* The conformance test suite is likely to still change quite a bit so
the workflow is not enabled on PRs yet
* The actual conformance client is copied from the tuf-conformance project
* This is mostly a test to see how things should work out, and a
demonstration of how the tuf-conformance project should be used
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
The goal here is to have ruff enable new rulesets when new releases are
made without us having to do anything: we can then decide if we disable
or not.
* Enable a couple more rulesets (ERA, INP, T )
* Add a few individual ignores to tests and examples
* Default to enable all, disable the rulesets we don't want
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* Remove executable flag from a couple of files
* Half of the test files have a shebang (but are
still not executable): remove the shebang
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
I'm not sure I agree with not using the parens in
`raise SomeError`
but being consistent is definitely better than not being consistent.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
There are several breaking changes coming up in securesystemslib on its
way to 1.0.
To not disrupt tuf users this patch constrains securesystemslib to not
update the current minor version.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Minor fixes were needed, the only possibly interesting one is
the one in RequestsFetcher (use "yield from").
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* Remove bandit
* Add ruff ruleset "flake8-bandit"
* verify_release is now checked by bandit
* Avoid some asserts as suggested
* ignore a subprocess.run lint: it seems dumb
* ignore all bandit rules for tests and examples (just like before)
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Only leave E501 (line-too-long) disabled: There is a lot of embedded
test data that is not formatted according to the rules.
Fixes #2568
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- adopt changes in dependabot.yml and remove --diff from ruff check.
- select pydocstyle, isort, pyflakes, pep8-naming, pycodestyle for ruff and ignore some small issues / add inline comments.
- adjust docstring length to 80 in various files
Signed-off-by: E3E <ntanzill@purdue.edu>
Dependabot does not support `build-system.requires`. To get
reproducibility and auto-updates, we pin the version in a regular
requirements file and use it as constraint during build.
fixes: #2529
upstream issue: dependabot/dependabot-core#8465
h/t @jku
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
This is not tracked by dependabot so needs manual updates.
Manually tested by building with previous and new hatchling version
and diffing unzipped/untared wheel and sdist.
There were no unexpected changes.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
* Python 3.7 is EOL.
* Our runtime dependencies are still ok with 3.7
* Testing dependencies have started requiring 3.8
Stop supporting and testing Python 3.7.
We could just stop testing Python 3.7 (while claiming to still support
it) but that seems like it'll lead to trouble: we will inevitably use
some 3.8 feature and then won't notice because we don't test 3.7 any
more.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This is not tracked by dependabot so needs manual updates.
Manually tested: no unexpected changes in the release artifacts.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
We already have 6 files and I'm planning to add another one: maybe it's
time to move these out of the top level directory.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Double reasoning for this one:
* urllib3 now does have annotations
* since we don't import requests annotations (to avoid depending on typeshed)
urllib3 annotations are never needed: we don't use urllib3 directly
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Since v1.0.0 python-tuf is no longer beta software.
See https://pypi.org/classifiers/ for available classifiers.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Per PEP 621 this should be a table, not a string. This resolves failures
installing on systems with newer setuptools (v61.3.0 or newer:
https://setuptools.pypa.io/en/latest/history.html#v61-3-0).
Signed-off-by: Joshua Lock <jlock@vmware.com>
requests project does not maintain annotations: typeshed project tries
to do it for them, and releases the annotations as "types-requests".
There are two main problems:
* typeshed releases constantly: this means a lot of test dependency
updates
* typeshed releases are not tagged in git: updates are impossible to
review
The benefit we get from types-requests is minimal as there is very
little requests-related code and it does not change often.
Remove annotations to lower the test dependency update churn.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Building a specific release with specific build tools feels like correct
choice for reproducibility in general. It's also practically required
as the hatchling version is embedded in the WHEEL file: this means
updating the build tool modifies the resulting build artifact.
Pin hatchling version. This version should be kept up-to-date: my
working assumption is that Dependabot will handle it.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Explicitly include `examples` dir in sdist.
The same would be achieved by removing explicit includes, which
currently would also add these files/dirs:
```
/gitattributes
/github
/mypy_cache
/readthedocs.yaml
/verify_release
```
Maybe we should, instead of defining includes, explicitly exclude
(some of) these files? The advantage of a blacklist approach is
that it becomes less likely to forget including files that should
be included.
See hatch docs for:
- what files should be in sdist
https://ofek.dev/hatch/latest/plugins/builder/#source-distribution
- what files get into sdist by default:
https://ofek.dev/hatch/latest/plugins/builder/#default-file-selection_1
- how to configure what files get into sdist:
https://ofek.dev/hatch/latest/config/build/#file-selection
Fixes #1901
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
As of setuptools 46.4.0, one can accomplish a single source version
number with
`version = attr: package.__version__`
in setup.cfg: As long as setuptools' simplified AST parser is able to
read the file, this works without actually importing anything.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
- Update linter config to no longer distinguish between legacy
and new implementation. This requires addressing a linter warning
in an until now not linted module (tuf/__init__.py).
- Remove obsolete rules in MANIFEST.in (source distribution) and
tests/.coveragerc (test coverage).
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Mypy warns us when we assign a not defined variable to an object, but
that is something that we are already warned about by pylint (search for
"pylint: disable=no-member" in test_updater_key_rotations.py
and you will find an example where we have to disable it).
We don't want to have two linters checking for the same thing
as we can end up disabling two warnings that are actually the same
on a single line.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Exclude regexs/globs are needed to exclude the test files testing
the old code.
After we remove those files we will be able to remove the exclude
regex/globs.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Instead of providing a target directory for linting to each of the
tools, use one variable which will be the source of truth about which
directories we lint.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>