Dependabot pushes to the main repository and ends up triggering two builds
every time (one for PR, one for push): limit the rule for build-on-push
to apply to the develop branch only.
If release branches are used later on they should be added to list here.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
On Python3 bump cryptography from 3.3.1 to 3.4.5.
On python2 bump from 3.3.1 to 3.3.2 (3.3-branch is the last branch
with python2 support).
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
If you follow the instructions we provide for our contributors in
docs/CONTRIBUTORS.rst, your sys.path (used to search for imports)
will put the securesystemslib project directory first and the tuf directory
second.
This creates a problem with imports from tuf modules, because we can
import the wrong file, or, with relative imports (as we currently
use in the tests when we import utils), the imports cannot be resolved.
If we change the installation order, then the tuf directory will be the
first in the import resolution path and those problems will be fixed.
PS: I want to express my gratitude towards Jussi who helped me find
this problem.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
The Dependabot status badge no longer works, since having
migrated from stand-alone to GitHub native in #1258.
The issue is tracked upstream in dependabot/dependabot-core#1912.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
A recent commit reinstates publishing of coverage data to
coveralls.io. This commit re-adds the corresponding badge which
was temporarily removed in #1242.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Prior to this commit our GitHub workflow would set up one Python
version only for each build, which means that the commands to run
the tests and publish coverage (tox and coveralls) were run with
the same Python version as tox runs the tests in.
Given that the coveralls CLI tool dropped py2 a couple of releases
ago, this commit sets up an additional service py3 to run coveralls
(and tox) on when building for py2.
To prevent tox from using the wrong Python version to run the tests
on, this commit changes the toxenv value from the generic 'py'
(uses default python on path) to 'py27'.
For convenience and readability we use the environment variable
TOXENV instead of the tox -e option.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
New releases of the transitive (via 'requests') dependency 'idna'
break Python 2.7 builds. To fix this we configure dependabot to not
bump 'idna' in requirements-pinned.txt, which lists and
auto-updates all immediate and transitive dependencies for CI/CD
testing.
An alternative would be to add and restrict 'idna' in
'requirements.txt' but this is less preferable because
'requirements.txt' should only have direct dependencies.
For consulted dependabot config docs see:
https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/enabling-and-disabling-version-updates#disabling-dependabot-version-updates
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The newly added GitHub workflow, which replaces Travis and Appveyor,
does not support publishing coverage (coveralls) and license
(fossa) data yet (formerly done by Travis).
This commit removes the corresponding badges from README. It shall
be reverted once coveralls and fossa are re-enabled.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Replace mentions of travis/appveyor with GitHub Actions in
governance (contribution) and readme (badges) documents.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Configure workflow to run all tox environments, where each 'py' env
runs on linux, macos and windows, and sslib master and lint builds
run only on Linux/Python3.x.
The workflow also configures pip caching.
TODO: Adopt publishing of coverage (coveralls) and license (fossa)
data from .travis.yml.
Co-authored-by: Jussi Kukkonen <jkukkonen@vmware.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Configure tox to use legacy resolver as a temporary workaround
for pypa/pip#9215, which results in huge unnecessary downloads.
Co-authored-by: Jussi Kukkonen <jkukkonen@vmware.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The GitHub action windows runners (added in a subsequent commit)
choke on a test that runs os.makedirs with a too long directory
name, and expects an OSError with error numbers ENAMETOOLONG or
ENOENT. However, this particular runner returns EINVAL in Python 3,
which according to bugs.python.org/msg295851 is not unlikely.
This commit simply adds EINVAL to the expected error numbers.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
We recently enabled support for Python 3.9 and also added
3.9 builds on appveyor, but they don't work out of the box.
Instead of troubleshooting this I suggest we soon switch to
GitHub actions:
https://github.com/theupdateframework/tuf/issues/1195.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
requirements-pinned.txt lists all immediate and transitive
dependencies combined for all supported Python versions.
This commit semi-automatically updates the pinned dependencies
using the instructions in requirements.txt.
Updated dependencies are:
- cryptography (supersedes dependabot's #1237)
- certifi (supersedes dependabot's #1233)
- enum34 (oddly not detected by dependabot)
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Python 3.5 has now reached its end-of-life and has been retired.
https://www.python.org/dev/peps/pep-0478/
The optional (but highly recommended) 'cryptography' dependency
has also just dropped support for 3.5. Continuing support for 3.5
in TUF does not seem worth the effort.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Add a test to ensure that metadata expires at the expiration time, not
after it.
This tests the change to the updater introduced in 4bcd703.
Signed-off-by: Joshua Lock <jlock@vmware.com>
The specification, as of 1.0.16, describes an update expiration check as:
> The expiration timestamp in the trusted $ROLE metadata file MUST be
> higher than the fixed update expiration time.
Having done some research into how other security providers are comparing
expiration equivalents (i.e. OpenSSL x509 certificate checking code, and
GnuPG expiration checks), and how other TUF implementations are performing
the same check (rust-tuf, go-tuf), we came to a consensus that the correct
way to implement expiration comparisons is:
    expiration <= now
Where:
- expiration: is the metadata's expiration datetime
- now: is the current system time, or the fixed notion of time in the
  detailed client workflow (introduced in 1.0.16 of the spec)
Fixes #1231
Signed-off-by: Joshua Lock <jlock@vmware.com>
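The "expiration <= now" rule from the commit above, and the boundary case its test commit guards (metadata expires at the expiration time, not after it), as an added example that is not code from the TUF project: it assumes the metadata 'expires' field uses the ISO 8601 form "YYYY-MM-DDTHH:MM:SSZ" in UTC, and the ExpirationChecker class and helper names are hypothetical.

```python
"""Metadata expiration check implementing 'expiration <= now'."""
from datetime import datetime, timezone
from typing import Optional

# Assumed format of the metadata 'expires' value (UTC, ISO 8601).
EXPIRES_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(value: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    return datetime.strptime(value, EXPIRES_FORMAT).replace(tzinfo=timezone.utc)


def is_expired(expires: str, now: str) -> bool:
    """Consensus rule: metadata is expired once 'now' reaches the expiry."""
    return parse_utc(expires) <= parse_utc(now)


def is_expired_strict(expires: str, now: str) -> bool:
    """Contrast only: 'expiration < now' wrongly accepts metadata at the exact
    expiration instant, which is the boundary the test in 4bcd703 covers."""
    return parse_utc(expires) < parse_utc(now)


class ExpirationChecker:
    """Fixes the reference time once (hypothetical helper), so every role in
    a single update run is compared against the same instant rather than a
    clock that keeps advancing between checks."""

    def __init__(self, now: Optional[datetime] = None) -> None:
        self.now = now if now is not None else datetime.now(timezone.utc)

    @classmethod
    def at(cls, now: str) -> "ExpirationChecker":
        return cls(parse_utc(now))

    def expired(self, expires: str) -> bool:
        return parse_utc(expires) <= self.now

    def check(self, role: str, expires: str) -> str:
        """Raise on expired metadata, otherwise report the role as current."""
        if self.expired(expires):
            raise ValueError(f"{role} metadata expired at {expires}")
        return f"{role} metadata is current at {self.now.isoformat()}"


if __name__ == "__main__":
    checker = ExpirationChecker.at("2030-01-01T00:00:00Z")
    print(checker.expired("2030-01-01T00:00:00Z"))  # True: expires at, not after
    print(checker.check("timestamp", "2030-01-01T00:00:01Z"))
```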
Bandit just dropped support for Python <3.5. This commit adds
a corresponding constraint to requirements-test.txt.
Note, we run bandit in a dedicated 'lint' tox environment, which
uses Python3.8 on Travis.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Use Google style guide with refinements, because the Google style
guide is a comprehensive, well-established style guide that is
mostly based on PEP-8 and was accepted by everyone on the TUF team.
There is no need to replicate these recommendations. However, we do
provide a very slim document with additional refinements, in order
to emphasize items that we consider especially important, want to
be handled differently, or in one specific way, where the Google
guide would allow multiple.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Co-authored-by: Joshua Lock <jlock@vmware.com>