Releases: theupdateframework/python-tuf

v0.13.0

04 Aug 14:01
v0.13.0
7a418a2

Added

  • Add support for BLAKE hash functions (#993)
  • Don't list root metadata in snapshot metadata, per latest spec (#988)
  • Enable targets metadata to be generated without access to the target files (#1007, #1020)
  • Implement support for abstract files and directories (#1024, #1034)
  • Make lengths and hashes optional for timestamp and snapshot roles (#1031)

Changed

  • Revise requirements files to have layered requirements (#978, #982)
  • Update tutorial instructions (#981, #992) and documentation (#1054, #1001)
  • Replace hard-coded logger names (#989)
  • Fix target file path hashing to ensure paths are hashed as they appear in targets metadata (#1007)
  • Refactor code handling hashed bins (#1007, #1013, #1040, #1058)
  • Improve performance when delegating to a large number of hashed bins (#1012)
  • Improve path handling consistency when adding targets and paths (#1008)
  • Clarify error message and docstring for custom parameter of add_target() (#1027)
  • Ensure each key applies to signature threshold only once (#1091)

Fixed

  • Fix broken CI (#985)
  • Fix tests (#1029, #1064, #1067)
  • Fix loading of delegated targets during repository load (#1049, #1052, #1071)
  • Fix key loading in repo.py (#1066)
  • Remove redundant code in downloader (#1073)
  • Fix alarming logging in updater (#1092)

v0.12.2

10 Jan 21:17
v0.12.2
15414c6

  • Fix incorrect threshold signature computation (#974)
  • Drop support for python 3.4 (#966)
  • Improve documentation (#970, #960, #962, #961, #972)
  • Improve test suite and tutorial scripts (#775)

tuf v0.12.1

15 Nov 15:36
25e9e77

Pre-release

tuf v0.12.0

15 Oct 08:36
6138395

Pre-release

tuf v0.11.2.dev3

10 Jan 17:10
v0.11.2.dev3
0b82d9a

Pre-release

Changelog

v0.11.2.dev3 -- not stable due to compromised slow retrieval attack protection

  • Fix unnecessary delegated role downloads when using Updater.targets_of_role (PR here)
  • Minor documentation refinements and corrections
  • Highlight deprecations of Updater.targets_of_role() and Updater.all_targets().
  • Update dependencies to latest versions: pbr, colorama, cryptography, ipaddress (Python2 only), pyyaml, six, requests, idna.
  • Other minor changes

tuf v0.11.2.dev2

05 Nov 21:48
v0.11.2.dev2
e99ff85

Pre-release

Changelog

v0.11.2.dev2 -- not stable

  • Upgrade dependencies to latest versions.

tuf v0.11.2.dev1

03 Oct 03:11
v0.11.2.dev1
4923a88

Pre-release

Changelog

v0.11.2.dev1 -- not stable

  • Allow TUF to work through proxies (HTTP, HTTPS, and TCP (HTTP CONNECT))
    • Adds requests as a dependency
    • Loses defense against a set of slow retrieval attacks in which the malicious server waits on the order of a second between every byte sent!
  • Revise password handling for encrypted keys
  • Upgrade dependencies to latest versions.
  • Update tutorials

For now, this development release does not include a full changelog entry. To see the full list of changes, see this commit list.

tuf v0.11.1

19 Jun 21:36
v0.11.1
921e0f6

Pre-release

Changelog

v0.11.1

  • Prevent persistent freeze attack (pr #737).

  • Add --no-release option to CLI.

  • Issue deprecation warning for all_targets() and targets_of_role().

  • Disable file logging, by default.

  • Tweak network settings (in settings.py) for production environments.

  • Add tuf.log.enable_file_logging() and tuf.log.disable_file_logging().

  • Replace %xx escapes in URLs.

  • Support Appveyor (for Windows) with Continuous Integration.

  • Run unit tests in Python 3.4 & 3.5 under Appveyor.

  • Edit contact text to encourage users to report issues with specification.

  • Generate (w/ CLI) Ed25519 keys, by default.

  • Upgrade dependencies to latest versions.

  • Add requirements.in, which is used to generate the other requirement files.

  • Update list of adopters.

  • Convert README to Markdown.

  • Update installation instructions to note SSLib's optional dependencies
    that should be installed to support RSA, ECDSA, etc. keys.

  • Add unit test for persistent freeze attack.

  • Update list of tasks in ROADMAP.md.

tuf v.0.11.0

30 Apr 19:29
v0.11.0
448d002

Pre-release

Changelog

v.0.11.0

Note: This is a backwards-incompatible pre-release.

  • Make significant improvements to execution speed of updater.

  • Resolve all of the unit test failures in Windows.

  • Add or revise many CLI options.

    • Add --revoke
    • Support ECDSA, RSA, and Ed25519 keys
    • Fully support delegated roles
    • Revise help descriptions
    • Allow 2+ roles to delegate to the same role
    • Add --remove
    • Add --trust
    • Remove obsolete code
    • Add --distrust
    • Allow any top-level role to be signed
    • Allow multiple signing keys with --sign
    • Rename default directories
    • etc.
  • Revise CLI documentation, such as QUICKSTART.md.

  • Ensure consistent behavior between add_targets and add_target().

  • Add a CLI doc that demonstrates more complex examples.

  • Move LICENSE files to the root directory.

  • Update dependencies.

  • Update TUTORIAL.md to fix links.

  • Fix bug where the latest consistent metadata is not loaded.

  • Modify the pyup update schedule from daily to weekly.

  • Add hashes to requirements.txt.

  • Update AUTHORS.txt and add organizations.

  • Replace deprecated 'cryptography' functions.

  • Remove dependency in dev-requirements.txt that causes error.

  • Ensure that the latest consistent metadata is added to Snapshot.

  • Tweak a few logger and exception messages.

  • Revise introductory text in README.

  • Update ADOPTERS.md and link to pages that cover each adoption.

  • Remove target paths in metadata that contain leading path separators.

  • Address Pylint/Bandit warnings for the CLI modules.

  • Replace calls to deprecated 'imp' module.

  • Fix bug where the hashing algorithms used to generate local KEYIDs do not
    match the ones chosen by the repo.

  • Fix bug in tuf.sig.get_signature_status() where a given threshold is not used.

  • Refactor code that stores the previous keyids of a role.

The Update Framework v0.10.2

31 Jan 22:56
v0.10.2
9749418

Pre-release

Note: This is a backwards-incompatible pre-release.

  • Support TAP 4 (multiple repository consensus on entrusted targets).
    https://github.com/theupdateframework/taps/blob/master/tap4.md

  • Add quick start guide.

  • Add CLI (repo.py) to create and modify repositories.

  • Refactor client CLI (client.py).

  • Add pyup.io to manage dependencies.

  • Update all dependencies to their latest versions.

  • Add Pylint and Bandit (security) linters to Travis CI. Fix issues reported
    by both linters.

  • Tidy up documentation and directory structure.

  • Add option to exclude custom field when returning valid targetinfo with
    MultiRepoUpdater.get_valid_targetinfo().

  • Fix PGP key fingerprint provided for security vulnerability reports.

  • Modify API for creating delegations.

  • Add wrapper functions for securesystemslib functions.

  • Fix bug: non-default repository names raise an exception.

  • Refactor modules for inconsistent use of whitespace and indentation.

  • Add cryptographic functions to read and write keys from memory.

  • Add full support for ECDSA keys. List ecdsa-sha2-nistp256 in specification.

  • Remove example metadata. Documentation now points to up-to-date metadata
    in the tests directory.

  • Remove all references to PyCrypto.

  • Add copyright and license to all modules.

  • Add README for the unit tests.

  • Remove remnants of the compressed metadata feature (now discontinued).

  • Fix minor issues such as broken links, typos, etc.

  • Update configuration files to fix issues, such as duplicate upgrade commands,
    badges, etc.

  • Revise policy on static code analysis, CI, etc.

  • Earn CII Best Practices Badge.

  • Reach 98% score for CII Silver Badge.

  • Remove obsolete code, such as tufcli.py, interposition,
    check_crypto_libraries(), etc.