In the past year we have made an effort to revise, redesign and rewrite this python-tuf reference implementation, and we are very excited to announce a stable 1.0.0 release scheduled for January 2022. The release will include:
- a modern low-level metadata API
- a fully specification-compliant updater client, serving as a more robust and yet more flexible stand-in replacement for the legacy client updater
As discussed in ADR 2, this release will not include any legacy code, as its maintenance has become infeasible for the python-tuf team. The pre-1.0.0 deprecation strategy from ADR 2 applies as follows:
Bugs reported with tuf versions prior to 1.0.0 will likely not be addressed directly by tuf’s maintainers. Pull Requests to fix bugs in the last release prior to 1.0.0 will be considered, and merged (subject to normal review processes). Note that there may be delays due to the lack of developer resources for reviewing such pull requests.
For the reasons outlined in ADR 10, this release will not yet include a new repository tool. However, the new metadata API makes it easy to replicate the desired functionality tailored to the specific needs of any given repository (see Migration for details).
Given the clean cut with the legacy reference implementation, we provide the following migration support:
- detailed code documentation on https://theupdateframework.readthedocs.io
- verbose code examples for client updater usage, and repository-side operations based on the low-level metadata API
- individual migration support upon request
- targeted migration support initiative for known users