Accepting request 1296609 from network

- Add "AND LGPL-3.0-only" to the spec license tag, as arti links
  with Rust crates crates/equix and crates/hashx which are
  licensed under LGPL-3.0-only
- Update to version 1.4.5:
  * Breaking: Console logging now goes to stderr instead of stdout.
  * Arti 1.4.5 continues development on xon-based (proposal 324)
    flow control and Conflux. In addition, we have drafted an
    initial design for the directory cache storage model, which
    will be needed for the core relay functionality, and
    for the directory authority implementation.
  * Decreased the minimum allowed duration of the hsdir_interval to
    5 minutes
  * New experimental arti keys list and arti keys list-keystores
    subcommands for listing the existing keys and configured
    keystores
  * More work and bug fixes on the conflux implementation
  * Experimental support for launching a SOCKS proxy from a set of
    already bound listeners.
  * For a full changelog see
    /usr/share/doc/packages/arti/CHANGELOG.md

OBS-URL: https://build.opensuse.org/request/show/1296609
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/arti?expand=0&rev=15

_constraints

@@ -1,8 +1,8 @@
 <constraints>
   <hardware>
-    <memory>
-     <size unit="G">20</size>
-    </memory>
+    <physicalmemory>
+     <size unit="G">16</size>
+    </physicalmemory>
     <disk>
       <size unit="G">35</size>
     </disk>

_service

@@ -1,35 +1,23 @@
 <services>
-    <service name="obs_scm" mode="manual">
-        <param name="url">https://gitlab.torproject.org/tpo/core/arti.git</param>
-        <param name="versionformat">@PARENT_TAG@~@TAG_OFFSET@</param>
-        <param name="scm">git</param>
-        <param name="revision">arti-v1.2.5</param>
-        <param name="match-tag">*</param>
-        <param name="versionrewrite-pattern">arti-v(\d+\.\d+\.\d+)</param>
-        <param name="versionrewrite-replacement">\1</param>
-        <param name="changesgenerate">enable</param>
-    </service>
+    <service name="download_files" mode="manual" />
 
-    <service name="set_version" mode="manual" />
     <service name="cargo_vendor" mode="manual">
-        <param name="srcdir">arti</param>
+        <param name="srcdir">arti-*.tar.gz</param>
         <param name="compression">zst</param>
         <param name="update">true</param>
 
         <!--
-        From https://gitlab.torproject.org/tpo/core/arti/-/blob/2db5ccf16d2f977c073ba3f142513b920fb7b6a1/maint/cargo_audit
+        From https://gitlab.torproject.org/tpo/core/arti/-/blob/arti-v1.4.2/maint/cargo_audit
         -->
 
         <!--
-        This is a real but theoretical unaligned read.  It might happen only on
+        This is a real but theoretical unaligned read. It might happen only on
         Windows and only with a custom global allocator, which we don't do in our
-        arti binary.  The bad crate is depended on by env-logger and clap.
+        arti binary. The bad crate is depended on by env-logger.
         This is being discussed by those crates' contributors here:
-            https://github.com/clap-rs/clap/pull/4249
             https://github.com/rust-cli/env_logger/pull/246
         -->
         <param name="i-accept-the-risk">RUSTSEC-2021-0145</param>
-
         <!--
         As of 28 Nov 2023, all versions of the rsa crate have a variable
         timing attack that can leak private keys.
@@ -38,21 +26,37 @@
         we only use it to verify signatures.
         -->
         <param name="i-accept-the-risk">RUSTSEC-2023-0071</param>
-
-
         <!--
-        This is not a vulnerability but an unmaintained warning for
-        `generational-arena`. It is only used by arti-rpcserver (which is
-        experimental).
-        -->
-        <param name="i-accept-the-risk">RUSTSEC-2024-0014</param>
+        instant is unmaintained.
 
