Python-Tuf v0.18.0 was recently released, and it is quite a big update with both major and minor changes. We will go through all of those changes, additions, fixes and removals in this document.
Without further ado, let's start!
What is Python-Tuf?
The Update Framework (TUF) helps developers maintain the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system. TUF is hosted by the Linux Foundation as part of the Cloud Native Computing Foundation (CNCF) and is used by various tech companies and open source organizations. A variant of TUF called Uptane is used to secure over-the-air updates in automobiles. The python-tuf repository is the reference implementation of The Update Framework (TUF). It is written in Python and intended to conform to version 1.0 of the TUF specification.
0.18 is quite a big release with three main themes:
Firstly, the latest release supports only Python 3, and the infrastructure has been modernized accordingly.
Secondly, the Metadata API (a low-level API for metadata de/serialization and modification) is now feature-complete for the client use cases. The new release also adds ngclient, a new high-level client API. Consider ngclient an unstable API that is not yet recommended for production use.
Finally, the GitHub project name changed. As of version 0.18.0, the project is named "python-tuf" instead of "tuf". Redirects are in place for the old name, but you should update your links.
Version 0.18.0 adds three architectural decision records: ADR6, which covers the implementation of serialization; ADR8, under which unrecognized fields get priority; and ADR9, which refines references for implementation purposes. It also adds a client network I/O abstraction.
The latest release brings many features to the Metadata API to support de/serializing specification-compliant metadata and safer access through API classes and methods such as Metadata.from_bytes()/to_bytes(), Key, Role, DelegatedRole, Delegations, MetaFile and TargetFile. Verification of the signature threshold is now supported, and there is a method for checking metadata expiration. Support for unrecognized fields in metadata was also added. Generics are now used to improve static typing, and the Metadata API received extensive testing and validation. The addition of ngclient, a new client library implementation, deserves a special mention. Finally, there are many infrastructure improvements, such as mypy, black and isort integration, and API reference documentation.
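To make three of the Metadata API behaviours listed above concrete, here is an added, stdlib-only model written for this post; it is not python-tuf's own code and does not use its API. It shows a from_bytes()/to_bytes() round trip that keeps unrecognized fields instead of dropping them, an expiration check against a reference time, and a signature-threshold check that counts distinct trusted keys rather than raw signatures. Everything in it is constructed: the keyids, the HMAC secrets that stand in for the ed25519/ecdsa/rsa public keys python-tuf handles through securesystemslib, the timestamp-like metadata, and json.dumps with sorted keys standing in for TUF canonical JSON.

```python
"""Stdlib-only model of Metadata API behaviours: added example, not python-tuf code."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional

# Constructed key material. Real TUF metadata carries public keys looked up by
# keyid; here a per-keyid HMAC secret stands in so the example runs offline.
KEYS: Dict[str, bytes] = {
    "keyid-a": b"constructed-secret-a",
    "keyid-b": b"constructed-secret-b",
    "keyid-c": b"constructed-secret-c",
}


def canonical(obj: Any) -> bytes:
    """Deterministic encoding of the signed portion (stand-in for TUF canonical JSON)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(keyid: str, payload: bytes) -> Dict[str, str]:
    return {"keyid": keyid, "sig": hmac.new(KEYS[keyid], payload, hashlib.sha256).hexdigest()}


def verify_sig(keyid: str, payload: bytes, sig: str) -> bool:
    if keyid not in KEYS:
        return False
    expected = hmac.new(KEYS[keyid], payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


@dataclass
class Metadata:
    signed: Dict[str, Any]
    signatures: List[Dict[str, str]]
    # Fields the parser does not know are preserved, not discarded.
    unrecognized_fields: Dict[str, Any] = field(default_factory=dict)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Metadata":
        doc = json.loads(data)
        signed = doc.pop("signed")
        signatures = doc.pop("signatures")
        return cls(signed, signatures, doc)  # whatever remains is unrecognized

    def to_bytes(self) -> bytes:
        doc = {"signed": self.signed, "signatures": self.signatures}
        doc.update(self.unrecognized_fields)  # round-trip the unknown fields
        return canonical(doc)

    def is_expired(self, reference_time: Optional[datetime] = None) -> bool:
        expires = datetime.strptime(self.signed["expires"], "%Y-%m-%dT%H:%M:%SZ")
        expires = expires.replace(tzinfo=timezone.utc)
        now = reference_time or datetime.now(timezone.utc)
        return now >= expires

    def verify_threshold(self, role_keyids: Iterable[str], threshold: int) -> bool:
        """True if at least `threshold` distinct keys trusted for the role signed `signed`."""
        allowed = set(role_keyids)
        payload = canonical(self.signed)
        valid_keyids = set()
        for s in self.signatures:
            kid = s["keyid"]
            if kid not in allowed:
                continue  # a key the role does not trust contributes nothing
            if verify_sig(kid, payload, s["sig"]):
                valid_keyids.add(kid)  # a set: the same key never counts twice
        return len(valid_keyids) >= threshold


def make_sample(signer_keyids: List[str]) -> bytes:
    """Constructed timestamp-like metadata signed by the given keyids."""
    signed = {
        "_type": "timestamp",
        "spec_version": "1.0.0",
        "version": 7,
        "expires": "2021-12-31T00:00:00Z",
        "meta": {"snapshot.json": {"version": 3}},
    }
    payload = canonical(signed)
    doc = {
        "signed": signed,
        "signatures": [sign(k, payload) for k in signer_keyids],
        "x-note": "field unknown to this parser",  # constructed unrecognized field
    }
    return canonical(doc)


def demo() -> Dict[str, bool]:
    """Exercise the three behaviours; every value is derived from the constructed sample."""
    role = ["keyid-a", "keyid-b", "keyid-c"]
    md = Metadata.from_bytes(make_sample(["keyid-a", "keyid-b"]))
    tampered = Metadata.from_bytes(make_sample(["keyid-a", "keyid-b"]))
    tampered.signed["version"] = 8  # signatures no longer cover these bytes
    duplicated = Metadata.from_bytes(make_sample(["keyid-a", "keyid-a"]))
    return {
        "two_of_three": md.verify_threshold(role, 2),
        "three_of_three": md.verify_threshold(role, 3),
        "tampered": tampered.verify_threshold(role, 2),
        "duplicate_key_counts_once": not duplicated.verify_threshold(role, 2),
        "expired_in_2022": md.is_expired(datetime(2022, 1, 1, tzinfo=timezone.utc)),
        "valid_in_2021": md.is_expired(datetime(2021, 6, 1, tzinfo=timezone.utc)),
        "round_trip_keeps_unknown": Metadata.from_bytes(md.to_bytes()).unrecognized_fields
        == {"x-note": "field unknown to this parser"},
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two negative cases in demo() are the ones worth remembering: a threshold is met by distinct keyids the role trusts, so two signatures from the same key do not satisfy a threshold of two, and any change to the signed portion after signing invalidates every signature over it.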
Version 0.18.0 removes Python 2 support and the direct dependency on six. Obsolete references to Thandy were also removed from the LICENSE file.
Dependencies were bumped: certifi, cryptography, idna, requests, securesystemslib, six and urllib3. The indirect dependency chardet was replaced with charset-normalizer. Metadata API serialization moved to a sub-package, the Metadata API now uses the securesystemslib Signer interface, and imports were made compatible with vendoring.
The latest release also brings a few fixes. 'ecdsa' is now a supported key type, various build infrastructure issues were fixed, and the test suite received fixes as well.
We have gone through all of the new additions and changes that Python-Tuf brought with version 0.18.0. You can try out the latest version by clicking here, and contribute to the repository by clicking here. Have a blast while trying out this framework, and we will see you in the next one.
You can find more of our blogs below. Happy learning!