tag name: v2020.1 (932cc7dd18e7f09a756383c6ef7d16e105daecea)
tag date: 2020-02-20 16:36:41 +0000
tagged by: Colin Walters <walters@verbum.org>
tagged object: commit 04c85fa101...
download: ostree-2020.1.tar.gz
Release 2020.1
There is now support for making the [`/sysroot` mount point read-only to start](https://github.com/ostreedev/ostree/pull/1767), and this is used by Fedora CoreOS today. This protects against a lot of accidental damage, and also generalizes and improves the previous special case handling of having `/boot` read-only. One known issue is that `ostree pull` is broken with this enabled, and this will be fixed.

Error-handling around GPG verification has had an overhaul. Specifically, libostree now has more specific error codes to distinguish between different verification failures. This should allow apps to have more fine-grained control over how to respond to errors. Do note that the error messages themselves have changed, and we strongly suggest that anyone relying on a specific error message string migrate to using the API directly.

The original "archive" (split up objects) format didn't make it easy for a client system to know how much data it would be downloading. Later, static deltas were added which addressed this problem, but there are situations in which object fetches still occur. Later then, support for optional `sizes` metadata in commit objects was added but was never really stabilized/publicized. There were also some bugs in it. [That is now completed](https://github.com/ostreedev/ostree/pull/1957) - the sizes data is now stable, and new API was added to read it.

This release adds [initial fs-verity support](https://github.com/ostreedev/ostree/pull/1959); it doesn't do too much today. Bigger picture, it's important to understand that the vision of OSTree is to enable Linux systems that feel like they're "image based" (transactional, versioned updates, no dependency resolution client side), but also to enable things like doing commits on the client side. Today rpm-ostree supports replacing the kernel client side as a first class operation. This is crucially important to make it feel truly like a Linux system that *you own*. See also [this blog](https://blog.verbum.org/2019/12/23/starting-from-open-and-foss/). Having a story for how system integrity works in this model is more complicated, but we (the CoreOS team at RHT) will be continuing work on it.

A small tweak was made to have OSTree create repo structure directories and files (such as `objects/` or `.lock`) with group write permissions. This is useful for managing OSTree remote servers from multiple UIDs. For systems with the default umask of `0022`, this should have no effect.

We've extensively reworked CI for the upstream repo. In addition to Travis, testing is now done on top of Fedora CoreOS. Not all tests have been carried over, but expect to see more coming. This rework will also allow us to have more comprehensive tests previously not possible.

Several fixes were made to the test suite to handle the cases of systemd vs no-systemd, and `systemd` is now advertised in the list of features in `ostree --version` if present.

---

```
$ git shortlog --no-merges v2019.6..
Alex Kiernan (6):
      test-switchroot.sh: Exclude /proc from file list
      build: Expose systemd in OSTREE_FEATURES
      tests: Skip /var test if running with systemd and libmount
      test-switchroot.sh: Find ostree-prepare-root in installed tests
      fixup! test-switchroot.sh: Find ostree-prepare-root in installed tests
      build: fix systemd feature advertisement

Cole Robinson (1):
      docs: Fix 'package layering' rpm-ostree link

Colin Walters (8):
      Post-release version bump
      finalize-staged: Use the core option parsing to load sysroot
      Support mounting /sysroot (and /boot) read-only
      Initial fs-verity support
      Add .cci.jenkinsfile
      travis: Update debian/ubuntu environments
      ci: Replace PAPR with CoreOS CI
      deploy: Avoid trying to change immutable state unnecessarily

Dan Nicholson (26):
      lib/commit: Only set generate_sizes for archive repos
      tests/sizes: Improve metadata validation
      lib/commit: Fix object sizes metadata for multiple commits
      lib/commit: Make size entries for existing objects
      tests/sizes: Test sizes metadata with existing objects
      tests/sizes: Test that sizes metadata is not reused
      tests/sizes: Check duplicate file doesn't add sizes entry
      libarchive: Support commit sizes metadata
      core: Add OstreeCommitSizesEntry type
      core: Add ostree_commit_get_object_sizes API
      bin/show: Add --print-sizes option to show sizes metadata
      tests/core: Really pick C.UTF-8 locale
      ci/rpmostree: Bump to 2019.4
      lib/gpg: Prefer declare-and-initialize style
      tests/libtest: Record long GPG key IDs and fingerprints
      tests/libtest: Make temporary gpghome private
      tests/gpghome: Create revocation certificates for keys
      tests/gpg-verify-data: Split out signature data
      tests/gpg-verify-data: Empty out trustdb.gpg
      tests/test-gpg-verify-result: Allow specifying signature files
      lib/gpg: Add more specific OstreeGpgError codes
      tests/gpg: Test ostree_gpg_verify_result_require_valid_signature
      tests/gpg: Add tests for importing updated remote GPG keys
      ci/flatpak: Patch GPG error assertions from OSTree
      ostree/trivial-httpd: Fix --autoexit with --daemonize and --log-file
      ostree/trivial-httpd: Add log message for autoexit

John Hiesey (1):
      lib/commit: Include object type in sizes metadata

Jonathan Lebon (1):
      lib/repo: Create repo directories as 0775

clime (1):
      Update ostree-pull.xml with info about pulled refs location and access
```

Git-EVTag-v0-SHA512: b3907c7d53696eee789bf9be60df54385a3146347b78752212745b2f84e0429b5d50f8cb7408b2be483757893e1b65dc1eeb5c8fa1f6446efbe81efbd998e249
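The interaction between the group-write change and the process umask described in the release notes, as an added example (not OSTree's own code). It requests `0775` for a repo directory and, as an assumption, `0664` for a `.lock` file, then reports the modes the kernel actually applies and which entries end up group-writable; `create_repo_skeleton`, `group_writable` and `demo` are hypothetical helper names, and a POSIX filesystem is assumed.

```python
import os
import stat
import tempfile

REPO_DIR_MODE = 0o775   # directory mode named in the shortlog ("Create repo directories as 0775")
REPO_FILE_MODE = 0o664  # assumption: group-writable mode for files such as .lock


def create_repo_skeleton(root, umask):
    """Create objects/ and .lock under root with the given umask; return effective modes."""
    old = os.umask(umask)
    try:
        # The requested mode is ANDed with ~umask by the kernel at creation time.
        os.mkdir(os.path.join(root, "objects"), REPO_DIR_MODE)
        fd = os.open(os.path.join(root, ".lock"),
                     os.O_CREAT | os.O_EXCL | os.O_WRONLY, REPO_FILE_MODE)
        os.close(fd)
    finally:
        os.umask(old)  # always restore the caller's umask
    return {
        name: os.lstat(os.path.join(root, name)).st_mode & 0o777
        for name in ("objects", ".lock")
    }


def group_writable(root):
    """Audit helper: relative paths under root that carry the group-write bit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWGRP:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo(umask):
    """Build a throwaway skeleton under the given umask and report what was created."""
    with tempfile.TemporaryDirectory() as root:
        modes = create_repo_skeleton(root, umask)
        return modes, group_writable(root)


if __name__ == "__main__":
    for mask in (0o022, 0o002):
        modes, writable = demo(mask)
        print(f"umask {mask:04o}:", {k: oct(v) for k, v in modes.items()}, writable)
```

Under umask `0022` the group-write bit is masked off, matching the "no effect" statement; only a more permissive umask such as `0002` exposes the repo to writes from every member of the owning group, so that group's membership becomes part of the repo's trust boundary.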