+        The current dependency path is:
+        arti -> signal-hook-async-std -> futures-lite -> fastrand -> instant
+
+        The 'signal-hook-async-std' lib hasn't been updated in three years and depends on `futures-lite = "~1"`.
+        The latest 'futures-lite' 2.6.0 uses a version of 'fastrand' that does not depend on instant.
+
+        We should consider trying to upstream patches for 'signal-hook-async-std',
+        or remove arti's dependence on it.
+
+        https://gitlab.torproject.org/tpo/core/arti/-/issues/1867
+        -->
+        <param name="i-accept-the-risk">RUSTSEC-2024-0384</param>
+        <!--
+        paste is unmaintained.
+
+        We depend on it directly in crates like tor-error, tor-persist, tor-config,
+        and also transitively, for example via
+        futures-rustls -> rustls -> aws-lc-rc -> paste
+        and slotmap-careful -> paste.
+
+        In the long run, we should consider replacing it with another crate
+        (concat-idents?).
+        -->
+        <param name="i-accept-the-risk">RUSTSEC-2024-0436</param>
     </service>
 
     <service name="cargo_audit" mode="manual">
         <param name="srcdir">arti</param>
     </service>
 
-
-    <service name="tar" mode="buildtime" />
 </services>

_servicedata

@@ -1,4 +0,0 @@
-<servicedata>
-<service name="tar_scm">
-                <param name="url">https://gitlab.torproject.org/tpo/core/arti.git</param>
-              <param name="changesrevision">ef4a4d3774ddf77eba7f23611dfea3c160fa77ef</param></service></servicedata>

arti-1.2.4~0.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5a0dbd802da3a948fb2a36c87acd209d1ba64e930612b810fd34361e20acc519
-size 60828686

arti-1.2.5~0.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fecb37af7202137f2bcca66242a7cb4f48b94cf66fe79d7a51614985902c0817
-size 60880910

arti-1.4.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:34870670962a50ae68d6c240a79f1d2729fd1b6617006518f9d42a0575cd87b9
+size 5548807

