tuf v0.10.1

Pre-release
@vladimir-v-diaz vladimir-v-diaz released this 13 Nov 22:11
· 3921 commits to develop since this release
v0.10.1
0b2b497

Note: This is a backwards-incompatible pre-release.

  • Add CHANGELOG.md, MAINTAINERS.txt, CODE-OF-CONDUCT.md, GOVERNANCE.md,
    ADOPTERS.md, DCO requirements, and instructions for submitting a vulnerability
    report.

  • Move specification to github.com/theupdateframework/specification.

  • Dual license the project: MIT license and Apache license, version 2.

  • Update to latest version of securesystemslib v0.10.8, which dropped PyCrypto
    and multi-lib support.

  • Add ecdsa-sha2-nistp256 to specification.

  • Remove directory of example metadata. Documentation now references unit test
    metadata.

  • Implement TAP 9 (mandatory metadata signing schemes).
    https://github.com/theupdateframework/taps/blob/master/tap9.md

  • Drop support for Python 2.6 and 3.3.

  • Support Python 3.6.

  • Improve code coverage to 99%.

  • Convert specification from text to Markdown format.

  • Add MERCURY paper, which covers protection against rollback attacks.

  • Implement TAP 6 (include specification version in metadata).

  • Implement TAP 10 (remove native support for compressed metadata).

  • Support ability to append an externally-generated signature to metadata.

  • Remove capitalization from rolenames listed in metadata.

  • Add a more detailed client workflow to specification.

  • Modify client workflow: A client must now fetch root first. Intermediate
    versions of Root must also be downloaded and verified by the client. See
    specification for modified workflow.

  • Fix bug with key IDs, where an incorrect number of key IDs is detected.

  • Minor bug fixes, such as catching correct type and number of exceptions,
    detection of slow retrieval attack, etc.

  • Do not list Root's hash and length in Snapshot (only its version number).

  • Allow user to configure hashing algorithm used to generate hashed bin delegations.

  • Fix Markdown errors in SECURITY.md.

  • Add fast-forward attack to specification.

  • Remove simple-settings dependency.

  • Move crypto-related code to external library (securesystemslib).

  • Allow replacement of already listed targets in metadata. Fix issue #319.

  • Add instructions for contributors in README.

  • Copy (rather than link) target file to consistent target. Fix issue #390.

  • Rename target() -> get_one_valid_targetinfo().

  • Ensure consistent Root is written if consistent snapshot = False. Fix issue #391.

  • repository_tool.status(): Print status of only the top-level roles.

  • Document and demonstrate protection against repository attacks.

  • Add installation instructions for Fedora-based environments.

  • Exclude "private" dict key from metadata.

  • "backtrack" attribute renamed to "terminating".

  • Fix data loss that might occur during sudden power failure. Pull requests #365, 367.

  • Add repository tool function that can mark roles as dirty.

  • Store all delegated roles in one flat directory.

  • Support Unix shell-style wildcards for paths listed in metadata.

  • Add draft of specification (version 1.0).

  • Sleep a short while during download.py while loop to release CPU.

  • Support multiple key ID hashing algorithms.

  • Prepend version number to filename of consistent metadata.

  • Remove updater method: refresh_targets_metadata_chain().

  • Add Diplomat paper. It covers integrating TUF with community repositories.

  • Add project logo.

  • Delegations now resemble a graph, rather than a tree.