Jussi Kukkonen
314efaf3da
Examples: Add repository application example
This uses the repository module to create an app that
* generates everything from scratch
* serves metadata and targets from memory
* simulates a live repository by adding new targets every few seconds
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-28 12:13:00 +02:00
Jussi Kukkonen
5e17617fc5
Add repository module
Plan for tuf.repository is:
* provides useful functionality for TUF repository-side implementations
(repository applications, developer tools, etc)
* is minimalistic: only features that most implementations will use
should be included
* Only example implementations will be provided in python-tuf
* As more repository implementations are built using tuf.repository
we can evaluate what extended functionality is useful
In this PR, a single abstract class is added that provides a framework
for building repository-modifying tools. In subsequent commits
some examples will be added that demonstrate how to use the class.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-28 12:13:00 +02:00
Jussi Kukkonen
4d99f78cf9
Rename manual repository example
I plan to add another repository example as well.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-28 12:13:00 +02:00
Jussi Kukkonen
56dbe67ebc
Merge pull request #2192 from theupdateframework/dependabot/pip/urllib3-1.26.13
build(deps): bump urllib3 from 1.26.12 to 1.26.13
2022-11-28 11:23:11 +02:00
Jussi Kukkonen
6ce8bb824f
Merge pull request #2194 from ameypd/develop
Fixes #1862, added way to see full stack trace on error situations
2022-11-25 16:25:26 +02:00
ameypd
fc0d53aae2
Fixes #1862, added way to see full stack trace on error situations
Signed-off-by: ameypd <h20220013@goa.bits-pilani.ac.in>
2022-11-25 19:41:49 +05:30
dependabot[bot]
d11a469e33
build(deps): bump urllib3 from 1.26.12 to 1.26.13
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.12 to 1.26.13.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/1.26.13/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.12...1.26.13)
---
updated-dependencies:
- dependency-name: urllib3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-24 10:01:46 +00:00
Jussi Kukkonen
fcf6cf679f
Merge pull request #2190 from jku/scorecards
workflows: Add Scorecards workflow
2022-11-22 18:23:53 +02:00
Jussi Kukkonen
f29d8471c8
workflows: Add Scorecards workflow
This is a modified version of the workflow from the project itself:
* Not using personal access tokens because I believe they are a
security issue (this means Branch-Protection check will be incorrect)
* Not uploading results to actions cache: Maybe there's a point but I
don't see it as the SARIF files are not very human readable
This should give us some code scanning alerts in the security tab on Github.
This is not really what I'm interested in though so I've enabled the upload
to https://api.securityscorecards.dev/. The results json on there is not
exactly readable but it is good enough to check what the current results
are -- and deps.dev should use those results after some delay I believe.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-22 18:15:56 +02:00
Lukas Pühringer
650796ee8d
Merge pull request #2182 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.1
build(deps): bump actions/dependency-review-action from 3.0.0 to 3.0.1
2022-11-21 12:10:14 +01:00
Lukas Pühringer
802fb98ff6
Merge pull request #2188 from jku/enable-urllib-annotations
pyproject: Stop disabling urllib3 import checks in mypy
2022-11-21 11:55:08 +01:00
Lukas Pühringer
81021149eb
Merge pull request #2189 from theupdateframework/dependabot/pip/pylint-2.15.6
build(deps): bump pylint from 2.15.5 to 2.15.6
2022-11-21 11:53:08 +01:00
dependabot[bot]
a93182dfa0
build(deps): bump pylint from 2.15.5 to 2.15.6
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.15.5 to 2.15.6.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.15.5...v2.15.6)
---
updated-dependencies:
- dependency-name: pylint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-21 10:07:07 +00:00
Jussi Kukkonen
49488530cb
pyproject: Stop disabling urllib3 import checks in mypy
Double reasoning for this one:
* urllib3 now does have annotations
* since we don't import requests annotations (to avoid depending on typeshed)
urllib3 annotations are never needed: we don't use urllib3 directly
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-21 11:59:36 +02:00
Jussi Kukkonen
6856854f74
Merge pull request #2176 from theupdateframework/dependabot/pip/mypy-0.991
build(deps): bump mypy from 0.982 to 0.991
2022-11-21 10:39:06 +02:00
dependabot[bot]
b6133cc7bb
build(deps): bump mypy from 0.982 to 0.991
Bumps [mypy](https://github.com/python/mypy) from 0.982 to 0.991.
