tough: support the loading of an expired repo in unsafe mode

[webern]

Issue #, if available:

Closes #112
Supports bottlerocket-os/bottlerocket#905
Supports bottlerocket-os/bottlerocket#91

Description of changes:

Add a setting to the Settings object such that we can choose to load a repository with expired metadata if we want to. This supports a use case in Bottlerocket when we need to load a cached, local repository without access to networking, and where failing due to an expiration cannot be tolerated.

I used an enum for this setting, Unsafe vs Safe to make it clearer what this setting does, and thus harder to accidentally choose incorrectly.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[zmrow]

Looks good!

Two things:

• This is a API-breaking change so we'll want to make sure that we bump the minor version of the entire library and update the changelog.
• We'll probably want to add an argument to tuftool so a user can download an expired repo. This is also an API breaking change and deserves a version bump.

Let's get @iliana 's eyes on this too. :)

[webern]

• we'll want to make sure that we bump the minor version of the entire library and update the changelog.

Agreed. The versions are already bumped to 0.5.0 and I plan to write the changelog in a separate release PR.

• We'll probably want to add an argument to tuftool so a user can download an expired repo. This is also an API breaking change and deserves a version bump.

Yes, that could be added separately if we want the functionality exposed.

[iliana]

You can move my feedback into an issue. :)

[zmrow]

Nice work!

🏎️