Merge pull request #1122 from joshuagl/joshuagl/release-0.14.0

Prepare 0.14.0 release

docs/CHANGELOG.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## v0.14.0
+### Added
+* Added a mechanism to the Updater to disable the hash prefix for target files
+  even when `consistent_snapshot` is enabled for a repository (#1102)
+
+### Changed
+* Updater now uses keyids provided in the metadata, rather than re-calculating
+  keyids using `keyid_hash_algorithms` (#1014, #1121)
+* When loading an existing repository the keyids provided in the metadata will
+  be used, rather than re-calculating keyids using `keyid_hash_algorithms` (#1014, #1121)
+* Improve reliability and performance of tests by removing sleep calls, instead
+  use polling to check whether the simple_server is ready to accept
+  connections (#1096)
+* Only calculate lengths and hashes of files listed by timestamp and snapshot
+  metadata when those lengths and hashes will be included in the metadata (#1097)
+* Re-raise chained exceptions explicitly per PEP 3134 (#1116)
+* Remove use of `securesystemslib.settings.HASH_ALGORITHMS`, instead pass
+  desired algorithms explicitly to securesystemslib's
+  `keys.format_metadata_to_key` (#1016)
+
+### Fixed
+* Better adhere to the detailed client workflow in the specification by
+  ensuring that a newly downloaded root metadata file is verified with a
+  threshold of its own signatures (#1101)
+* Update a delegating role's metadata when adding a new verification key to a
+  delegated role (#1037)
+
 ## v0.13.0
 ### Added
 * Add support for BLAKE hash functions (#993)

docs/RELEASE.md

@@ -1,8 +1,8 @@
 # Release process
 
-* Ensure docs/CHANGELOG.md contains a one-line summary of each [notable
+* Ensure `docs/CHANGELOG.md` contains a one-line summary of each [notable
   change](https://keepachangelog.com/) since the prior release
-* Update setup.py and `tuf/__init__.py` to the new version number vA.B.C
+* Update `setup.py` and `tuf/__init__.py` to the new version number vA.B.C
 * Test packaging, uploading to Test PyPI and installing from a virtual environment
   * Remove existing dist build dirs
   * Create source dist `python setup.py sdist`
@@ -10,12 +10,13 @@
   * Sign the dists `gpg --detach-sign -a dist/tuf-vA.B.C.tar.gz`
   * Upload to test PyPI `twine upload --repository testpypi dist/*`
   * Verify the uploaded package https://testpypi.python.org/pypi/tuf/
-* Create a PR with updated CHANGELOG.md and version bumps
+* Create a PR with updated `CHANGELOG.md` and version bumps
 * Once the PR is merged, pull the updated `develop` branch locally
 * Create a signed tag matching the updated version number on the merge commit
   `git tag --sign vA.B.C -m "vA.B.C"`
   * Push the tag to GitHub `git push origin vA.B.C`
-* Create a new release on GitHub, copying the CHANGELOG.md entries for the release
+* Create a new release on GitHub, copying the `CHANGELOG.md` entries for the
+  release
 * Create a package for the formal release
   * Remove existing dist build dirs
   * Create source dist `python setup.py sdist`

setup.py

@@ -78,7 +78,7 @@
 
 setup(
   name = 'tuf',
-  version = '0.13.0', # If updating version, also update it in tuf/__init__.py
+  version = '0.14.0', # If updating version, also update it in tuf/__init__.py
   description = 'A secure updater framework for Python',
   long_description = long_description,
   long_description_content_type='text/markdown',

tuf/__init__.py

@@ -2,7 +2,7 @@
 # setup.py has it hard-coded separately.
 # Currently, when the version is changed, it must be set in both locations.
 # TODO: Single-source the version number.
-__version__ = "0.13.0"
+__version__ = "0.14.0"
 
 # This reference implementation produces metadata intended to conform to
 # version 1.0.0 of the TUF specification, and is expected to consume metadata