Tuf

Latest version: v6.0.0

Page 3 of 6

0.19.0

Not secure
For users of the legacy client (tuf.client module) this is purely a security fix
release with no API or functionality changes. For ngclient (tuf.ngclient) and
the Metadata API (tuf.api.metadata), some API changes are included.

**All users are advised to upgrade**.

Note that python-tuf has required python>=3.5 since release 0.18.0.

Fixed
* GHSA-wjw6-2cqr-j4qr: Fix a client-side issue in both the legacy client (tuf.client)
and ngclient (tuf.ngclient) where a malicious repository could trick the client
into overwriting files outside the client metadata store during a metadata
update. The fix includes percent-encoding the metadata rolename before using
it as part of a filename.
https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
* ngclient: Do not use urljoin to form metadata URL (included in
GHSA-wjw6-2cqr-j4qr)
* ngclient: Persist metadata safely (1574)
* ngclient: Handle timeout on session.get() (1588)
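The two patterns the advisory entries above refer to, the rolename-as-filename construction and the urljoin-based URL construction, side by side with their percent-encoded replacements. This is an added illustration, not python-tuf's own code; the store path, repository URL, role names and function names are all constructed for the example.

```python
import posixpath
from urllib.parse import quote, urljoin

# Constructed store path and repository URL (not from python-tuf).
STORE = "/var/lib/client/metadata"
BASE_URL = "https://repo.example/metadata/"


def unsafe_metadata_path(store: str, rolename: str) -> str:
    """Pre-fix pattern: the rolename is used verbatim as a filename, so a
    rolename containing path separators or '..' escapes the store directory."""
    return posixpath.normpath(posixpath.join(store, f"{rolename}.json"))


def safe_metadata_path(store: str, rolename: str) -> str:
    """Fixed pattern: percent-encode the rolename first. With safe="" even
    '/' becomes %2F, so the result is always a direct child of the store."""
    encoded = quote(rolename, safe="")
    path = posixpath.normpath(posixpath.join(store, f"{encoded}.json"))
    # Defence in depth: refuse anything that is not directly inside the store.
    if posixpath.dirname(path) != posixpath.normpath(store):
        raise ValueError(f"refusing to write outside metadata store: {path}")
    return path


def unsafe_metadata_url(base_url: str, rolename: str) -> str:
    """Pre-fix pattern: urljoin resolves the rolename as a URL reference, so
    an absolute URL or '..' segments in it replace part of the base URL."""
    return urljoin(base_url, f"{rolename}.json")


def safe_metadata_url(base_url: str, rolename: str) -> str:
    """Fixed pattern: append the percent-encoded rolename as a plain string;
    no URL-reference resolution takes place, so the base URL is preserved."""
    return f"{base_url}{quote(rolename, safe='')}.json"
```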

Added
* build: Dependabot now monitors GitHub Actions (1572)
* tests: ngclient test improvements (1564, 1569, 1587)
* Metadata API: Add TargetFile.from_file() (1521)

Changed
* build: Bump dependency charset-normalizer (1581, 1586)
* build: Bump dependency urllib3 (1589)
* build: Bump dependency cryptography (1596)
* Metadata API: Documentation improvements (1533, 1590)
* Metadata API: change Timestamp meta API (1446)
* Metadata API: change Delegations roles API (1537)
* ngclient: Remove unnecessary sleep() (1608)
* ngclient: Fix consistent targets URL resolution (1591)
* ngclient: Don't use target path as local path (1592)

0.18.1

Not secure
Changed
* Update setup.cfg to not build universal wheels (1566)

0.18

* Support only Python 3 and modernize the infrastructure accordingly
* Metadata API (a low-level API for metadata de/serialization and
modification) is now feature-complete for the client use cases
* ngclient (a new high-level client API) was added. ngclient should be
considered an unstable API and is not yet recommended for production
use.

Additionally, the GitHub project name changed: the project is now "python-tuf"
instead of "tuf". Redirects are in place for the old name, but updating links is
advised.

Added
* Add ADR6: Where to implement serialization (1270)
* Add ADR8: Unrecognized fields (1343)
* Add ADR9: Refine reference implementation purpose (1554)
* Add client Network IO abstraction (1250, 1302)
* Add many features to Metadata API to support de/serializing
specification-compliant metadata, and safer access through API:
  * Metadata.from_bytes()/to_bytes() (1354, 1490)
  * Key, Role (1360, 1386, 1423, 1480, 1481, 1520)
  * DelegationRole, Delegations (1370, 1512)
  * MetaFile, TargetFile (1329, 1437, 1454, 1514)
  * verification of threshold of signatures (1435, 1436)
  * expiration check method (1347)
  * support unrecognized fields in metadata (1345)
  * use Generics to improve static typing (1457)
* Extensive Metadata API testing and validation
(1359, 1416, 1416, 1430, 1449, 1450, 1451, 1460, 1466, 1511)
* Add ngclient: a new client library implementation
(1408, 1448, 1463, 1467, 1470, 1474, 1501, 1509, 1519, 1524)
* Infrastructure improvements:
  * mypy, black and isort integration (1314, 1363, 1395, 1455, 1489)
  * API reference documentation build (1517)

Removed
* Remove Python 2 support (1293)
* Remove direct dependency on six
* Remove obsolete reference to Thandy in a LICENSE file (1472)

Changed
* Bump dependencies:
  * Certifi
  * Cryptography
  * Idna
  * Requests
  * Securesystemslib
  * Six
  * Urllib3
* Replace indirect dependency chardet with charset-normalizer
* Move Metadata API serialization to sub-package (1279)
* Use SecureSystemslib Signer interface in Metadata API (1272)
* Make imports compatible with vendoring (1261)

Fixed
* 'ecdsa' is a supported key type (1453)
* Fix various build infrastructure issues (1289, 1295, 1321, 1327, 1364,
1369, 1542)
* Test fixes (1337, 1346)

0.18.0

Not secure

0.17.0

Not secure
**NOTE**: this will be the final release of tuf that supports Python 2.7.
This is because Python 2.7 was marked [end-of-life](
https://www.python.org/dev/peps/pep-0373/) in January of 2020, and
since then several of tuf's direct and transitive dependencies have stopped
supporting Python 2.7.

Added
* Added Architectural Decisions Records (ADRs) for:
  * where to develop python-tuf 1.0 (1220)
  * to justify the extent of OOP in the metadata model (1229)
  * to decide on a Python code style guide (1232)

Changed
* Switch to GitHub Actions for CI (1242, 1283, 1252)
* Switch to only running bandit on Python versions greater than 3.5 (1234)
* Bump dependencies: requests (1245), chardet (1239), urllib3 (1268),
cffi (1280), securesystemslib (1285), cryptography (1282, 1286).
**NOTE**: the latest version of cryptography is no longer used on
Python 2, as that is not supported.
* Moved from dependabot-preview to GitHub native Dependabot (1258)
* Configure dependabot to ignore idna, as it breaks Python 2.7 builds (1259)
* Install securesystemslib in tox in non-editable mode (1228)
* Change the editable venv installation order (1271)

Fixed
* Updated expiration check in Updater to better match the specification (1235)
* Ensure tempfile's are closed in Updater (1226)

Removed
* Dropped support for Python 3.5 (1238)

0.16.0

Not secure
Added
* Begin to document architectural and project-wide decisions as Architectural
Decision Records (ADRs) in docs/adr (1182, 1203)
* Add Python 3.9 to the CI test matrix (1200)
* Implement a class for Root metadata in the simple TUF role metadata model in
`tuf.api` (1193)

Changed
* Bump dependencies: cryptography (1189, 1190), requests (1210),
urllib (1212), cffi (1222), certifi (1201), securesystemslib (1191)
* Simplify the test runner (`aggregate_tests`) and stop executing unit test
modules in a random order (1187)
* Speed up indefinite freeze tests by removing `sleep()` calls (1194)
* Adapt to securesystemslib changes in key generation interfaces (1191)
* Migrate from travis-ci.org to travis-ci.com (1208)
* Make metadata signatures ordered by keyid, to ensure deterministic signature
ordering in metadata files (1217)
* Improve test reliability by using thread-safe `Queue`s, rather than files,
for process communication (1198)
* Avoid reading an entire target file into memory when generating target file
hashes in `tuf.client.updater` (1219)
* Remove use of an empty list (`[]`) as the default argument in a test
function (1216)
* Simplified updater logic for downloading and verifying target files (1202)

Fixed
* Fix threshold computation in `_verify_root_self_signed()` such that
signatures by the same root key count only once towards the threshold (1218)

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.