arti.changes

@@ -1,9 +1,195 @@
+-------------------------------------------------------------------
+Thu Jul 24 19:49:00 UTC 2025 - Eyad Issa <eyadlorenzo@gmail.com>
+
+- Add "AND LGPL-3.0-only" to the spec license tag, as arti links
+  with Rust crates crates/equix and crates/hashx which are
+  licensed under LGPL-3.0-only
+
+- Update to version 1.4.5:
+  * Breaking: Console logging now goes to stderr instead of stdout.
+  * Arti 1.4.5 continues development on xon-based (proposal 324)
+    flow control and Conflux. In addition, we have drafted an
+    initial design for the directory cache storage model, which
+    will be needed for the core relay functionality, and
+    for the directory authority implementation.
+  * Decreased the minimum allowed duration of the hsdir_interval to
+    5 minutes
+  * New experimental arti keys list and arti keys list-keystores
+    subcommands for listing the existing keys and configured
+    keystores
+  * More work and bug fixes on the conflux implementation
+  * Experimental support for launching a SOCKS proxy from a set of
+    already bound listeners.
+  * For a full changelog see
+    /usr/share/doc/packages/arti/CHANGELOG.md
+
+-------------------------------------------------------------------
+Sat Jun 14 13:19:34 UTC 2025 - Eyad Issa <eyadlorenzo@gmail.com>
+
+- Use %global instead of %define in arti.spec
+
+- Update to version 1.4.4:
+  * Arti now requires Rust 1.83
+  * Arti now supports Circuit Handshake Extensions
+  * arti-ureq: We no longer enable the rustls feature by default
+  * Continued development towards supporting Conflux tunnels in
+    Arti
+  * Continued development towards supporting Counter Galois Onion
+    relay cell encryption in Arti
+  * Arti no longer uses MiddleOnly relays for rendezvous points or
+    introduction points
+  * Continued progress on service-side Proof-of-Work (PoW) support
+  * Arti no longer uses the ".z" suffix in directory URLs
+  * tor-rtcompat: We no longer bundle an unused copy of the Lets
+    Encrypt root certificate
+
+-------------------------------------------------------------------
+Tue Jun  3 22:50:55 UTC 2025 - Eyad Issa <eyadlorenzo@gmail.com>
+
+- Re-run vendoring via obs-service-cargo
+- Increment rustc memory to 8GB/worker
+
+-------------------------------------------------------------------
+Tue May  6 11:33:05 UTC 2025 - Eyad Issa <eyadlorenzo@gmail.com>
+
+- Use source urls to fetch sources
+
+- Update to version 1.4.3:
+  * Arti 1.4.3 adds adds the framework for measuring metrics
+  * Initial groundwork for the Counter Galois Onion proposal
+  * Some of the groundwork for congestion control, in the form of
+    handshake negotiation code
+  * The arti hsc flags --quiet and --force have been consolidated
+    into a single --batch flag
+  * Arti now exits by default when it does not support a
+    recommended or required protocol
+  * Cleanup, minor fixes and documentation enhancements
+
+-------------------------------------------------------------------
+Thu May 01 16:20:51 UTC 2025 - Eyad Issa <eyadlorenzo@gmail.com>
+
+- Update to version 1.4.2:
+  * Arti's RPC subsystem is now stable and ready for use!
+  * This release continues development on Conflux,
+    and also fixes a number of bugs and security issues.
+  * Upgraded to ring version 0.17.13: fixes RUSTSEC-2025-0009
+  * Upgraded to rand version 0.9.0
+  * Longer-lived keys are now derived using a CautiousRng,
+    which combines inputs from several sources,
+    including OsRng, to minimize the likelihood of falling
+    to a vulnerability in any particular one
+  * Arti now imposes a maximum on its fallback estimated timeout,
+    to prevent integer overflow
+  * More Conflux development
+  * More RPC development
+
+  * For a full changelog see
+    /usr/share/doc/packages/arti/CHANGELOG.md
+
+- Update to version 1.4.1:
+  * Arti 1.4.1 contains
+    significant behind-the-scenes groundwork for Conflux,
+    a feature that improves performance and reliability
+    by allowing data streams to tunnel over multiple circuits.
+  * Arti now implements the client side of ID-based families
+    (a.k.a. "Happy Families"). When deployed everywhere on the
+    network, this feature will allow us to remove around 80-90%
+    of the data from microdescriptors, and save some administrative
+    complexity.
+
+  * For a full changelog see
+    /usr/share/doc/packages/arti/CHANGELOG.md
+
+
+- Update to version 1.4.0:
+  * Arti 1.4.0 offers a new RPC interface, continues work on the
+    relay implementation, includes an overhaul of the in-tree
+    documentation.
+
+  * Relay: Major refactoring of the circuit reactor, to use
+    select!, lifting it from async Rust's low-level "poll" to
+    "async fn"
+  * Relay: Improved CLI and add config loading
+  * Relay: Initial KIST support (Linux-only) in tor-proto
+  * Relay: Congestion control
+
+  * RPC: Cookie authentication
+  * RPC: Implement request cancellation
+  * RPC: Other improvements
+
+  * For a full changelog see
+    /usr/share/doc/packages/arti/CHANGELOG.md
+
+- Update to version 1.3.2:
+  * Arti 1.3.2 continues development on RPC,
+    and includes preparatory work for relay support and
+    service-side onion service denial-of-service resistance.
+  * The key-manager code can now store certificates as well as keys
+  * Initial implementation for RPC connect points, which will
+    provide a mechanism for applications to discover where Arti is
+    running, and connect to it securely.
+    This implementation is now working, but not yet fully
+    conformant to its specification.
+
+  * For a full changelog see
+    /usr/share/doc/packages/arti/CHANGELOG.md
+
+-------------------------------------------------------------------
+Sat Dec 14 01:54:45 UTC 2024 - Eyad Issa <eyadlorenzo@gmail.com>
+
+- Update to version 1.3.1:
+  * Continues development on onion services, the RPC subsystem,
+    and relay infrastructure.
+  * This release fixes a major bug in Arti's channel management
+    code, where in some circumstances, canceled pending channel
+    entries were not being cleaned up properly, preventing Arti
+    from building new channels to their target relays.
+
+-------------------------------------------------------------------
+Thu Nov 21 11:11:22 UTC 2024 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Increase %limit_build value to 5000 to avoid OOM seen on aarch64
+
+-------------------------------------------------------------------
+Sat Nov 16 15:39:59 UTC 2024 - Eyad Issa <eyadlorenzo@gmail.com>
+
+- Update to version 1.3.0:
+  * Achieved parity on most major client features with C Tor.
+  * Continued work on Arti Relay.
+  * The work-in-progress RPC system is significantly more clearly
+    defined and implementation is proceeding.
+  * More details can be found in the installed package changelog
+    (/usr/share/doc/packages/arti/CHANGELOG.md)
+
+
+- Update to version 1.2.8:
+  * Arti 1.2.8 continues development on onion services,
+    the RPC subsystem, key management, and relay infrastructure.
+    It also includes fixes for two security issues in
+    handling the SOCKS protocol, the most severe of which is rated at
+    "medium" according to our security policy.
+  * Increased MSRV to 1.77
+  * More details can be found in the installed package changelog
+    (/usr/share/doc/packages/arti/CHANGELOG.md)
+
+- Update to version 1.2.7:
+  * Arti 1.2.7 continues development on onion service client
+    authorization, the RPC subsystem, and relay infrastructure.
+  * More details can be found in the installed package changelog
+    (/usr/share/doc/packages/arti/CHANGELOG.md)
+
+- Update to version 1.2.6:
+  * Arti 1.2.7 continues development on onion service client authorization,
+    the RPC subsystem, and relay infrastructure.
+  * More details can be found in the installed package changelog
+    (/usr/share/doc/packages/arti/CHANGELOG.md)
+
 -------------------------------------------------------------------
 Sun Jul 14 18:25:45 UTC 2024 - Eyad Issa <eyadlorenzo@gmail.com>
 
