secure-systems-lab / lab-guidelines

How-to guides for Secure Systems Lab (SSL) projects and documents
https://ssl.engineering.nyu.edu/
MIT License

Consistent release versioning and tagging #20

Open lukpueh opened 4 years ago

lukpueh commented 4 years ago

Consistent release version numbers and corresponding git tags are not only expected by users of our software, but also necessary for automated tools, such as dependency scanners, or downstream packager update detectors (see https://github.com/secure-systems-lab/securesystemslib/issues/167 and https://github.com/in-toto/in-toto/issues/286 for discussions).

Versioning

"Semantic versioning" (semver) provides a clearly defined de-facto standard, which we already adhere to with TUF, in-toto and securesystemslib (more or less). We should make this a principle and be strict about it.

Tagging

The easiest way seems to just use the semantic version number as git tag name. However, @SantiagoTorres has a compelling argument for v-prefixing the semantic version string, that is command line auto-completion (e.g. git checkout v[tab]).

Most importantly, there should be no switching between conventions, such as a mix of X.Y.Z, vX.Y.Z or <arbitrary-prefix>vX.Y.Z (see in-toto#releases and securesystemslib#releases).

lukpueh commented 4 years ago

I just found out that TUF uses PEP 440 (see https://github.com/theupdateframework/specification/issues/33#issuecomment-468379281).

I am not sure if we are doing it right though. Take a look at the TUF release history on PyPI: it is ordered by version numbers, but the order does not align with the order of the release dates.
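A small checker for the two concerns raised in this thread, mixed tag conventions (X.Y.Z vs vX.Y.Z vs <arbitrary-prefix>vX.Y.Z) and a version order that disagrees with release dates. This is an added example, not code from the issue or from the lab's repositories; it treats the part of a tag after the prefix as a semver core rather than a full PEP 440 version, and the tag names and dates are constructed.

```python
import re
from collections import defaultdict

# Everything before the first digit is the tag "convention" ("", "v", "release-v", ...);
# the rest must be a semver core MAJOR.MINOR.PATCH with an optional -pre-release.
TAG_RE = re.compile(r"^(?P<prefix>\D*)(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
                    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?$")

# Constructed sample data, not the labs' real tag or release history.
SAMPLE_TAGS = ["0.9.0", "v0.10.0", "release-v1.0.0", "1.0.0-rc1", "nightly"]
SAMPLE_RELEASES = [("1.0.0", "2020-01-10"), ("0.9.1", "2020-02-01"), ("1.1.0", "2020-03-05")]

def parse_tag(tag):
    """Return (prefix, sort_key) for a semver-style tag, or None if it is not one."""
    m = TAG_RE.match(tag)
    if not m:
        return None
    core = tuple(int(m.group(g)) for g in ("major", "minor", "patch"))
    # A pre-release sorts before its final release; pre-release ids are compared as plain text.
    return m.group("prefix"), core + (m.group("pre") is None, m.group("pre") or "")

def check_tags(tags):
    """List problems: tags that are not semver, and a mix of prefix conventions."""
    by_prefix, problems = defaultdict(list), []
    for tag in tags:
        parsed = parse_tag(tag)
        if parsed is None:
            problems.append(f"{tag!r}: not a semantic version tag")
        else:
            by_prefix[parsed[0]].append(tag)
    if len(by_prefix) > 1:
        mixed = ", ".join(f"{p!r}: {t}" for p, t in sorted(by_prefix.items()))
        problems.append(f"mixed tag conventions: {mixed}")
    return problems

def sort_by_version(tags):
    """Order tags by version number (a plain string sort puts 0.10.0 before 0.9.0)."""
    return sorted((t for t in tags if parse_tag(t)), key=lambda t: parse_tag(t)[1])

def date_order_mismatches(releases):
    """Given (tag, ISO date) pairs, return tags published after a higher version."""
    mismatches, highest = [], None
    for tag, _ in sorted((r for r in releases if parse_tag(r[0])), key=lambda r: r[1]):
        key = parse_tag(tag)[1]
        if highest is not None and key < highest:
            mismatches.append(tag)
        elif highest is None or key > highest:
            highest = key
    return mismatches
```

Running it against the constructed data reports the non-semver tag, the three competing prefixes, and 0.9.1 as a release published after the higher 1.0.0, which is the kind of inconsistency a dependency scanner or update detector trips over.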