build(deps): bump the minimum-runtime-dependencies group across 2 directories with 1 update

[dependabot]

Updates the requirements on and tuf to permit the latest version.
Updates tuf to 6.0.0

Release notes

Sourced from tuf's releases.

v6.0.0

This release is not strictly speaking an API break from 5.1 but it does contain some major internal changes that users should be aware of when upgrading.

Changed

• ngclient: urllib3 is used as the HTTP library by default instead of requests (#2762, #2773, #2789)
  • This removes dependencies on requests, idna, charset-normalizer and certifi
  • The deprecated RequestsFetcher implementation is available but requires selecting the fetcher at Updater initialization and explicitly depending on requests
• ngclient: TLS certificate source was changed. Certificates now come from operating system certificate store instead of certifi (#2762)
• ngclient: The updater can now initialize from embedded initial root metadata every time. Users are recommended to provide the bootstrap argument to Updater (#2767)
• Test infrastructure has improved and should now be more usable externally, e.g. in distro test suites (#2749)

Changelog

Sourced from tuf's changelog.

v6.0.0

This release is not strictly speaking an API break from 5.1 but it does contain some major internal changes that users should be aware of when upgrading.

Changed

• ngclient: urllib3 is used as the HTTP library by default instead of requests (#2762, #2773, #2789)
  • This removes dependencies on requests, idna, charset-normalizer and certifi
  • The deprecated RequestsFetcher implementation is available but requires selecting the fetcher at Updater initialization and explicitly depending on requests
• ngclient: TLS certificate source was changed. Certificates now come from operating system certificate store instead of certifi (#2762)
• ngclient: The updater can now initialize from embedded initial root metadata every time. Users are recommended to provide the bootstrap argument to Updater (#2767)
• Test infrastructure has improved and should now be more usable externally, e.g. in distro test suites (#2749)

v5.1.0

Changed

• ngclient: default user-agent was updated from "tuf/x.y.z" to "python-tuf/x.y.z" (#2632)
• ngclient: max_root_rotations default value was bumped to 256 to prevent a too small value from creating issues in actual deployments were the embedded root is not easily updateable (#2675)
• repository: do_snapshot() and do_timestamp() now always create new versions if current version is not correctly signed (#2650)
• Various infrastructure and documentation improvements

v5.0.0

This release, most notably, marks stable securesystemslib v1.0.0 as minimum requirement. The update causes a minor break in the new DSSE API (see below) and affects users who also directly depend on securesystemslib. See the securesystemslib release notes and the updated python-tuf examples (#2617) for details. ngclient API remains backwards-compatible.

Changed

• DSSE API: change SimpleEnvelope.signatures type to dict, remove SimpleEnvelope.signatures_dict (#2617)
• ngclient: support app-specific user-agents (#2612)
• Various build, test and lint improvements

v4.0.0

This release is a small API change for Metadata API users (see below).

... (truncated)

Commits

• bb6d459 Merge pull request #2806 from jku/prep-v6
• 44eed61 Prepare v6.0
• bef804b Merge pull request #2811 from DimitriPapadopoulos/codespell
• 4a28307 Fix typos
• b1d9021 build(deps): bump ruff in the test-and-lint-dependencies group (#2810)
• 15933a9 ngclient: Create directories as needed (#2808)
• 067ba1a Merge pull request #2809 from theupdateframework/dependabot-add-zizmor-to-group
• 097de2b dependabot: Add zizmor to lint dependencies
• 8df9f0f build(deps): bump the dependencies group with 2 updates (#2805)
• f66168f build(deps): bump ruff in the test-and-lint-dependencies group (#2804)
• Additional commits viewable in compare view

Updates tuf to 6.0.0

Release notes

Sourced from tuf's releases.

v6.0.0

This release is not strictly speaking an API break from 5.1 but it does contain some major internal changes that users should be aware of when upgrading.

Changed

• ngclient: urllib3 is used as the HTTP library by default instead of requests (#2762, #2773, #2789)
  • This removes dependencies on requests, idna, charset-normalizer and certifi
  • The deprecated RequestsFetcher implementation is available but requires selecting the fetcher at Updater initialization and explicitly depending on requests
• ngclient: TLS certificate source was changed. Certificates now come from operating system certificate store instead of certifi (#2762)
• ngclient: The updater can now initialize from embedded initial root metadata every time. Users are recommended to provide the bootstrap argument to Updater (#2767)
• Test infrastructure has improved and should now be more usable externally, e.g. in distro test suites (#2749)

Changelog

Sourced from tuf's changelog.

v6.0.0

This release is not strictly speaking an API break from 5.1 but it does contain some major internal changes that users should be aware of when upgrading.

Changed

• ngclient: urllib3 is used as the HTTP library by default instead of requests (#2762, #2773, #2789)
  • This removes dependencies on requests, idna, charset-normalizer and certifi
  • The deprecated RequestsFetcher implementation is available but requires selecting the fetcher at Updater initialization and explicitly depending on requests
• ngclient: TLS certificate source was changed. Certificates now come from operating system certificate store instead of certifi (#2762)
• ngclient: The updater can now initialize from embedded initial root metadata every time. Users are recommended to provide the bootstrap argument to Updater (#2767)
• Test infrastructure has improved and should now be more usable externally, e.g. in distro test suites (#2749)

v5.1.0

Changed

• ngclient: default user-agent was updated from "tuf/x.y.z" to "python-tuf/x.y.z" (#2632)
• ngclient: max_root_rotations default value was bumped to 256 to prevent a too small value from creating issues in actual deployments were the embedded root is not easily updateable (#2675)
• repository: do_snapshot() and do_timestamp() now always create new versions if current version is not correctly signed (#2650)
• Various infrastructure and documentation improvements

v5.0.0

This release, most notably, marks stable securesystemslib v1.0.0 as minimum requirement. The update causes a minor break in the new DSSE API (see below) and affects users who also directly depend on securesystemslib. See the securesystemslib release notes and the updated python-tuf examples (#2617) for details. ngclient API remains backwards-compatible.

Changed

• DSSE API: change SimpleEnvelope.signatures type to dict, remove SimpleEnvelope.signatures_dict (#2617)
• ngclient: support app-specific user-agents (#2612)
• Various build, test and lint improvements

v4.0.0

This release is a small API change for Metadata API users (see below).

... (truncated)

Commits

• bb6d459 Merge pull request #2806 from jku/prep-v6
• 44eed61 Prepare v6.0
• bef804b Merge pull request #2811 from DimitriPapadopoulos/codespell
• 4a28307 Fix typos
• b1d9021 build(deps): bump ruff in the test-and-lint-dependencies group (#2810)
• 15933a9 ngclient: Create directories as needed (#2808)
• 067ba1a Merge pull request #2809 from theupdateframework/dependabot-add-zizmor-to-group
• 097de2b dependabot: Add zizmor to lint dependencies
• 8df9f0f build(deps): bump the dependencies group with 2 updates (#2805)
• f66168f build(deps): bump ruff in the test-and-lint-dependencies group (#2804)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions