Commit graph

6224 commits

Author SHA1 Message Date
Ivana Atanasova
bd6dedfd94 Add tricky test case blog post
This blog post explains details around the use of respository
simulator, `--dump` option and test cases with expired metadata

Fixes #1885

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-06-01 12:42:49 +03:00
Jussi Kukkonen
46979bb46d
Merge pull request #2002 from abs007/patch-1916
Appending Fetcher docs to state the method to be implemented.
2022-05-31 15:17:52 +03:00
Jussi Kukkonen
e78b1aaa7d
Merge pull request #2003 from dhavalgshah/kceu22_bugbash/issue1999
fix:  ngclient: temp_file could be undefined #1999
2022-05-31 10:04:07 +03:00
Jussi Kukkonen
12833b08d8
Merge pull request #2013 from theupdateframework/dependabot/pip/mypy-0.960
build(deps): bump mypy from 0.950 to 0.960
2022-05-31 10:00:38 +03:00
dependabot[bot]
6949db0a45
build(deps): bump mypy from 0.950 to 0.960
Bumps [mypy](https://github.com/python/mypy) from 0.950 to 0.960.
- [Release notes](https://github.com/python/mypy/releases)
- [Commits](https://github.com/python/mypy/compare/v0.950...v0.960)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-26 10:05:42 +00:00
Lukas Pühringer
e9d11962b9
Merge pull request #2006 from theupdateframework/dependabot/github_actions/actions/github-script-6.1.0
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
2022-05-24 11:20:33 +02:00
Lukas Pühringer
0a0f2dd6b5
Merge pull request #2011 from theupdateframework/dependabot/pip/coverage-6.4
build(deps): bump coverage from 6.3.2 to 6.4
2022-05-24 11:12:07 +02:00
Lukas Pühringer
a586fc0be0
Merge pull request #2009 from theupdateframework/dependabot/pip/certifi-2022.5.18.1
build(deps): bump certifi from 2021.10.8 to 2022.5.18.1
2022-05-24 11:03:54 +02:00
dependabot[bot]
38201fb7f3
build(deps): bump coverage from 6.3.2 to 6.4
Bumps [coverage](https://github.com/nedbat/coveragepy) from 6.3.2 to 6.4.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/6.3.2...6.4)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-24 08:39:11 +00:00
Lukas Pühringer
b26ed79c20
Merge pull request #2007 from theupdateframework/dependabot/pip/pylint-2.13.9
build(deps): bump pylint from 2.13.8 to 2.13.9
2022-05-24 10:38:20 +02:00
Lukas Pühringer
acfbe6836d
Merge pull request #2012 from theupdateframework/dependabot/github_actions/actions/upload-artifact-3.1.0
build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0
2022-05-23 13:53:55 +02:00
dependabot[bot]
2ae099c140
build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](6673cd052c...3cea537223)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-23 10:23:02 +00:00
dependabot[bot]
4d310aa24c
build(deps): bump certifi from 2021.10.8 to 2022.5.18.1
Bumps [certifi](https://github.com/certifi/python-certifi) from 2021.10.8 to 2022.5.18.1.
- [Release notes](https://github.com/certifi/python-certifi/releases)
- [Commits](https://github.com/certifi/python-certifi/compare/2021.10.08...2022.05.18.1)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-20 10:06:23 +00:00
Abhisman Sarkar
4a2fdabc2d Fixes #1916
The class docstring for FetcherInterface needed to clearly state that
only _fetch() had to be implemented in it's implementation. This is
because the public API of the interface is implemented already.

Signed-off-by: Abhisman Sarkar <abhisman.sarkar@gmail.com>
2022-05-17 09:40:16 +05:30
dependabot[bot]
e1b69498ad
build(deps): bump pylint from 2.13.8 to 2.13.9
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.13.8 to 2.13.9.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Changelog](https://github.com/PyCQA/pylint/blob/main/ChangeLog)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.13.8...v2.13.9)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-16 10:09:51 +00:00
dependabot[bot]
78dc59bf8b
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](9ac08808f9...7a5c598405)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-13 10:17:47 +00:00
Dhaval Shah
ac7ecfb8d5 fix: Uninitialized local #1999
Annotating local temp_file_name variable is simple than
to annotate temp_file.

