Files
arti/_service
Eyad Issa 6b1f12b482 - Use source urls to fetch sources
- Update to version 1.4.3:
  * Arti 1.4.3 adds adds the framework for measuring metrics
  * Initial groundwork for the Counter Galois Onion proposal
  * Some of the groundwork for congestion control, in the form of
    handshake negotiation code
  * The arti hsc flags --quiet and --force have been consolidated
    into a single --batch flag
  * Arti now exits by default when it does not support a
    recommended or required protocol
  * Cleanup, minor fixes and documentation enhancements

OBS-URL: https://build.opensuse.org/package/show/network/arti?expand=0&rev=31
2025-05-06 11:36:28 +00:00

63 lines
2.3 KiB
Plaintext

<services>
<service name="download_files" mode="manual" />
<service name="cargo_vendor" mode="manual">
<param name="srcdir">arti-*.tar.gz</param>
<param name="compression">zst</param>
<param name="update">true</param>
<!--
From https://gitlab.torproject.org/tpo/core/arti/-/blob/arti-v1.4.2/maint/cargo_audit
-->
<!--
This is a real but theoretical unaligned read. It might happen only on
Windows and only with a custom global allocator, which we don't do in our
arti binary. The bad crate is depended on by env-logger.
This is being discussed by those crates' contributors here:
https://github.com/rust-cli/env_logger/pull/246
-->
<param name="i-accept-the-risk">RUSTSEC-2021-0145</param>
<!--
As of 28 Nov 2023, all versions of the rsa crate have a variable
timing attack that can leak private keys.
We do not use (yet) do any private-key rsa operations in arti:
we only use it to verify signatures.
-->
<param name="i-accept-the-risk">RUSTSEC-2023-0071</param>
<!--
instant is unmaintained.
The current dependency path is:
arti -> signal-hook-async-std -> futures-lite -> fastrand -> instant
The 'signal-hook-async-std' lib hasn't been updated in three years and depends on `futures-lite = "~1"`.
The latest 'futures-lite' 2.6.0 uses a version of 'fastrand' that does not depend on instant.
We should consider trying to upstream patches for 'signal-hook-async-std',
or remove arti's dependence on it.
https://gitlab.torproject.org/tpo/core/arti/-/issues/1867
-->
<param name="i-accept-the-risk">RUSTSEC-2024-0384</param>
<!--
paste is unmaintained.
We depend on it directly in crates like tor-error, tor-persist, tor-config,
and also transitively, for example via
futures-rustls -> rustls -> aws-lc-rc -> paste
and slotmap-careful -> paste.
In the long run, we should consider replacing it with another crate
(concat-idents?).
-->
<param name="i-accept-the-risk">RUSTSEC-2024-0436</param>
</service>
<service name="cargo_audit" mode="manual">
<param name="srcdir">arti</param>
</service>
</services>