Ivana Atanasova
bd6dedfd94
Add tricky test case blog post
...
This blog post explains details around the use of respository
simulator, `--dump` option and test cases with expired metadata
Fixes #1885
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-06-01 12:42:49 +03:00
Jussi Kukkonen
46979bb46d
Merge pull request #2002 from abs007/patch-1916
...
Appending Fetcher docs to state the method to be implemented.
2022-05-31 15:17:52 +03:00
Jussi Kukkonen
e78b1aaa7d
Merge pull request #2003 from dhavalgshah/kceu22_bugbash/issue1999
...
fix: ngclient: temp_file could be undefined #1999
2022-05-31 10:04:07 +03:00
Jussi Kukkonen
12833b08d8
Merge pull request #2013 from theupdateframework/dependabot/pip/mypy-0.960
...
build(deps): bump mypy from 0.950 to 0.960
2022-05-31 10:00:38 +03:00
dependabot[bot]
6949db0a45
build(deps): bump mypy from 0.950 to 0.960
...
Bumps [mypy](https://github.com/python/mypy ) from 0.950 to 0.960.
- [Release notes](https://github.com/python/mypy/releases )
- [Commits](https://github.com/python/mypy/compare/v0.950...v0.960 )
---
updated-dependencies:
- dependency-name: mypy
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-05-26 10:05:42 +00:00
Lukas Pühringer
e9d11962b9
Merge pull request #2006 from theupdateframework/dependabot/github_actions/actions/github-script-6.1.0
...
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
2022-05-24 11:20:33 +02:00
Lukas Pühringer
0a0f2dd6b5
Merge pull request #2011 from theupdateframework/dependabot/pip/coverage-6.4
...
build(deps): bump coverage from 6.3.2 to 6.4
2022-05-24 11:12:07 +02:00
Lukas Pühringer
a586fc0be0
Merge pull request #2009 from theupdateframework/dependabot/pip/certifi-2022.5.18.1
...
build(deps): bump certifi from 2021.10.8 to 2022.5.18.1
2022-05-24 11:03:54 +02:00
dependabot[bot]
38201fb7f3
build(deps): bump coverage from 6.3.2 to 6.4
...
Bumps [coverage](https://github.com/nedbat/coveragepy ) from 6.3.2 to 6.4.
- [Release notes](https://github.com/nedbat/coveragepy/releases )
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst )
- [Commits](https://github.com/nedbat/coveragepy/compare/6.3.2...6.4 )
---
updated-dependencies:
- dependency-name: coverage
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-05-24 08:39:11 +00:00
Lukas Pühringer
b26ed79c20
Merge pull request #2007 from theupdateframework/dependabot/pip/pylint-2.13.9
...
build(deps): bump pylint from 2.13.8 to 2.13.9
2022-05-24 10:38:20 +02:00
Lukas Pühringer
acfbe6836d
Merge pull request #2012 from theupdateframework/dependabot/github_actions/actions/upload-artifact-3.1.0
...
build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0
2022-05-23 13:53:55 +02:00
dependabot[bot]
2ae099c140
build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](6673cd052c...3cea537223 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-05-23 10:23:02 +00:00
dependabot[bot]
4d310aa24c
build(deps): bump certifi from 2021.10.8 to 2022.5.18.1
...
Bumps [certifi](https://github.com/certifi/python-certifi ) from 2021.10.8 to 2022.5.18.1.
- [Release notes](https://github.com/certifi/python-certifi/releases )
- [Commits](https://github.com/certifi/python-certifi/compare/2021.10.08...2022.05.18.1 )
---
updated-dependencies:
- dependency-name: certifi
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-05-20 10:06:23 +00:00
Abhisman Sarkar
4a2fdabc2d
Fixes #1916
...
The class docstring for FetcherInterface needed to clearly state that
only _fetch() had to be implemented in it's implementation. This is
because the public API of the interface is implemented already.
Signed-off-by: Abhisman Sarkar <abhisman.sarkar@gmail.com>
2022-05-17 09:40:16 +05:30
dependabot[bot]
e1b69498ad
build(deps): bump pylint from 2.13.8 to 2.13.9
...
Bumps [pylint](https://github.com/PyCQA/pylint ) from 2.13.8 to 2.13.9.
- [Release notes](https://github.com/PyCQA/pylint/releases )
- [Changelog](https://github.com/PyCQA/pylint/blob/main/ChangeLog )
- [Commits](https://github.com/PyCQA/pylint/compare/v2.13.8...v2.13.9 )
---
updated-dependencies:
- dependency-name: pylint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-05-16 10:09:51 +00:00
dependabot[bot]
78dc59bf8b
build(deps): bump actions/github-script from 6.0.0 to 6.1.0
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](9ac08808f9...7a5c598405 )
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-05-13 10:17:47 +00:00
Dhaval Shah
ac7ecfb8d5
fix: Uninitialized local #1999
...
