v6.0.0

This release is not strictly speaking an API break from 5.1 but it does contain some
major internal changes that users should be aware of when upgrading.

Changed

• ngclient: urllib3 is used as the HTTP library by default instead of requests (#2762,
  #2773, #2789)
  • This removes dependencies on requests, idna, charset-normalizer and certifi
  • The deprecated RequestsFetcher implementation is available but requires selecting
    the fetcher at Updater initialization and explicitly depending on requests
• ngclient: TLS certificate source was changed. Certificates now come from operating
  system certificate store instead of certifi (#2762)
• ngclient: The updater can now initialize from embedded initial root metadata every
  time. Users are recommended to provide the bootstrap argument to Updater (#2767)
• Test infrastructure has improved and should now be more usable externally, e.g. in
  distro test suites (#2749)

v5.1.0

Changed

• ngclient: default user-agent was updated from "tuf/x.y.z" to "python-tuf/x.y.z" (#2632)
• ngclient: max_root_rotations default value was bumped to 256 to prevent a too small value
  from creating issues in actual deployments were the embedded root is not easily
  updateable (#2675)
• repository: do_snapshot() and do_timestamp() now always create new versions if current version
  is not correctly signed (#2650)
• Various infrastructure and documentation improvements

v5.0.0

This release, most notably, marks stable securesystemslib v1.0.0 as minimum
requirement. The update causes a minor break in the new DSSE API (see below)
and affects users who also directly depend on securesystemslib. See the securesystemslib release
notes
and the updated python-tuf examples (#2617) for details. ngclient API remains
backwards-compatible.

Changed

• DSSE API: change SimpleEnvelope.signatures type to dict, remove
  SimpleEnvelope.signatures_dict (#2617)
• ngclient: support app-specific user-agents (#2612)
• Various build, test and lint improvements

v4.0.0

This release is a small API change for Metadata API users (see below).
ngclient API is compatible but optional DSSE support has been added.

Added

• Added optional DSSE support to Metadata API and ngclient (#2436)

Changed

• Metadata API: Improved verification functionality for repository users (#2551):
  • This is an API change for Metadata API users (
    Root.get_verification_result() and Targets.get_verification_result()
    specifically)
  • Root.get_root_verification_result() has been added to handle the special
    case of root verification
• Started using UTC datetimes instead of naive datetimes internally (#2573)
• Constrain securesystemslib dependency to <0.32.0 in preparation for future
  securesystemslib API changes
• Various build, test and lint improvements

v3.1.1

This is a security fix release to address advisory GHSA-77hh-43cm-v8j6. The issue does not affect tuf.ngclient users, but could affect tuf.api.metadata users.

Changed

• Added additional input validation to tuf.api.metadata.Targets.get_delegated_role()

v3.1.0

See CHANGELOG.md for details.

v3.0.0

See CHANGELOG.md for details.

v2.1.0

See CHANGELOG.md for details.

v2.0.0

See CHANGELOG.md for details.

v1.1.0

See CHANGELOG.md for details.