 - Update to version 1.2.5:
   * Stop publishing the obsolete arti-hyper crate
-  * Update curve25519-dalek to avoid a low-severity timing 
+  * Update curve25519-dalek to avoid a low-severity timing
     vulnerability. (TROVE-2024-007)
   * With full vanguards, client rendezvous circuits
     do not reuse the final vanguard as the rendezvous point.
@@ -12,10 +198,10 @@ Sun Jul 14 18:25:45 UTC 2024 - Eyad Issa <eyadlorenzo@gmail.com>
   * Add skeleton, including (experimental): arti-relay crate,
     relay cargo feature in arti-client,
     relay command line argument to arti
-  * Add a key material export facility for some of our TLS 
+  * Add a key material export facility for some of our TLS
     implementations.
   * Tolerate removal of files from Arti's cache directory.
- 
+
 -------------------------------------------------------------------
 Thu Jun 27 13:19:29 UTC 2024 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 

arti.obsinfo

@@ -1,4 +0,0 @@
-name: arti
-version: 1.2.5~0
-mtime: 1719502875
-commit: ef4a4d3774ddf77eba7f23611dfea3c160fa77ef

arti.spec

@@ -1,7 +1,8 @@
 #
 # spec file for package arti
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 Eyad Issa <eyadlorenzo@gmail.com>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,17 +17,20 @@
 #
 
 
+%global git_hash aa7207f270f82b6d59cce26f4e49610b90447ebf
+
 Name:           arti
-Version:        1.2.5~0
+Version:        1.4.5
 Release:        0
 Summary:        An implementation of Tor, in Rust.
-License:        Apache-2.0 OR MIT
+License:        (Apache-2.0 OR MIT) AND LGPL-3.0-only
 URL:            https://gitlab.torproject.org/tpo/core/arti
-Source0:        %{name}-%{version}.tar
+Source0:        https://gitlab.torproject.org/tpo/core/arti/-/archive/arti-v%{version}/%{name}-%{version}.tar.gz
 Source1:        vendor.tar.zst
 BuildRequires:  cargo-packaging
 BuildRequires:  memory-constraints
 BuildRequires:  pkgconfig
+BuildRequires:  rust >= 1.83
 BuildRequires:  pkgconfig(openssl)
 BuildRequires:  pkgconfig(sqlite3)
 ExclusiveArch:  %{rust_tier1_arches}
@@ -35,10 +39,10 @@ ExclusiveArch:  %{rust_tier1_arches}
 An implementation of Tor, in Rust
 
 %prep
-%autosetup -p1 -a1
+%autosetup -p1 -a1 -n arti-arti-v%{version}-%{git_hash}
 
 %build
-%limit_build -m 4400
+%limit_build -m 8000
 %{cargo_build}
 
 %install

vendor.tar.zst

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:efe8d480e1894c2d445f06ba00c2def5dbe61dd2bf0c552157ddb891154bb90e
-size 58065960
+oid sha256:fafae8855f1c9a1cada6e96713264d8ee8d287dbd99bda887054d3555b60cfaf
+size 60322758