- Update to version 1.4.3: * Arti 1.4.3 adds adds the framework for measuring metrics * Initial groundwork for the Counter Galois Onion proposal * Some of the groundwork for congestion control, in the form of handshake negotiation code * The arti hsc flags --quiet and --force have been consolidated into a single --batch flag * Arti now exits by default when it does not support a recommended or required protocol * Cleanup, minor fixes and documentation enhancements OBS-URL: https://build.opensuse.org/package/show/network/arti?expand=0&rev=31
63 lines
2.3 KiB
Plaintext
63 lines
2.3 KiB
Plaintext
<services>
|
|
<service name="download_files" mode="manual" />
|
|
|
|
<service name="cargo_vendor" mode="manual">
|
|
<param name="srcdir">arti-*.tar.gz</param>
|
|
<param name="compression">zst</param>
|
|
<param name="update">true</param>
|
|
|
|
<!--
|
|
From https://gitlab.torproject.org/tpo/core/arti/-/blob/arti-v1.4.2/maint/cargo_audit
|
|
-->
|
|
|
|
<!--
|
|
This is a real but theoretical unaligned read. It might happen only on
|
|
Windows and only with a custom global allocator, which we don't do in our
|
|
arti binary. The bad crate is depended on by env-logger.
|
|
This is being discussed by those crates' contributors here:
|
|
https://github.com/rust-cli/env_logger/pull/246
|
|
-->
|
|
<param name="i-accept-the-risk">RUSTSEC-2021-0145</param>
|
|
<!--
|
|
As of 28 Nov 2023, all versions of the rsa crate have a variable
|
|
timing attack that can leak private keys.
|
|
|
|
We do not use (yet) do any private-key rsa operations in arti:
|
|
we only use it to verify signatures.
|
|
-->
|
|
<param name="i-accept-the-risk">RUSTSEC-2023-0071</param>
|
|
<!--
|
|
instant is unmaintained.
|
|
|
|
The current dependency path is:
|
|
arti -> signal-hook-async-std -> futures-lite -> fastrand -> instant
|
|
|
|
The 'signal-hook-async-std' lib hasn't been updated in three years and depends on `futures-lite = "~1"`.
|
|
The latest 'futures-lite' 2.6.0 uses a version of 'fastrand' that does not depend on instant.
|
|
|
|
We should consider trying to upstream patches for 'signal-hook-async-std',
|
|
or remove arti's dependence on it.
|
|
|
|
https://gitlab.torproject.org/tpo/core/arti/-/issues/1867
|
|
-->
|
|
<param name="i-accept-the-risk">RUSTSEC-2024-0384</param>
|
|
<!--
|
|
paste is unmaintained.
|
|
|
|
We depend on it directly in crates like tor-error, tor-persist, tor-config,
|
|
and also transitively, for example via
|
|
futures-rustls -> rustls -> aws-lc-rc -> paste
|
|
and slotmap-careful -> paste.
|
|
|
|
In the long run, we should consider replacing it with another crate
|
|
(concat-idents?).
|
|
-->
|
|
<param name="i-accept-the-risk">RUSTSEC-2024-0436</param>
|
|
</service>
|
|
|
|
<service name="cargo_audit" mode="manual">
|
|
<param name="srcdir">arti</param>
|
|
</service>
|
|
|
|
</services>
|