Annotating local temp_file_name variable is simple than
to annotate temp_file.
Fixes #1999
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
2022-05-11 12:04:36 +05:30
Lukas Pühringer
80235093d2
Merge pull request #2004 from rdimitrov/dimitrovr/fix-typo
...
docs: remove a duplicated word in refresh() doc comment
2022-05-10 11:58:11 +02:00
Radoslav Dimitrov
9d441da73b
docs: remove a duplicated word in refresh() doc comment
...
Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
2022-05-10 12:29:30 +03:00
Dhaval Shah
b23c5d9fe5
fix: ngclient: temp_file could be undefined #1999
...
Fixes ngclient: temp_file could be undefined #1999
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
2022-05-10 00:32:20 +05:30
Jussi Kukkonen
c5ca38f0ae
Merge pull request #1996 from theupdateframework/dependabot/pip/cryptography-37.0.2
...
build(deps): bump cryptography from 37.0.1 to 37.0.2
2022-05-06 10:14:33 +03:00
dependabot[bot]
adc5770e6c
build(deps): bump cryptography from 37.0.1 to 37.0.2
...
Bumps [cryptography](https://github.com/pyca/cryptography ) from 37.0.1 to 37.0.2.
- [Release notes](https://github.com/pyca/cryptography/releases )
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/37.0.1...37.0.2 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-05-04 10:12:49 +00:00
Jussi Kukkonen
211f2afe56
Merge pull request #1914 from jku/blog-ngclient-design
...
docs: Add a blog post about ngclient design
2022-05-04 10:01:10 +03:00
Jussi Kukkonen
ac96114309
blog: Update post date, update sloccount
...
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-05-04 09:53:46 +03:00
Jussi Kukkonen
7b593f3fdb
docs: Add doc links to ngclient blog post
...
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-05-04 09:50:56 +03:00
Jussi Kukkonen
2d52473dd3
docs: Add a blog post about ngclient design
...
Try to explain some decisions made in ngclient.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-05-04 09:50:56 +03:00
Jussi Kukkonen
096152db03
Merge pull request #1994 from theupdateframework/dependabot/pip/pylint-2.13.8
...
build(deps): bump pylint from 2.13.7 to 2.13.8
2022-05-04 09:25:51 +03:00
dependabot[bot]
384b1ab590
build(deps): bump pylint from 2.13.7 to 2.13.8
...
Bumps [pylint](https://github.com/PyCQA/pylint ) from 2.13.7 to 2.13.8.
- [Release notes](https://github.com/PyCQA/pylint/releases )
- [Changelog](https://github.com/PyCQA/pylint/blob/main/ChangeLog )
- [Commits](https://github.com/PyCQA/pylint/compare/v2.13.7...v2.13.8 )
---
updated-dependencies:
- dependency-name: pylint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-05-03 10:08:54 +00:00
Jussi Kukkonen
4c872e3fa6
Merge pull request #1991 from jku/no-requests-type-checking
...
lint: Stop using requests annotations
2022-05-03 10:42:01 +03:00
Jussi Kukkonen
cdca321b67
Merge pull request #1986 from theupdateframework/dependabot/pip/mypy-0.950
...
build(deps): bump mypy from 0.942 to 0.950
2022-05-03 10:36:52 +03:00
Jussi Kukkonen
dc1d1e600a
Merge pull request #1985 from theupdateframework/dependabot/pip/cryptography-37.0.1
...
build(deps): bump cryptography from 36.0.2 to 37.0.1
2022-05-03 10:34:51 +03:00
Lukas Pühringer
1efd52c7c4
Merge pull request #1975 from abs007/1937
...
Checking for None instead of falsyness
2022-05-02 09:17:06 +02:00
Abhisman Sarkar
79d924a4df
Metadata API: Checking for None instead of falsyness
...
Fixes #1937
Initialization of unrecognized_fields acts surprisingly when the input
container is empty. Hence, We're checking for None instead of falsyness.
Signed-off-by: Abhisman Sarkar <abhisman.sarkar@gmail.com>
2022-04-29 22:39:48 +05:30
Jussi Kukkonen
eb23fff3af
lint: Stop using requests annotations
...
requests project does not maintain annotations: typeshed project tries
to do it for them, and releases the annotations as "types-requests".
