arti/_service

<services>
    <service name="obs_scm" mode="manual">
        <param name="url">https://gitlab.torproject.org/tpo/core/arti.git</param>
        <param name="versionformat">@PARENT_TAG@~@TAG_OFFSET@</param>
        <param name="scm">git</param>
        <param name="revision">arti-v1.1.12</param>
        <param name="match-tag">*</param>
        <param name="versionrewrite-pattern">arti-v(\d+\.\d+\.\d+)</param>
        <param name="versionrewrite-replacement">\1</param>
        <param name="changesgenerate">enable</param>
    </service>

    <service name="set_version" mode="manual" />
    <service name="cargo_vendor" mode="manual">
        <param name="srcdir">arti</param>
        <param name="compression">zst</param>
        <param name="update">true</param>

        <!-- From
        https://gitlab.torproject.org/tpo/core/arti/-/blob/3c44d849f4c3332ccbb86328392d54e7c1d8e9b6/maint/cargo_audit
        -->

        <!--
        This is a real but theoretical unaligned read.  It might happen only on
        Windows and only with a custom global allocator, which we don't do in our
        arti binary.  The bad crate is depended on by env-logger and clap.
        This is being discussed by those crates' contributors here:
            https://github.com/clap-rs/clap/pull/4249
            https://github.com/rust-cli/env_logger/pull/246
        -->
        <param name="i-accept-the-risk">RUSTSEC-2021-0145</param>

        <!--
        As of 28 Nov 2023, all versions of the rsa crate have a variable
        timing attack that can leak private keys.
        
        We do not use (yet) do any private-key rsa operations in arti:
        we only use it to verify signatures.
        -->
        <param name="i-accept-the-risk">RUSTSEC-2023-0071</param>
    </service>

    <service name="cargo_audit" mode="manual">
        <param name="srcdir">arti</param>
    </service>


    <service name="tar" mode="buildtime" />
</services>