Tuf

Latest version: v6.0.0


3.0.0

Not secure
The notable change in this release is 2165: the tuf.api.metadata.Key
class implementation was moved to Securesystemslib with minor API
changes. These changes require no action from tuf.ngclient users, but may
require small changes in repository implementations that use
tuf.api.metadata to create keys.

As a result of these changes, both signing and verification are now
fully extensible; see the Securesystemslib signer API for details.

tuf.repository remains an unstable module in 3.0.0.

Added
* Build: Use pydocstyle to lint docstrings (2283, 2281)
* Examples: Add Repository uploader/signer tool example (2241)
* Metadata API: Add TargetFile.get_prefixed_paths() (2166)
* ngclient: Export TargetFile (2279)
* repository: Add strictly typed accessors and context managers (2311)
* Release: Use PyPI Trusted Publishing
  (https://docs.pypi.org/trusted-publishers/) (2371)

Changed
* Build: Various minor build and release infrastructure improvements,
dependency updates
* Metadata API: Key class is still part of the API but now comes from
  Securesystemslib (2165):
  * `Key.verify_signature()` method signature has changed
  * `Key.from_securesystemslib_key()` was removed: use
    Securesystemslib's `SSlibKey.from_securesystemslib_key()` instead

2.1.0

Not secure
Added
* repo: experimental repository module and example (2193)
* ngclient: expose default requests fetcher (2277)
* workflow: OpenSSF scorecard (2190)
* build: Python 3.11 support (2157)
* docs: security policy (2098, 2178)
* blog: signer API (2276)
* blog: security audit (2155, 2156)

Changed
* Metadata API: bump specification version 1.0.31 (2119)
* Metadata API: allow zero length metadata files (2137)
* Metadata API: add default value for MetaFile version (2211)
* Metadata API, ngclient: decrease logger verbosity (2243)
* ngclient: define API explicitly (2233)
* ngclient: improve example client output (2194)
* ngclient: support URLs without host part (2075)
* ngclient: update metaclass syntax (2215)
* ngclient: fail gracefully on missing role (2197)
* ngclient: improve type annotations in TrustedMetadataSet (2250)
* doc: misc improvements (2097, 2130, 2183, 2185, 2201, 2208, 2230, 2278)
* build: misc improvements (2090, 2091, 2122, 2187, 2188, 2217, 2252)
* workflow: misc improvements (2001, 2092, 2147, 2159, 2173)

2.0.0

Not secure
This release, most notably, adds support for [TAP 15] - succinct hash bin delegation,
which results in a few backwards-incompatible changes in the Metadata API.

**NOTE**: While TAP 15 has been accepted it is not yet part of the TUF specification.
Therefore, adopters should be prepared for potential changes to the implementation
in future and for a lack of support for TAP 15 in other TUF implementations.

[TAP 15]: https://github.com/theupdateframework/taps/blob/master/tap15.md

Added
* Metadata API: TAP 15 - succinct hash bin delegation (2010, 2031, 2038, 2039)
* build: CodeQL analysis action (1932)
* build: Dependency review action (1974)
* blog: ngclient design (1914)
* blog: tricky test cases (1941, 2027)

Changed
* Metadata API: **BREAKING CHANGES** in Root and Targets class (2010)
  - Argument order changed in add_key() and remove_key()
  - remove_key() renamed to revoke_key()
* Metadata API: Update supported spec version to 1.0.30 (2035)
* ngclient: Use trusted timestamp role if new timestamp has equal version (2024)
* docs: Misc improvements (1983, 2002, 2004, 2041, 2051, 2064)
* tests: Misc improvements (2017)
* tests: Stop using requests type annotations (1991)
* build: Pin hatchling version (1989)
* build: Tweak pip download in verify_release script (1982)
* build: Update pinned dependency versions

Fixes
* Metadata API: Check for None instead of falsiness for some optional arguments (1975)
* ngclient: Prevent use of potentially undefined variable (2003)
* tests: Change git attributes for test data (2063)

1.1.0

Not secure
This release contains major build improvements as well as fixes and
backwards-compatible API improvements.

Added
* build: Release process was moved to CD platform (1946, 1971, 1976)
* build: Build is now reproducible thanks to Hatchling (1896, 1900)
* build: Build results are now verifiable (1913, 1926, 1947, 1979)
* build: test dependencies are now pinned for reproducibility (1867, 1918)
* Metadata API: Validation is now possible during serialization (1775)
* Infrastructure: Setup development blog (1886, 1887)

Changed
* Metadata API: Supported specification version updated (1908, 1960)
* Metadata API: unrecognized_fields annotation fix (1950)
* Metadata API: Constructors are now easier to use (1922)
* Metadata API: Logging and error message improvements (1876)
* build: Include examples in source distribution (1970)
* build: Updated pinned dependency versions
* tests: Various improvements (1707, 1758, 1808, 1860, 1915, 1936,
1953, 1954, 1955)

1.0.0

Not secure
announcement*](1.0.0-ANNOUNCEMENT.md) page for more details about the next
release and the deprecation of the legacy implementation, including migration
instructions.*

Added
* metadata API: misc input validation (1630, 1688, 1668, 1672, 1690)
* doc: repository library design document and ADR (1693)
* doc: 1.0.0 announcement (1706)
* doc: misc docstrings in metadata API (1620)
* doc: repository and client examples (1675, 1685, 1700)
* test: ngclient key rotation (1635, 1649, 1691)
* test: ngclient top-level role update (1636)
* test: ngclient non-consistent snapshot (1666, 1705)
* test: more lint/type checks and auto-formatting (1658, 1664, 1659, 1674,
1677, 1687, 1699, 1701, 1708, 1710, 1720, 1726)
* build: Python 3.10 support (1628)

Changed
* ngclient: misc API changes (1604, 1731)
* ngclient: avoid re-loading verified targets metadata (1593)
* ngclient: implicitly call refresh() (1654)
* ngclient: return loaded metadata (1680)
* ngclient: skip visited nodes on delegation tree traversal (1683)
* ngclient: remove URL normalisation (1686)
* build: modernise packaging configuration (1626)
* build: bump dependencies (1609, 1611, 1616, 1621)
* build: limit GitHub Action token visibility and permissions (1652, 1663)
* test: misc test changes (1715, 1670, 1671, 1631, 1695, 1702)

Removed
* doc: obsolete roadmap (1698)

0.20.0

Not secure
*__NOTE:__ This will be the final release of python-tuf that includes the
