Accepting request 1126653 from network

Update to version 1.1.10:

OBS-URL: https://build.opensuse.org/request/show/1126653
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/arti?expand=0&rev=3

.gitattributes

@@ -21,5 +21,3 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
-## Specific LFS patterns
-vendor.tar.zstd filter=lfs diff=lfs merge=lfs -text

_service

@@ -3,7 +3,7 @@
         <param name="url">https://gitlab.torproject.org/tpo/core/arti.git</param>
         <param name="versionformat">@PARENT_TAG@~@TAG_OFFSET@</param>
         <param name="scm">git</param>
-        <param name="revision">arti-v1.1.9</param>
+        <param name="revision">arti-v1.1.10</param>
         <param name="match-tag">*</param>
         <param name="versionrewrite-pattern">arti-v(\d+\.\d+\.\d+)</param>
         <param name="versionrewrite-replacement">\1</param>
@@ -13,8 +13,49 @@
     <service name="set_version" mode="manual" />
     <service name="cargo_vendor" mode="manual">
         <param name="srcdir">arti</param>
-        <param name="compression">zstd</param>
+        <param name="compression">zst</param>
         <param name="update">true</param>
+
+        <!-- From
+        https://gitlab.torproject.org/tpo/core/arti/-/blob/58f578f9097b090b289f4ea59488044796428daf/maint/cargo_audit
+        -->
+
+        <!--
+        This is a real but theoretical unaligned read.  It might happen only on
+        Windows and only with a custom global allocator, which we don't do in our
+        arti binary.  The bad crate is depended on by env-logger and clap.
+        This is being discussed by those crates' contributors here:
+            https://github.com/clap-rs/clap/pull/4249
+            https://github.com/rust-cli/env_logger/pull/246
+        -->
+        <param name="i-accept-the-risk">RUSTSEC-2021-0145</param>
+
+        <!--
+        This is an API vulnerability in ed25519-dalek v1.x.x, to the
+        extent that it does not force you to store private and public
+        keys as a single keypair.
+
+        We have desigend our APIs to work around this, and believe we
+        are not affected.  We should eventually upgrade to
+        ed25519-dalek >= 2, however.
+        -->
+        <param name="i-accept-the-risk">RUSTSEC-2022-0093</param>
+
+        <!--
+        This is a DOS vulnerability against rustls-webpki (only some versions)
+        and webpki (all versions) where some cert chains can cause
+        ridiculous CPU usage.
+
+        We've upgraded our rustls-webpki usage, but webpki (which is
+        unmaintained) is still used by tls-api, which we use from
+        arti-hyper.
+
+        I've opened https://github.com/stepancheg/rust-tls-api/issues/45
+        for this issue, but I'm not sure whether `tls-api` is maintained.
+
+        See https://gitlab.torproject.org/tpo/core/arti/-/issues/1016
+        -->
+        <param name="i-accept-the-risk">RUSTSEC-2023-0052</param>
     </service>
     <service name="cargo_audit" mode="manual">
         <param name="srcdir">arti</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.torproject.org/tpo/core/arti.git</param>
-              <param name="changesrevision">9a7eeb27440d1a55e3b7052d5347be6fc54bedfb</param></service></servicedata>
+              <param name="changesrevision">3d8ac346c6044d9455944aa7a3c10fcc0baf814e</param></service></servicedata>

arti-1.1.10~0.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:38da75494a60fa93f21dc1dfb0e524539dd27067382d63babc9538a75902bf52
+size 59505166

arti-1.1.9~0.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c6a41a3865fed98931b7b1444371733c69bcff54871f020638c15c2aa4ee2248
-size 59273230

arti.changes

@@ -1,4 +1,50 @@
 -------------------------------------------------------------------
+Mon Nov 13 17:17:23 UTC 2023 - eyadlorenzo@gmail.com
+
+- Update to version 1.1.10:
+  
+  Arti 1.1.10 continues work on support for onion services in
+  Arti. At last, we can (technically) run as an onion service...
+  though not yet in a useful way. (Onion services don't yet recover
+  correctly after a restart, outdated keys are not removed, and we
+  are missing other important security features.)
+
+  ### Breaking changes in lower-level crates
+
+  - The [`IoErrorExt`] trait in [`tor-basic-utils`] is now
+    sealed. ([!1654])
+  - The [`Requestable`] trait in [`tor-dirclient`] is now sealed,
+    and most of its members are now private. ([!1679])
+  - In [`tor-cell`], stream and circuit IDs are now inherently
+    non-zero. To represent an ID that might be zero on the wire, we
+    now use
+    `Option<StreamId>` or `Option<CircId>`. ([#1080], [!1697])
+  - In [`tor-cell`], `CREATE2` handshake types are no longer raw
+    `u16` values. ([!1703])
+  - In [`tor-cert`], `encode_and_sign` now returns an
+    `Ed25519EncodedCert` rather than a raw `Vec<u8>`. ([!1702])
+
+  
+  ### Client features
+
+  - Arti can now be configured to listen for connections on
+    multiple arbitrary addresses—not just `localhost`. ([!1613])
+
+  ### Key manager
+
+  - The key manager code now has improved support for generating
+    keypairs, keys with derived data, and other structures needed for
+    onion services. ([!1653])
+  - The key manager now encodes whether a key is private or public in its
+    file extension. ([!1672])
+  - The key manager now disallows path components that could lead
+    (under some programming errors) to directory traversal. ([!1661])
+  - We can now list keys by path and type; this is important so that
+    we can identify disused keys and eventually expire them. ([!1677])
+
+  See https://gitlab.torproject.org/tpo/core/arti/-/blob/c39857a8a63200ed5ed539d1f9231b05d7da7e0d/CHANGELOG.md
+  for more info
+-------------------------------------------------------------------
 Mon Oct 30 12:37:00 UTC 2023 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 
 - Add _constraints file to avoid build failures

arti.obsinfo

@@ -1,4 +1,4 @@
 name: arti
-version: 1.1.9~0
-mtime: 1696280645
-commit: 9a7eeb27440d1a55e3b7052d5347be6fc54bedfb
+version: 1.1.10~0
+mtime: 1698768032
+commit: 3d8ac346c6044d9455944aa7a3c10fcc0baf814e

arti.spec

@@ -18,7 +18,7 @@
 
 Name:           arti
 #               This will be set by osc services, that will run after this.
-Version:        1.1.9~0
+Version:        1.1.10~0
 Release:        0
 Summary:        An implementation of Tor, in Rust.
 #               If you know the license, put it's SPDX string here.
@@ -26,7 +26,7 @@ Summary:        An implementation of Tor, in Rust.
 License:        Apache-2.0 OR MIT
 URL:            https://gitlab.torproject.org/tpo/core/arti
 Source0:        %{name}-%{version}.tar
-Source1:        vendor.tar.zstd
+Source1:        vendor.tar.zst
 Source2:        cargo_config
 BuildRequires:  cargo-packaging
 BuildRequires:  pkgconfig(openssl)

vendor.tar.zst

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf9b1bcb5b9222003bfb4f4abfbf0b2b6b87b6366d08596977d2a8993a456df4
+size 52740477

vendor.tar.zstd

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2c9556ffd7084d85561268e05f916141299aa6a8a25e7077fd2aff628ace9d60
-size 52447374