There's two main problems:
* typeshed releases constantly: this means a lot of test dependency
updates
* typeshed releases are not tagged in git: updates are impossible to
review
The benefit we get from types-requests is minimal as there is very
little requests-related code and it does not change often.
Remove annotations to lower the test dependency update churn.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-29 15:27:50 +03:00
Lukas Pühringer
83f2eee19f
Merge pull request #1983 from jku/update-maintainer-permissions-list
...
Update maintainers permission checklist
2022-04-28 15:40:29 +02:00
Lukas Pühringer
b1bbd6c8e2
Merge pull request #1989 from jku/pin-hatchling-version
...
build: Pin hatchling version
2022-04-28 15:35:01 +02:00
dependabot[bot]
7ffc5db30f
build(deps): bump mypy from 0.942 to 0.950
...
Bumps [mypy](https://github.com/python/mypy ) from 0.942 to 0.950.
- [Release notes](https://github.com/python/mypy/releases )
- [Commits](https://github.com/python/mypy/compare/v0.942...v0.950 )
---
updated-dependencies:
- dependency-name: mypy
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-04-28 10:06:32 +00:00
dependabot[bot]
a70918d662
build(deps): bump cryptography from 36.0.2 to 37.0.1
...
Bumps [cryptography](https://github.com/pyca/cryptography ) from 36.0.2 to 37.0.1.
- [Release notes](https://github.com/pyca/cryptography/releases )
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/36.0.2...37.0.1 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-04-28 10:06:23 +00:00
Jussi Kukkonen
48a6b76299
build: Pin hatchling version
...
Building a specific release with specific build tools feels like correct
choice for reproducibility in general. It's also practically required
as the hatchling version is embedded in the WHEEL file: this means
updating the build tool modifies the resulting build artifact.
Pin hatchling version. This version should be kept up-to-date: my
working assumption is that Dependabot will handle it.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-28 12:17:45 +03:00
Jussi Kukkonen
5ba3c9249f
Merge pull request #1982 from jku/fix-pip-download
...
verify_release: Tweak pip download
2022-04-28 09:56:12 +03:00
Jussi Kukkonen
7c0de84f26
Update maintainers permission checklist
...
* Release permissions are now controlled in GitHub release environment
* It is no longer required for a releasing maintainer to have PyPI
permissions
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 18:11:38 +03:00
Jussi Kukkonen
96232d2db0
verify_release: Tweak pip download
...
It seems --no-deps does not work as it used to (and actually installs
all build dependencies). This is very bad because verify_release also
uses "--no-binary :all:" leading to actually _building_ all build
dependencies from source.
Use "--no-binary tuf" instead: build dependencies will still be
installed (into a working environment) but at least they won't be built
from source.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 17:54:36 +03:00
Jussi Kukkonen
3f28d406b5
Merge pull request #1980 from jku/release-1.1.0
...
python-tuf 1.1.0 release
2022-04-27 16:08:07 +03:00
Jussi Kukkonen
8941748edb
python-tuf 1.1.0
...
* Update Changelog
* bump version
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-27 16:03:07 +03:00
Jussi Kukkonen
7e5b9b5580
Merge pull request #1979 from lukpueh/verify_release-sign
...
Add option to sign release artifacts with verify_release
2022-04-27 14:32:07 +03:00
Lukas Pühringer
a3d5a37e43
build: minor style/wording fixes in verify_release
...
Co-authored-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 13:09:48 +02:00
Jussi Kukkonen
6b511c689b
Merge pull request #1977 from theupdateframework/dependabot/pip/securesystemslib-cryptopynacl--0.23.0
...
build(deps): bump securesystemslib[crypto,pynacl] from 0.22.0 to 0.23.0
2022-04-27 13:47:58 +03:00
Lukas Puehringer
8167889944
doc: describe signatures creation in RELEASE.md
...
Mention how to use verify_release with the recently added --sign
option to create signatures for a verified release.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 12:47:21 +02:00
Lukas Puehringer
e56ff07b1a
build: add 'gpg sign' option to verify_release
...
Add option to sign locally built release artifacts with gpg,
if they match the downloaded artifacts from GitHub, PyPI.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 12:47:15 +02:00
Lukas Puehringer
e7544bfbe7
build: fix success message in verify_release
...
Prior to #1946 the verify_release script was successful if both PyPI
and GitHub release artifacts matched the local build.
Now, if the `--skip-pypi` option is provided, the script can also
be successful if only the GitHub release artifacts match the local
build.
This commit splits the final success message in two separate
success messages, one for PyPI and one for GitHub.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-27 12:34:07 +02:00