- [Release notes](https://github.com/python/mypy/releases)
- [Commits](https://github.com/python/mypy/compare/v0.982...v0.991)
---
updated-dependencies:
- dependency-name: mypy
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-21 08:34:44 +00:00
Jussi Kukkonen
077602e3bb
Merge pull request #2187 from rogdex24/develop
verify_release: PEP 484 compliant annotations - Issue #2171
2022-11-21 10:32:25 +02:00
Abu Talha
21ed19c264
verify_release: PEP 484 compliant annotations
Signed-off-by: Abu Talha <itsabutalha@gmail.com>
2022-11-21 06:41:17 +00:00
Jussi Kukkonen
7f4ae24788
Merge pull request #2185 from lukpueh/fix-pypi-classifier
doc: update PyPI Development Status classifier
2022-11-20 15:50:32 +02:00
Lukas Puehringer
1980ca1f11
doc: update PyPI Development Status classifier
Since v1.0.0 python-tuf is no longer beta software.
See https://pypi.org/classifiers/ for available classifiers.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-11-18 14:23:37 +01:00
Lukas Pühringer
fb17922eac
Merge pull request #2183 from jku/no-limits
README: Remove limitations
2022-11-18 14:17:38 +01:00
Jussi Kukkonen
f56d5267ed
README: Remove limitations
There may be ways to unsafely use the client library but situation
should be significantly better now with ngclient:
* metadata writing is safer, more atomic
* non-root cached metadata is never trusted (so inconsistent
cached repository is not a security issue)
* the cache locations are now clearly application
decisions (they are required Updater constructor args)
Move the notice to Updater module documentation.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-18 13:16:41 +02:00
Lukas Pühringer
a4d5cf49c9
Merge pull request #2181 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.33
build(deps): bump github/codeql-action from 2.1.32 to 2.1.33
2022-11-17 11:45:05 +01:00
dependabot[bot]
10ba3918a7
build(deps): bump actions/dependency-review-action from 3.0.0 to 3.0.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](30d5821115...11310527b4)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-17 10:11:44 +00:00
dependabot[bot]
878b7ff4d9
build(deps): bump github/codeql-action from 2.1.32 to 2.1.33
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.32 to 2.1.33.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](4238421316...678fc3afe2)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-17 10:11:41 +00:00
Lukas Pühringer
7568fc6a8e
Merge pull request #2177 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.32
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
2022-11-17 09:54:31 +01:00
Lukas Pühringer
cd1c38d307
Merge pull request #2178 from lukpueh/change-security-contact
Update security policy to use new reporting
2022-11-16 14:49:12 +01:00
Lukas Puehringer
9a54677ee9
Update security policy to use new reporting
- Enabled new GitHub feature (beta) to privately report security
issues to all maintainers in repo settings.