Fixes #1999

Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
2022-05-11 12:04:36 +05:30
Lukas Pühringer
80235093d2
Merge pull request #2004 from rdimitrov/dimitrovr/fix-typo
docs: remove a duplicated word in refresh() doc comment
2022-05-10 11:58:11 +02:00
Radoslav Dimitrov
9d441da73b docs: remove a duplicated word in refresh() doc comment
Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
2022-05-10 12:29:30 +03:00
Dhaval Shah
b23c5d9fe5
fix: ngclient: temp_file could be undefined #1999
Fixes ngclient: temp_file could be undefined #1999

Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
2022-05-10 00:32:20 +05:30
Jussi Kukkonen
c5ca38f0ae
Merge pull request #1996 from theupdateframework/dependabot/pip/cryptography-37.0.2
build(deps): bump cryptography from 37.0.1 to 37.0.2
2022-05-06 10:14:33 +03:00
dependabot[bot]
adc5770e6c
build(deps): bump cryptography from 37.0.1 to 37.0.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 37.0.1 to 37.0.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/37.0.1...37.0.2)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-04 10:12:49 +00:00
Jussi Kukkonen
211f2afe56
Merge pull request #1914 from jku/blog-ngclient-design
docs: Add a blog post about ngclient design
2022-05-04 10:01:10 +03:00
Jussi Kukkonen
ac96114309 blog: Update post date, update sloccount
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-05-04 09:53:46 +03:00
Jussi Kukkonen
7b593f3fdb docs: Add doc links to ngclient blog post
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-05-04 09:50:56 +03:00
Jussi Kukkonen
2d52473dd3 docs: Add a blog post about ngclient design
Try to explain some decisions made in ngclient.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-05-04 09:50:56 +03:00
Jussi Kukkonen
096152db03
Merge pull request #1994 from theupdateframework/dependabot/pip/pylint-2.13.8
build(deps): bump pylint from 2.13.7 to 2.13.8
2022-05-04 09:25:51 +03:00
dependabot[bot]
384b1ab590
build(deps): bump pylint from 2.13.7 to 2.13.8
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.13.7 to 2.13.8.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Changelog](https://github.com/PyCQA/pylint/blob/main/ChangeLog)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.13.7...v2.13.8)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-03 10:08:54 +00:00
Jussi Kukkonen
4c872e3fa6
Merge pull request #1991 from jku/no-requests-type-checking
lint: Stop using requests annotations
2022-05-03 10:42:01 +03:00
Jussi Kukkonen
cdca321b67
Merge pull request #1986 from theupdateframework/dependabot/pip/mypy-0.950
build(deps): bump mypy from 0.942 to 0.950
2022-05-03 10:36:52 +03:00
Jussi Kukkonen
dc1d1e600a
Merge pull request #1985 from theupdateframework/dependabot/pip/cryptography-37.0.1
build(deps): bump cryptography from 36.0.2 to 37.0.1
2022-05-03 10:34:51 +03:00
Lukas Pühringer
1efd52c7c4
Merge pull request #1975 from abs007/1937
Checking for None instead of falsyness
2022-05-02 09:17:06 +02:00
Abhisman Sarkar
79d924a4df Metadata API: Checking for None instead of falsyness
Fixes #1937

Initialization of unrecognized_fields acts surprisingly when the input
container is empty. Hence, We're checking for None instead of falsyness.

Signed-off-by: Abhisman Sarkar <abhisman.sarkar@gmail.com>
2022-04-29 22:39:48 +05:30
Jussi Kukkonen
eb23fff3af lint: Stop using requests annotations
requests project does not maintain annotations: typeshed project tries
to do it for them, and releases the annotations as "types-requests".

There's two main problems:
* typeshed releases constantly: this means a lot of test dependency
  updates
* typeshed releases are not tagged in git: updates are impossible to
  review

The benefit we get from types-requests is minimal as there is very
little requests-related code and it does not change often.

