1698)

*__NOTE:__ This will be the final release of python-tuf that includes the

For users of legacy client (tuf.client module) this is purely a security fix
release with no API or functionality changes. For ngclient (tuf.ngclient) and
Metadata API (tuf.api.metadata), some API changes are included.

**All users are advised to upgrade**.

Note that python-tuf has required python>=3.5 since release 0.18.0.

Fixed
* GHSA-wjw6-2cqr-j4qr: Fix client side issue in both legacy client (tuf.client)
and ngclient (tuf.ngclient) where a malicious repository could trick client
to overwrite files outside the client metadata store during a metadata
update. The fix includes percent-encoding the metadata rolename before using
it as part of a filename
https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
* ngclient: Do not use urljoin to form metadata URL (included in
GHSA-wjw6-2cqr-j4qr)
* ngclient: Persist metadata safely (1574)
* ngclient: Handle timeout on session.get() (1588)

Added
* build: Dependabot now monitors GitHub Actions (1572)
* tests: ngclient test improvements (1564, 1569, 1587)
* Metadata API: Add TargetFile.from_file() (1521)

Changed
* build: Bump dependency charset-normalizer (1581, 1586)
* build: Bump dependency urllib3 (1589)
* build: Bump dependency cryptography (1596)
* Metadata API: Documentation improvements (1533, 1590)
* Metadata API: change Timestamp meta API (1446)
* Metadata API: change Delegations roles API (1537)
* ngclient: Remove unnecessary sleep() (1608)
* ngclient: Fix consistent targets URL resolution (1591)
* ngclient: Don't use target path as local path (1592)