In Toto Versions Save

Added

• Python 3.10 support (#480)
• Roadmap review (#463)

Changed

• Bump dependencies: attrs (#482), cffi (#474), cryptography (#468, #472, #477, #481), iso8601 (#476, #478, #479), pycparser (#475), pynacl (#483), securesystemslib (#469)
• Use explicit UTF-8 encoding in open calls (#470)
• Misc. linter changes (#473)
• Update acknowledgment to reflect Purdue (#471)

Removed

• Python 3.6 support (#485)

Added

• Added tests that use source and destination prefixes in match rules, courtesy of Brandon Michael Hunter (#456)

Changed

• Updated documentation of command alignment during verification workflow (#455)
• Started using GitHub-native dependabot (#450)
• Bump dependencies: attrs (#451), six (#452), securesystemslib (#453), cffi (#457), python-dateutil (#458), iso8601 (#459), pathspec (#460)
• Fixed linter warnings (#462)

NOTE: this release of in-toto drops supports for Python 2.7. This is because Python 2.7 was marked end-of-life in January of 2020, and since then several of in-toto's direct and transitive dependencies have stopped supporting Python 2.7.

Added

• SPDX License identifiers and copyright information (#440)
• Aditya Sirish (@adityasaky) as a maintainer (#443)

Changed

• PyPI development status from Beta to Production/Stable (#447)
• Santiago Torres-Arias's (@SantiagoTorres) email to reflect Purdue affiliation (#446)
• Debian downstream release metadata (#437)
• Bump dependency: cryptography (#442)

Removed

• Dropped support for Python 2.7 (#438)

NOTE: this will be the final release of in-toto that supports Python 2.7. This is because Python 2.7 was marked end-of-life in January of 2020, and since then several of in-toto's direct and transitive dependencies have stopped supporting Python 2.7.

Added

• Python 3.9 in the CI test matrix (#419)
• Logo and other visual enhancements on readthedocs (#420, #428)
• Review of first evaluation period for 2021 roadmap (#421)

Changed

• Switch to GitHub Actions for CI (#432)
• Switch to only running bandit on Python versions greater than 3.5 (#416)
• Debian downstream release metadata (#418)
• Bump tested dependencies: cffi (#415, #427), cryptography (#424, #429), securesystemslib (#430, #431), iso8601 (#423) NOTE: the latest version of cryptography is no longer used on Python 2, as that is not supported.

Removed

• Dropped support for Python 3.5 (#419)

Added

• '-P/--password' (prompt) cli argument for in-toto-run/in-toto-record (#402)
• in-toto-run link command timeout setting (#367)
• API and usage documentation for cryptographic key handling with securesystemslib (#402, #408)
• Artifact recording exclude pattern documentation (#373, #405)
• Test key generation mixin (#402)
• 2021 roadmap document (#381)

Changed

• Move 'settings' docs to new 'configuration' section and make minor enhancements in structure and content (#405)
• Update tested dependencies (#377, #383, #384, #386, #389, #390, #394, #397, #398, #400, #404, #406, #409, #410, #411)
• Debian downstream release metadata (#382)

Removed

• 'util' crypto module in favor of securesystemslib key interfaces (#402)
• Obsolete coveralls.io API call in Travis test builds (#399)

Fixed

• Minor docs issues (#396, #385, #395)
• pylint 2.6.0 (#387) and lgtm.com (#379) warnings

• Docs: Major CLI and API documentation overhaul and release (#341, #369)
• Bugfix: Use kwargs in in-toto-run to fix lstrip-paths bug (#340)
• Feature: Add option to specify target directory for generated metadata (#364)
• Tests: Add Python 3.8 to tested versions (#339)
• Tests: Add tmp dir and gpg key test mixins (#345)
• Tests: Use constant from securesystemslib to detect GPG in tests (#352)
• Tests: Enhance test suite feedback on Windows (#368)
• Dependencies: Misc updates (#342, #346, #349, #350, #353, #354, #356, #358, #359, #362, #363, #366)

• Drop custom OpenPGP subpackage and subprocess module and instead use the ones provided by securesystemslib, which are based on the in-toto implementation and receive continued support from a larger community (#325)
  • A race condition that caused tests to sporadically fail was already fixed in securesystemslib and is now also available to in-toto (#282, secure-systems-lab/securesystemslib#186)
• Add Sphinx boilerplate and update installation instructions (#298, #331)
• Update misc dependencies (#317, #318, #319, #320, #322, #323, #324, #326, #327, #328, #333, #335, #329)
• Update downstream debian metadata (#311, #334)

• Update securesystemslib dependency to v0.12.0 (#299)
• Add --version option to CLI tools (#310)
• Address linter warnings (#308)
• Update downstream debian metadata (#302, #305, #309)

• Add REQUIRE artifact rule support (#269, #280)
• Enhance OpenPGP key export and provide key expiration verification (#266, #288)
• Make transitive dependency PyNaCl optional for in-toto (#291)
• Improve automatic testing and code coverage measurement (#295) as well as static analysis with pylint (#279, #296)
• Update repository metadata
  • Add initial 1-year roadmap (#268)
  • Revise dependency handling for monitoring and library compatibility (#294)
  • Update maintainers and contributor information (#283, #274, #297)
  • Enhance source distribution configs and include tests and other metadata, relevant to downstream packagers, with future source distributions (#290)

• Re-factor rule verification engine and fix for a false-reject on very specific layouts (#262)
• Add support for duplicate standard streams (#252)
• Enhance support for Summary link naming (i.e., better sublayout verification, #256)
• Improve rule verification messages (#243)
• Small fixes for OpenPGP parsing functions (#255)
• Properly verify self-signature and signature binding signatures upon export (#257)
• Add lstrip-paths parameter (as an enhancement/replacement for basepath) (#250)
• Fix a bug where multiple PGP subkeys could count towards the threshold (#251)
• Fix a bug where RSA signatures wouldn't be sufficiently padded and a signature would be erroneously-rejected #170
• Change license to Apache