Releases: in-toto/in-toto

v1.2.0

08 Feb 11:29
v1.2.0
9a345ad

Added

  • Python 3.10 support (#480)
  • Roadmap review (#463)

Changed

Removed

  • Python 3.6 support (#485)

v1.1.1

27 Jul 16:52
v1.1.1
e8d180f

Added

  • Added tests that use source and destination prefixes in match rules, courtesy of
    Brandon Michael Hunter (#456)

Changed

  • Updated documentation of command alignment during verification workflow (#455)
  • Started using GitHub-native dependabot (#450)
  • Bump dependencies: attrs (#451), six (#452), securesystemslib (#453),
    cffi (#457), python-dateutil (#458), iso8601 (#459), pathspec (#460)
  • Fixed linter warnings (#462)

v1.1.0

30 Apr 18:12
v1.1.0
cc99c9f

NOTE: this release of in-toto drops support for Python 2.7.
This is because Python 2.7 was marked end-of-life in January of 2020, and
since then several of in-toto's direct and transitive dependencies have stopped
supporting Python 2.7.

Added

  • SPDX License identifiers and copyright information (#440)
  • Aditya Sirish (@adityasaky) as a maintainer (#443)

Changed

  • PyPI development status from Beta to Production/Stable (#447)
  • Santiago Torres-Arias's (@SantiagoTorres) email to reflect Purdue affiliation
    (#446)
  • Debian downstream release metadata (#437)
  • Bump dependency: cryptography (#442)

Removed

  • Dropped support for Python 2.7 (#438)

v1.0.1

01 Mar 18:17
v1.0.1
4d2fe76

NOTE: this will be the final release of in-toto that supports Python 2.7. This is because Python 2.7 was marked end-of-life in January of 2020, and since then several of in-toto's direct and transitive dependencies have stopped supporting Python 2.7.

Added

  • Python 3.9 in the CI test matrix (#419)
  • Logo and other visual enhancements on readthedocs (#420, #428)
  • Review of first evaluation period for 2021 roadmap (#421)

Changed

  • Switch to GitHub Actions for CI (#432)
  • Switch to only running bandit on Python versions greater than 3.5 (#416)
  • Debian downstream release metadata (#418)
  • Bump tested dependencies: cffi (#415, #427), cryptography (#424, #429), securesystemslib (#430, #431), iso8601 (#423)
    NOTE: the latest version of cryptography is no longer used on Python 2, as that is not supported.

Removed

  • Dropped support for Python 3.5 (#419)

v1.0.0

23 Nov 18:48
v1.0.0
5ede520

Added

  • '-P/--password' (prompt) cli argument for in-toto-run/in-toto-record (#402)
  • in-toto-run link command timeout setting (#367)
  • API and usage documentation for cryptographic key handling with
    securesystemslib (#402, #408)
  • Artifact recording exclude pattern documentation (#373, #405)
  • Test key generation mixin (#402)
  • 2021 roadmap document (#381)

Changed

Removed

  • 'util' crypto module in favor of securesystemslib key interfaces (#402)
  • Obsolete coveralls.io API call in Travis test builds (#399)

Fixed

Version 0.5.0

13 Jul 10:27
v0.5.0
a621c3b
  • Docs: Major CLI and API documentation overhaul and release (#341, #369)
  • Bugfix: Use kwargs in in-toto-run to fix lstrip-paths bug (#340)
  • Feature: Add option to specify target directory for generated metadata (#364)
  • Tests: Add Python 3.8 to tested versions (#339)
  • Tests: Add tmp dir and gpg key test mixins (#345)
  • Tests: Use constant from securesystemslib to detect GPG in tests (#352)
  • Tests: Enhance test suite feedback on Windows (#368)
  • Dependencies: Misc updates (#342, #346, #349, #350, #353, #354, #356, #358, #359, #362, #363, #366)

Version 0.4.2

07 Jan 11:08
v0.4.2
91ff647
  • Drop custom OpenPGP subpackage and subprocess module and instead use the
    ones provided by securesystemslib, which are based on the in-toto
    implementation and receive continued support from a larger community (#325)
  • Add Sphinx boilerplate and update installation instructions (#298, #331)
  • Update misc dependencies (#317, #318, #319, #320, #322, #323, #324, #326, #327, #328, #333, #335, #329)
  • Update downstream debian metadata (#311, #334)

Version 0.4.1

14 Oct 09:41
v0.4.1
47ed233
  • Update securesystemslib dependency to v0.12.0 (#299)
  • Add --version option to CLI tools (#310)
  • Address linter warnings (#308)
  • Update downstream debian metadata (#302, #305, #309)

Version 0.4.0

09 Sep 17:02
v0.4.0
605c434
  • Add REQUIRE artifact rule support (#269, #280)
  • Enhance OpenPGP key export and provide key expiration verification (#266, #288)
  • Make transitive dependency PyNaCl optional for in-toto (#291)
  • Improve automatic testing and code coverage measurement (#295) as well
    as static analysis with pylint (#279, #296)
  • Update repository metadata
    • Add initial 1-year roadmap (#268)
    • Revise dependency handling for monitoring and library compatibility (#294)
    • Update maintainers and contributor information (#283, #274, #297)
    • Enhance source distribution configs and include tests and other metadata,
      relevant to downstream packagers, with future source distributions (#290)

Version 0.3.0

22 Mar 17:36
v0.3.0
a481e47
  • Re-factor rule verification engine and fix for a false-reject on very specific layouts (#262)
  • Add support for duplicate standard streams (#252)
  • Enhance support for Summary link naming (i.e., better sublayout verification, #256)
  • Improve rule verification messages (#243)
  • Small fixes for OpenPGP parsing functions (#255)
  • Properly verify self-signature and signature binding signatures upon export (#257)
  • Add lstrip-paths parameter (as an enhancement/replacement for basepath) (#250)
  • Fix a bug where multiple PGP subkeys could count towards the threshold (#251)
  • Fix a bug where RSA signatures wouldn't be sufficiently padded and a signature would be erroneously rejected (#170)
  • Change license to Apache