Accepting request 1138965 from home:VaiTon:branches:network

- Update to version 1.1.12~0:
  Arti 1.1.12 continues work on support for running onion services.
  You can now launch an onion service and expect it to run,
  though the user experience leaves a lot to be desired.
  Don't rely on this onion service implementation for security yet;
  there are a number of [missing security features]
  we will need to develop before we can recommend them
  for actual use.
  3c44d849f4/CHANGELOG.md
- Updated the ignored RUSTSEC advisories, as per the project
  recommended way of building the crate

OBS-URL: https://build.opensuse.org/request/show/1138965
OBS-URL: https://build.opensuse.org/package/show/network/arti?expand=0&rev=12

_service

@@ -3,7 +3,7 @@
         <param name="url">https://gitlab.torproject.org/tpo/core/arti.git</param>
         <param name="versionformat">@PARENT_TAG@~@TAG_OFFSET@</param>
         <param name="scm">git</param>
-        <param name="revision">arti-v1.1.11</param>
+        <param name="revision">arti-v1.1.12</param>
         <param name="match-tag">*</param>
         <param name="versionrewrite-pattern">arti-v(\d+\.\d+\.\d+)</param>
         <param name="versionrewrite-replacement">\1</param>
@@ -17,7 +17,7 @@
         <param name="update">true</param>
 
         <!-- From
-        https://gitlab.torproject.org/tpo/core/arti/-/blob/58f578f9097b090b289f4ea59488044796428daf/maint/cargo_audit
+        https://gitlab.torproject.org/tpo/core/arti/-/blob/3c44d849f4c3332ccbb86328392d54e7c1d8e9b6/maint/cargo_audit
         -->
 
         <!--
@@ -31,31 +31,13 @@
         <param name="i-accept-the-risk">RUSTSEC-2021-0145</param>
 
         <!--
-        This is an API vulnerability in ed25519-dalek v1.x.x, to the
-        extent that it does not force you to store private and public
-        keys as a single keypair.
-
-        We have desigend our APIs to work around this, and believe we
-        are not affected.  We should eventually upgrade to
-        ed25519-dalek >= 2, however.
+        As of 28 Nov 2023, all versions of the rsa crate have a variable
+        timing attack that can leak private keys.
+        
+        We do not use (yet) do any private-key rsa operations in arti:
+        we only use it to verify signatures.
         -->
-        <param name="i-accept-the-risk">RUSTSEC-2022-0093</param>
-
-        <!--
-        This is a DOS vulnerability against rustls-webpki (only some versions)
-        and webpki (all versions) where some cert chains can cause
-        ridiculous CPU usage.
-
-        We've upgraded our rustls-webpki usage, but webpki (which is
-        unmaintained) is still used by tls-api, which we use from
-        arti-hyper.
-
-        I've opened https://github.com/stepancheg/rust-tls-api/issues/45
-        for this issue, but I'm not sure whether `tls-api` is maintained.
-
-        See https://gitlab.torproject.org/tpo/core/arti/-/issues/1016
-        -->
-        <param name="i-accept-the-risk">RUSTSEC-2023-0052</param>
+        <param name="i-accept-the-risk">RUSTSEC-2023-0071</param>
     </service>
 
     <service name="cargo_audit" mode="manual">

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.torproject.org/tpo/core/arti.git</param>
-              <param name="changesrevision">db9a5263e7b185b90750c658dff8e5a50fce0a2e</param></service></servicedata>
+              <param name="changesrevision">d6e89fbb361137efcfb0ce5d66437a6ff77cdb2e</param></service></servicedata>

arti-1.1.11~0.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:089bb58b408fa5952267f0b1124f64368cf05497cde2a9f7f4f7c57e56ea0a2d
-size 59665934

arti-1.1.12~0.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bed3a87097a7d6539a4fefc3540de5e7c80b80000509065ae8cd61607e8bb226
+size 59838990

arti.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Mon Jan 15 14:15:55 UTC 2024 - eyadlorenzo@gmail.com
+
+- Update to version 1.1.12~0:
+
+  Arti 1.1.12 continues work on support for running onion services.
+  You can now launch an onion service and expect it to run,
+  though the user experience leaves a lot to be desired.
+  Don't rely on this onion service implementation for security yet;
+  there are a number of [missing security features]
+  we will need to develop before we can recommend them
+  for actual use.
+
+  https://gitlab.torproject.org/tpo/core/arti/-/blob/3c44d849f4c3332ccbb86328392d54e7c1d8e9b6/CHANGELOG.md
+
+- Updated the ignored RUSTSEC advisories, as per the project
+  recommended way of building the crate
+
 -------------------------------------------------------------------
 Fri Dec 08 22:07:44 UTC 2023 - eyadlorenzo@gmail.com
 

arti.obsinfo

@@ -1,4 +1,4 @@
 name: arti
-version: 1.1.11~0
-mtime: 1701710674
-commit: db9a5263e7b185b90750c658dff8e5a50fce0a2e
+version: 1.1.12~0
+mtime: 1704811794
+commit: d6e89fbb361137efcfb0ce5d66437a6ff77cdb2e

arti.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package arti
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 Name:           arti
 #               This will be set by osc services, that will run after this.
-Version:        1.1.11~0
+Version:        1.1.12~0
 Release:        0
 Summary:        An implementation of Tor, in Rust.
 #               If you know the license, put it's SPDX string here.

vendor.tar.zst

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:cf0871aaea272014e2621b49fe7d567ff3ab43499bfeac492c61fb27e24e0e2e
-size 56607331
+oid sha256:6d69828d0930667af3a0808e34d108f34d1320a950a59afc45d756d1f7e7010b
+size 56685850