https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
- Updated security policy document to instruct reporters to use the
new reporting mechanism instead of email+pgp.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-11-15 17:01:16 +01:00
Jussi Kukkonen
3bc24ad2c3
Merge pull request #2159 from jku/permissions-tweaks
Github workflows: Permissions tweaks
2022-11-15 14:34:48 +02:00
dependabot[bot]
eb8c4263ce
build(deps): bump github/codeql-action from 2.1.31 to 2.1.32
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.31 to 2.1.32.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c3b6fce4ee...4238421316)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-15 10:04:06 +00:00
Jussi Kukkonen
5a4c7ad032
Merge pull request #2175 from theupdateframework/dependabot/github_actions/actions/dependency-review-action-3.0.0
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
2022-11-14 14:34:09 +02:00
Jussi Kukkonen
eaa8224706
Merge pull request #2170 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.31
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
2022-11-14 14:09:42 +02:00
dependabot[bot]
bd03b32a9e
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.0
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](0efb1d1d84...30d5821115)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-14 10:09:59 +00:00
Lukas Pühringer
7311808f11
Merge pull request #2173 from jku/fix-pip-cache-in-coveralls-fin
workflows: Use setup-python to setup python in coveralls-fin
2022-11-09 10:35:49 +01:00
Jussi Kukkonen
a6c3b487e3
workflows: Use setup-python to setup python in coveralls-fin
This makes the job just like all other jobs
Fixes #2172
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-11-08 18:54:16 +02:00
dependabot[bot]
8d0ae4f99d
build(deps): bump github/codeql-action from 2.1.30 to 2.1.31
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](18fe527fa8...c3b6fce4ee)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 10:08:46 +00:00
Jussi Kukkonen
be6c561ec6
Merge pull request #2163 from theupdateframework/dependabot/pip/cryptography-38.0.3
build(deps): bump cryptography from 38.0.2 to 38.0.3
2022-11-04 14:12:45 +02:00
Jussi Kukkonen
b8326a245f
Merge pull request #2164 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.30
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
2022-11-04 14:12:16 +02:00
Jussi Kukkonen
0c07a84441
Merge pull request #2157 from jku/enable-py-3.11
build: Enable Python 3.11 in test matrix
2022-11-03 13:19:38 +02:00
dependabot[bot]
c12df73040
build(deps): bump github/codeql-action from 2.1.29 to 2.1.30
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](ec3cf9c605...18fe527fa8)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-03 10:03:51 +00:00
dependabot[bot]
f85807287b
build(deps): bump cryptography from 38.0.2 to 38.0.3
Bumps [cryptography](https://github.com/pyca/cryptography) from 38.0.2 to 38.0.3.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/38.0.2...38.0.3)
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-02 11:07:28 +00:00
Jussi Kukkonen
98587c579e
Merge pull request #2075 from KOLANICH-libs/netloc
Supported `file` scheme without netloc.
2022-11-02 11:17:08 +02:00
Jussi Kukkonen
35a7dd58c5
RequestsFetcher: satisfy mypy with small fix
The typeshed annotations for requests say that the hostname could be None:
I think this is untrue but let's keep mypy happy.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 21:25:02 +03:00
KOLANICH
0c9c494261
Supported schemes without netloc.
Signed-off-by: KOLANICH <KOLANICH@users.noreply.github.com>
2022-10-31 21:23:56 +03:00
Jussi Kukkonen
b002860206
Github workflows: Only upload to pypi in upstream repo
This is not a security measure: it makes testing the CD/release workflow
(at least the non-pypi-upload parts) in a fork a little easier as the pypi
upload is skipped.
This does make testing the pypi upload even more difficult but maybe
that is acceptable?
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:14:23 +02:00
Jussi Kukkonen
327fcf8640
GitHub workflows: limit "content:write" to minimum
Permissions can be defined on workflow and job level, but not on step level.
Currently permissions are defined at workflow level which is not ideal.
Create a new "release_candidate" job so that we can minimize the
"content:write" permission exposure.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-31 12:13:11 +02:00
Jussi Kukkonen
53521bfda0
workflows: Set top-level permissions
This changes very little but it does mean any jobs added in future have to
be explicit about the permissions they need. This also makes OSSF scorecard
happier.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2022-10-30 12:56:22 +02:00
Jussi Kukkonen
6b03ef43ae
Merge pull request #2158 from UDITBALUJA/develop
updated hatchling to current latest 1.11.1
2022-10-29 21:23:26 +03:00
UDITBALUJA
37313fbfc4
updated hatchling to current latest 1.11.1
Signed-off-by: UDITBALUJA <uditbaluja1000@gmail.com>
2022-10-29 19:27:53 +05:30
Jussi Kukkonen
ee3e2799d5
Merge pull request #2148 from theupdateframework/dependabot/pip/pylint-2.15.5
build(deps): bump pylint from 2.15.4 to 2.15.5
2022-10-28 15:49:33 +03:00