Tuf Versions

Python reference implementation of The Update Framework (TUF)

v4.0.0

1 month ago

This release includes a small API change for Metadata API users (see below). The ngclient API remains compatible, but optional DSSE support has been added.

Added

  • Added optional DSSE support to Metadata API and ngclient (#2436)

Changed

  • Metadata API: Improved verification functionality for repository users (#2551):
    • This is an API change for Metadata API users (Root.get_verification_result() and Targets.get_verification_result() specifically)
    • Root.get_root_verification_result() has been added to handle the special case of root verification
  • Started using UTC datetimes instead of naive datetimes internally (#2573)
  • Constrain securesystemslib dependency to <0.32.0 in preparation for future securesystemslib API changes
  • Various build, test and lint improvements

v3.1.1

2 months ago

This is a security fix release to address advisory GHSA-77hh-43cm-v8j6. The issue does not affect tuf.ngclient users, but could affect tuf.api.metadata users.

Changed

  • Added additional input validation to tuf.api.metadata.Targets.get_delegated_role()

v3.1.0

6 months ago

See CHANGELOG.md for details.

v3.0.0

1 year ago

See CHANGELOG.md for details.

v2.1.0

1 year ago

See CHANGELOG.md for details.

v2.0.0

1 year ago

See CHANGELOG.md for details.

v1.1.0

2 years ago

See CHANGELOG.md for details.

v1.0.0

2 years ago

This release makes ngclient and the Metadata API the supported python-tuf APIs. It also removes the legacy implementation as documented in the 1.0.0 announcement: all library code is now contained in tuf.api or tuf.ngclient.

See Python-TUF reaches version 1.0.0 for a blog post about this release.

Added

  • tests: Extend testing (#1689, #1703, #1711, #1728, #1735, #1738, #1742, #1766, #1777, #1809, #1831)

Changed

  • Metadata API: Disallow microseconds in expiry (#1712)
  • Metadata API: Preserve role keyid order (#1754)
  • Metadata API: Make exceptions more consistent (#1725, #1734, #1787, #1840, #1836)
  • Metadata API: Update supported spec version to "1.0.28" (#1825)
  • Metadata API: Accept legacy spec version "1.0" (#1796)
  • Metadata API: Accept custom fields in Metadata (#1861)
  • ngclient: Remove temporary file in failure cases (#1757)
  • ngclient: Explicitly encode rolename in URL (#1759)
  • ngclient: Allow HTTP payload compression (#1774)
  • ngclient: Make exceptions more consistent (#1799, #1810)
  • docs: Improve documentation (#1744, #1749, #1750, #1755, #1771, #1776, #1772, #1780, #1781, #1800, #1815, #1820, #1829, #1838, #1850, #1853, #1855, #1856, #1868, #1871)
  • build: Various build infrastructure improvements (#1718, #1724, #1760, #1762, #1767, #1803, #1830, #1832, #1837, #1839)
  • build: Stop supporting EOL Python 3.6 (#1783)
  • build: Update dependencies (#1809, #1827, #1834, #1863, #1865, #1870)

Removed

  • Remove all legacy code including old client, repository_tool, repository_lib and the scripts (#1790)
  • Metadata API: Remove modification helper methods that are no longer necessary (#1736, #1740, #1743)
  • tests: Remove client tests that were replaced with better ones (#1741)
  • tests: Stop using unittest_toolbox (#1792)
  • docs: Remove deprecated documentation (#1768, #1769, #1773, #1848)

v0.20.0

2 years ago

NOTE: This will be the final release of python-tuf that includes the legacy implementation code. Please see the 1.0.0 announcement page for more details about the next release and the deprecation of the legacy implementation, including migration instructions.

Added

  • metadata API: misc input validation (#1630, #1688, #1668, #1672, #1690)
  • doc: repository library design document and ADR (#1693)
  • doc: 1.0.0 announcement (#1706)
  • doc: misc docstrings in metadata API (#1620)
  • doc: repository and client examples (#1675, #1685, #1700)
  • test: ngclient key rotation (#1635, #1649, #1691)
  • test: ngclient top-level role update (#1636)
  • test: ngclient non-consistent snapshot (#1666, #1705)
  • test: more lint/type checks and auto-formatting (#1658, #1664, #1659, #1674, #1677, #1687, #1699, #1701, #1708, #1710, #1720, #1726)
  • build: Python 3.10 support (#1628)

Changed

  • ngclient: misc API changes (#1604, #1731)
  • ngclient: avoid re-loading verified targets metadata (#1593)
  • ngclient: implicitly call refresh() (#1654)
  • ngclient: return loaded metadata (#1680)
  • ngclient: skip visited nodes on delegation tree traversal (#1683)
  • ngclient: remove URL normalisation (#1686)
  • build: modernise packaging configuration (#1626)
  • build: bump dependencies (#1609, #1611, #1616, #1621)
  • build: limit GitHub Action token visibility and permissions (#1652, #1663)
  • test: misc test changes (#1715, #1670, #1671, #1631, #1695, #1702)

Removed

  • doc: obsolete roadmap (#1698)

v0.19.0

2 years ago

For users of the legacy client (tuf.client module), this is purely a security fix release with no API or functionality changes. For ngclient (tuf.ngclient) and the Metadata API (tuf.api.metadata), some API changes are included.

All users are advised to upgrade.

Note that python-tuf has required python>=3.5 since release 0.18.0.

Fixed

  • GHSA-wjw6-2cqr-j4qr: Fix a client-side issue in both the legacy client (tuf.client) and ngclient (tuf.ngclient) where a malicious repository could trick the client into overwriting files outside the client metadata store during a metadata update. The fix includes percent-encoding the metadata rolename before using it as part of a filename. See https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
  • ngclient: Do not use urljoin to form metadata URL (included in GHSA-wjw6-2cqr-j4qr)
  • ngclient: Persist metadata safely (#1574)
  • ngclient: Handle timeout on session.get() (#1588)
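
The two GHSA-wjw6-2cqr-j4qr items above (percent-encoding the rolename before it becomes a filename, and not using urljoin for the metadata URL) can be illustrated with the following added example. It is not python-tuf's own code; the directory, base URL, function names and role names are assumptions constructed for the illustration.

```python
import posixpath
from urllib import parse

# Hypothetical client configuration, constructed for this example.
METADATA_DIR = "/var/lib/app/tuf-metadata"
BASE_URL = "https://repo.example/metadata/"


def naive_local_path(metadata_dir: str, rolename: str) -> str:
    """Pre-fix pattern: the rolename is used verbatim as a filename."""
    return posixpath.normpath(posixpath.join(metadata_dir, f"{rolename}.json"))


def safe_local_path(metadata_dir: str, rolename: str) -> str:
    """Percent-encode every reserved character, including '/', first."""
    encoded = parse.quote(rolename, safe="")
    return posixpath.join(metadata_dir, f"{encoded}.json")


def naive_url(base_url: str, rolename: str) -> str:
    """urljoin resolves the rolename as a relative reference ('..' is applied)."""
    return parse.urljoin(base_url, f"{rolename}.json")


def safe_url(base_url: str, rolename: str) -> str:
    """Plain concatenation of the base URL and the encoded rolename."""
    return f"{base_url}{parse.quote(rolename, safe='')}.json"


def is_inside(directory: str, path: str) -> bool:
    """True if the normalised path is located under directory."""
    directory = posixpath.normpath(directory)
    return posixpath.commonpath([directory, posixpath.normpath(path)]) == directory


def audit(rolenames):
    """Return (rolename, naive_ok, safe_ok) for each delegated role name."""
    return [
        (r, is_inside(METADATA_DIR, naive_local_path(METADATA_DIR, r)),
         is_inside(METADATA_DIR, safe_local_path(METADATA_DIR, r)))
        for r in rolenames
    ]


if __name__ == "__main__":
    # Constructed role names: one ordinary, one containing path separators.
    for row in audit(["project-a", "../escaped"]):
        print(row)
    print(naive_url(BASE_URL, "../escaped"), safe_url(BASE_URL, "../escaped"))
```

The same containment check is useful as a regression test in any client that derives local filenames from repository-supplied metadata fields.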

Added

  • build: Dependabot now monitors GitHub Actions (#1572)
  • tests: ngclient test improvements (#1564, #1569, #1587)
  • Metadata API: Add TargetFile.from_file() (#1521)

Changed

  • build: Bump dependency charset-normalizer (#1581, #1586)
  • build: Bump dependency urllib3 (#1589)
  • build: Bump dependency cryptography (#1596)
  • Metadata API: Documentation improvements (#1533, #1590)
  • Metadata API: change Timestamp meta API (#1446)
  • Metadata API: change Delegations roles API (#1537)
  • ngclient: Remove unnecessary sleep() (#1608)
  • ngclient: Fix consistent targets URL resolution (#1591)
  • ngclient: Don't use target path as local path (#1592)