Remove annotations to lower the test dependency update churn.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-29 15:27:50 +03:00
Lukas Pühringer
83f2eee19f
Merge pull request #1983 from jku/update-maintainer-permissions-list
Update maintainers permission checklist
2022-04-28 15:40:29 +02:00
Lukas Pühringer
b1bbd6c8e2
Merge pull request #1989 from jku/pin-hatchling-version
build: Pin hatchling version
2022-04-28 15:35:01 +02:00
dependabot[bot]
7ffc5db30f
build(deps): bump mypy from 0.942 to 0.950
Bumps [mypy](https://github.com/python/mypy) from 0.942 to 0.950.
- [Release notes](https://github.com/python/mypy/releases)
- [Commits](https://github.com/python/mypy/compare/v0.942...v0.950)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-28 10:06:32 +00:00
dependabot[bot]
a70918d662
build(deps): bump cryptography from 36.0.2 to 37.0.1
Bumps [cryptography](https://github.com/pyca/cryptography) from 36.0.2 to 37.0.1.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/36.0.2...37.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-28 10:06:23 +00:00
Jussi Kukkonen
48a6b76299 build: Pin hatchling version
Building a specific release with specific build tools feels like correct
choice for reproducibility in general. It's also practically required
as the hatchling version is embedded in the WHEEL file: this means
updating the build tool modifies the resulting build artifact.

Pin hatchling version. This version should be kept up-to-date: my
working assumption is that Dependabot will handle it.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-28 12:17:45 +03:00
Jussi Kukkonen
5ba3c9249f
Merge pull request #1982 from jku/fix-pip-download
verify_release: Tweak pip download
2022-04-28 09:56:12 +03:00
Jussi Kukkonen
7c0de84f26 Update maintainers permission checklist
* Release permissions are now controlled in GitHub release environment
* It is no longer required for a releasing maintainer to have PyPI
  permissions

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 18:11:38 +03:00
Jussi Kukkonen
96232d2db0 verify_release: Tweak pip download
It seems --no-deps does not work as it used to (and actually installs
all build dependencies). This is very bad because verify_release also
uses "--no-binary :all:" leading to actually _building_ all build
dependencies from source.

Use "--no-binary tuf" instead: build dependencies will still be
installed (into a working environment) but at least they won't be built
from source.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 17:54:36 +03:00
Jussi Kukkonen
3f28d406b5
Merge pull request #1980 from jku/release-1.1.0
python-tuf 1.1.0 release
2022-04-27 16:08:07 +03:00
Jussi Kukkonen
8941748edb python-tuf 1.1.0
* Update Changelog
* bump version

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 16:03:07 +03:00
Jussi Kukkonen
7e5b9b5580
Merge pull request #1979 from lukpueh/verify_release-sign
Add option to sign release artifacts with verify_release
2022-04-27 14:32:07 +03:00
Lukas Pühringer
a3d5a37e43 build: minor style/wording fixes in verify_release
Co-authored-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 13:09:48 +02:00
Jussi Kukkonen
6b511c689b
Merge pull request #1977 from theupdateframework/dependabot/pip/securesystemslib-cryptopynacl--0.23.0
build(deps): bump securesystemslib[crypto,pynacl] from 0.22.0 to 0.23.0
2022-04-27 13:47:58 +03:00
Lukas Puehringer
8167889944 doc: describe signatures creation in RELEASE.md
Mention how to use verify_release with the recently added --sign
option to create signatures for a verified release.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 12:47:21 +02:00
Lukas Puehringer
e56ff07b1a build: add 'gpg sign' option to verify_release
Add option to sign locally built release artifacts with gpg,
if they match the downloaded artifacts from GitHub, PyPI.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 12:47:15 +02:00
Lukas Puehringer
e7544bfbe7 build: fix success message in verify_release
Prior to #1946 the verify_release script was successful if both PyPI
and GitHub release artifacts matched the local build.

Now, if the `--skip-pypi` option is provided, the script can also
be successful if only the GitHub release artifacts match the local
build.

This commit splits the final success message in two separate
success messages, one for PyPI and one for GitHub.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 12:34:07 +02:00