Tuf

Latest version: v5.0.0


Page 3 of 5

0.18

* Support only Python 3 and modernize the infrastructure accordingly
* Metadata API (a low-level API for metadata de/serialization and
modification) is now feature-complete for the client use cases
* ngclient (a new high-level client API) was added. ngclient should be
considered an unstable API and is not yet recommended for production
use.

Additionally, the GitHub project name changed: the project is now "python-tuf"
instead of "tuf". Redirects are in place for the old name, but updating links is
advised.

Added
* Add ADR6: Where to implement serialization (1270)
* Add ADR8: Unrecognized fields (1343)
* Add ADR9: Refine reference implementation purpose (1554)
* Add client Network IO abstraction (1250, 1302)
* Add many features to Metadata API to support de/serializing
specification-compliant metadata, and safer access through API:
  * Metadata.from_bytes()/to_bytes() (1354, 1490)
  * Key, Role (1360, 1386, 1423, 1480, 1481, 1520)
  * DelegationRole, Delegations (1370, 1512)
  * MetaFile, TargetFile (1329, 1437, 1454, 1514)
  * verification of threshold of signatures (1435, 1436)
  * expiration check method (1347)
  * support unrecognized fields in metadata (1345)
  * use Generics to improve static typing (1457)
* Extensive Metadata API testing and validation
(1359, 1416, 1416, 1430, 1449, 1450, 1451, 1460, 1466, 1511)
* Add ngclient: a new client library implementation
(1408, 1448, 1463, 1467, 1470, 1474, 1501, 1509, 1519, 1524)
* Infrastructure improvements:
  * mypy, black and isort integration (1314, 1363, 1395, 1455, 1489)
  * API reference documentation build (1517)

Removed
* Remove Python 2 support (1293)
* Remove direct dependency on six
* Remove obsolete reference to Thandy in a LICENSE file (1472)

Changed
* Bump dependencies:
  * Certifi
  * Cryptography
  * Idna
  * Requests
  * Securesystemslib
  * Six
  * Urllib3
* Replace indirect dependency chardet with charset-normalizer
* Move Metadata API serialization to sub-package (1279)
* Use SecureSystemslib Signer interface in Metadata API (1272)
* Make imports compatible with vendoring (1261)

Fixed
* 'ecdsa' is a supported key type (1453)
* Fix various build infrastructure issues (1289, 1295, 1321, 1327, 1364,
1369, 1542)
* Test fixes (1337, 1346)

0.18.0

Not secure

0.17.0

Not secure
**NOTE**: this will be the final release of tuf that supports Python 2.7.
This is because Python 2.7 was marked [end-of-life](https://www.python.org/dev/peps/pep-0373/) in January of 2020, and
since then several of tuf's direct and transient dependencies have stopped
supporting Python 2.7.

Added
* Added Architectural Decision Records (ADRs) for:
  * where to develop python-tuf 1.0 (1220)
  * to justify the extent of OOP in the metadata model (1229)
  * to decide on a Python code style guide (1232)

Changed
* Switch to GitHub Actions for CI (1242, 1283, 1252)
* Switch to only running bandit on Python versions greater than 3.5 (1234)
* Bump dependencies: requests (1245), chardet (1239), urllib3 (1268),
cffi (1280), securesystemslib (1285), cryptography (1282, 1286).
**NOTE**: the latest version of cryptography is no longer used on
Python 2, as that is not supported.
* Moved from dependabot-preview to GitHub native Dependabot (1258)
* Configure dependabot to ignore idna, as it breaks Python 2.7 builds (1259)
* Install securesystemslib in tox in non-editable mode (1228)
* Change the editable venv installation order (1271)

Fixed
* Updated expiration check in Updater to better match the specification (1235)
* Ensure tempfile's are closed in Updater (1226)

Removed
* Dropped support for Python 3.5 (1238)

0.16.0

Not secure
Added
* Begin to document architectural and project-wide decisions as Architectural
Decision Records (ADRs) in docs/adr (1182, 1203)
* Add Python 3.9 to the CI test matrix (1200)
* Implement a class for Root metadata in the simple TUF role metadata model in
`tuf.api` (1193)

Changed
* Bump dependencies: cryptography (1189, 1190), requests (1210),
urllib (1212), cffi (1222), certifi (1201), securesystemslib (1191)
* Simplify the test runner (`aggregate_tests`) and stop executing unit test
modules in a random order (1187)
* Speed up indefinite freeze tests by removing `sleep()` calls (1194)
* Adapt to securesystemslib changes in key generation interfaces (1191)
* Migrate from travis-ci.org to travis-ci.com (1208)
* Make metadata signatures ordered by keyid, to ensure deterministic signature
ordering in metadata files (1217)
* Improve test reliability by using thread-safe `Queue`s, rather than files,
for process communication (1198)
* Avoid reading an entire target file into memory when generating target file
hashes in `tuf.client.updater` (1219)
* Remove use of an empty list (`[]`) as the default argument in a test
function (1216)
* Simplified updater logic for downloading and verifying target files (1202)

Fixed
* Fix threshold computation in `_verify_root_self_signed()` such that
signatures by the same root key count only once towards the threshold (1218)

0.15.0

Not secure
Added
* Simple TUF role metadata model in the `tuf.api` package for interacting with
metadata files directly, per-file without the overheads of reading and
writing the entire repository at once (1112, 1177, 1183)
* Raise `MissingLocalRepositoryError` in updater when local repository can not
be found (1173)
* Tests for targets metadata generation with existing `fileinfo` (1078)
* Test-verbosity documentation (1151)

Changed
* Raise an error in `tuf.client.updater` when metadata is loaded without a
signature (1100)
* Print a warning in `tuf.repository_tool` when metadata is written without a
signature (1100)
* Remove iso8601 dependency (1176)
* Bump dependencies: cffi (1146), cryptography (1149), urllib (1179),
securesystemslib (1183)
* Overhauled logging to be less verbose and less alarming, by removing logging
in the library when an exception is raised (including the same information
that was logged) and using more appropriate log levels (1145)
* Make test output more useful by reducing and improving logging (1145, 1104, 1170)
* Make the `targets_path`, `metadata_path` and `confined_target_dirs` fields in
`tuf.client.updater`'s mirror configuration optional (1153, 1166)
* Include LICENSE files with source distributions (1162)
* Update Python version to be used in release instructions (1163)
* Remove direct use of `colorama` and dependency (1180)

Fixed
* Ensure file objects and `requests.Responses` are closed during tests (1147)
* Auto-test against `securesystemslib` head of development (1185)
* Fix parameter name in `tuf.repository_lib` error message (1078)

0.14.0

Not secure
Added
* Added a mechanism to the Updater to disable the hash prefix for target files
even when `consistent_snapshot` is enabled for a repository (1102)

Changed
* Updater now uses keyids provided in the metadata, rather than re-calculating
keyids using `keyid_hash_algorithms` (1014, 1121)
* When loading an existing repository the keyids provided in the metadata will
be used, rather than re-calculating keyids using `keyid_hash_algorithms` (1014, 1121)
* Improve reliability and performance of tests by removing sleep calls and
instead polling to check whether the simple_server is ready to accept
connections (1096)
* Only calculate lengths and hashes of files listed by timestamp and snapshot
metadata when those lengths and hashes will be included in the metadata (1097)
* Re-raise chained exceptions explicitly per PEP 3134 (1116)
* Remove use of `securesystemslib.settings.HASH_ALGORITHMS`, instead pass
desired algorithms explicitly to securesystemslib's
`keys.format_metadata_to_key` (1016)

Fixed
* Better adhere to the detailed client workflow in the specification by
ensuring that a newly downloaded root metadata file is verified with a
threshold of its own signatures (1101)
* Update a delegating role's metadata when adding a new verification key to a
delegated role (1037)
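The two root-verification fixes above (0.16.0: signatures by the same root key count only once towards the threshold; 0.14.0: a newly downloaded root must be verified with a threshold of its own signatures as well as the trusted root's) are illustrated below. This is an added example, not python-tuf's code; it assumes HMAC-SHA256 with a per-key secret as a constructed stand-in for the public-key signatures python-tuf verifies through securesystemslib.

```python
# Added illustration (not python-tuf code): TUF-style threshold verification
# that counts each keyid once, plus the root-update check that a new root
# must be verified by the currently trusted root keys AND by its own keys.
# Assumption: HMAC-SHA256 with a shared secret stands in for the real
# public-key signatures python-tuf verifies via securesystemslib.
import hashlib
import hmac


def make_keys(names):
    """Constructed key set: keyid (sha256 of a label) -> signing secret."""
    return {hashlib.sha256(n.encode()).hexdigest(): n.encode() for n in names}


def sign(keys, keyid, signed_bytes):
    """Produce a TUF-style signature object {"keyid": ..., "sig": ...}."""
    mac = hmac.new(keys[keyid], signed_bytes, "sha256").hexdigest()
    return {"keyid": keyid, "sig": mac}


def verify_threshold(signed_bytes, signatures, role_keys, threshold):
    """True if at least `threshold` DISTINCT keyids listed in role_keys
    produced a valid signature over signed_bytes. A set is used so that two
    signatures from the same key count once (the 0.16.0 fix)."""
    verified = set()
    for sig in signatures:
        keyid = sig["keyid"]
        if keyid not in role_keys:
            continue  # signature by a key the role does not list: ignored
        expected = hmac.new(role_keys[keyid], signed_bytes, "sha256").hexdigest()
        if hmac.compare_digest(expected, sig["sig"]):
            verified.add(keyid)
    return len(verified) >= threshold


def verify_new_root(new_root_bytes, signatures,
                    trusted_keys, trusted_threshold,
                    new_keys, new_threshold):
    """Client workflow for root rotation (the 0.14.0 fix): the downloaded
    root must reach the threshold of the currently trusted root keys and
    the threshold of the keys it declares for itself."""
    return (verify_threshold(new_root_bytes, signatures, trusted_keys, trusted_threshold)
            and verify_threshold(new_root_bytes, signatures, new_keys, new_threshold))
```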


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.