Releases: in-toto/in-toto
Releases · in-toto/in-toto
v1.2.0
Added
Changed
- Bump dependencies: attrs (#482), cffi (#474), cryptography (#468, #472, #477, #481), iso8601 (#476, #478, #479), pycparser (#475), pynacl (#483), securesystemslib (#469)
- Use explicit UTF-8 encoding in open calls (#470)
- Misc. linter changes (#473)
- Update acknowledgment to reflect Purdue (#471)
Removed
- Python 3.6 support (#485)
v1.1.1
Added
- Added tests that use source and destination prefixes in match rules, courtesy of
Brandon Michael Hunter (#456)
Changed
v1.1.0
NOTE: this release of in-toto drops supports for Python 2.7.
This is because Python 2.7 was marked end-of-life in January of 2020, and
since then several of in-toto's direct and transitive dependencies have stopped
supporting Python 2.7.
Added
- SPDX License identifiers and copyright information (#440)
- Aditya Sirish (@adityasaky) as a maintainer (#443)
Changed
- PyPI development status from
Beta
toProduction/Stable
(#447) - Santiago Torres-Arias's (@SantiagoTorres) email to reflect Purdue affiliation
(#446) - Debian downstream release metadata (#437)
- Bump dependency: cryptography (#442)
Removed
- Dropped support for Python 2.7 (#438)
v1.0.1
NOTE: this will be the final release of in-toto that supports Python 2.7. This is because Python 2.7 was marked end-of-life in January of 2020, and since then several of in-toto's direct and transitive dependencies have stopped supporting Python 2.7.
Added
- Python 3.9 in the CI test matrix (#419)
- Logo and other visual enhancements on readthedocs (#420, #428)
- Review of first evaluation period for 2021 roadmap (#421)
Changed
- Switch to GitHub Actions for CI (#432)
- Switch to only running bandit on Python versions greater than 3.5 (#416)
- Debian downstream release metadata (#418)
- Bump tested dependencies: cffi (#415, #427), cryptography (#424, #429), securesystemslib (#430, #431), iso8601 (#423)
NOTE: the latest version of cryptography is no longer used on Python 2, as that is not supported.
Removed
- Dropped support for Python 3.5 (#419)
v1.0.0
Added
- '-P/--password' (prompt) cli argument for in-toto-run/in-toto-record (#402)
- in-toto-run link command timeout setting (#367)
- API and usage documentation for cryptographic key handling with
securesystemslib (#402, #408) - Artifact recording exclude pattern documentation (#373, #405)
- Test key generation mixin (#402)
- 2021 roadmap document (#381)
Changed
- Move 'settings' docs to new 'configuration' section and make minor
enhancements in structure and content (#405) - Update tested dependencies (#377, #383, #384, #386, #389, #390, #394, #397,
#398, #400, #404, #406, #409, #410, #411) - Debian downstream release metadata (#382)
Removed
- 'util' crypto module in favor of securesystemslib key interfaces (#402)
- Obsolete coveralls.io API call in Travis test builds (#399)
Fixed
Version 0.5.0
- Docs: Major CLI and API documentation overhaul and release (#341, #369)
- Bugfix: Use kwargs in in-toto-run to fix lstrip-paths bug (#340)
- Feature: Add option to specify target directory for generated metadata (#364)
- Tests: Add Python 3.8 to tested versions (#339)
- Tests: Add tmp dir and gpg key test mixins (#345)
- Tests: Use constant from securesystemslib to detect GPG in tests (#352)
- Tests: Enhance test suite feedback on Windows (#368)
- Dependencies: Misc updates (#342, #346, #349, #350, #353, #354, #356, #358, #359, #362, #363, #366)
Version 0.4.2
- Drop custom OpenPGP subpackage and subprocess module and instead use the
ones provided by securesystemslib, which are based on the in-toto
implementation and receive continued support from a larger community (#325)- A race condition that caused tests to sporadically fail was already fixed
in securesystemslib and is now also available to in-toto (#282,
secure-systems-lab/securesystemslib#186)
- A race condition that caused tests to sporadically fail was already fixed
- Add Sphinx boilerplate and update installation instructions (#298, #331)
- Update misc dependencies (#317, #318, #319, #320, #322, #323, #324, #326, #327, #328, #333, #335, #329)
- Update downstream debian metadata (#311, #334)
Version 0.4.1
Version 0.4.0
- Add REQUIRE artifact rule support (#269, #280)
- Enhance OpenPGP key export and provide key expiration verification (#266, #288)
- Make transitive dependency PyNaCl optional for in-toto (#291)
- Improve automatic testing and code coverage measurement (#295) as well
as static analysis with pylint (#279, #296) - Update repository metadata
- Add initial 1-year roadmap (#268)
- Revise dependency handling for monitoring and library compatibility (#294)
- Update maintainers and contributor information (#283, #274, #297)
- Enhance source distribution configs and include tests and other metadata,
relevant to downstream packagers, with future source distributions (#290)
Version 0.3.0
- Re-factor rule verification engine and fix for a false-reject on very specific layouts (#262)
- Add support for duplicate standard streams (#252)
- Enhance support for Summary link naming (i.e., better sublayout verification, #256)
- Improve rule verification messages (#243)
- Small fixes for OpenPGP parsing functions (#255)
- Properly verify self-signature and signature binding signatures upon export (#257)
- Add lstrip-paths parameter (as an enhancement/replacement for basepath) (#250)
- Fix a bug where multiple PGP subkeys could count towards the threshold (#251)
- Fix a bug where RSA signatures wouldn't be sufficiently padded and a signature would be erroneously-rejected #170
- Change license to Apache