Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package arti for openSUSE:Factory checked in at 2025-06-05 20:33:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/arti (Old)
 and      /work/SRC/openSUSE:Factory/.arti.new.19631 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "arti" Thu Jun 5 20:33:56 2025 rev:13 rq:1282900 version:1.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/arti/arti.changes 2024-12-15 12:40:42.927015020 +0100 +++ /work/SRC/openSUSE:Factory/.arti.new.19631/arti.changes 2025-06-05 20:36:32.398783774 +0200 
@@ -1,0 +2,91 @@ +Tue Jun 3 22:50:55 UTC 2025 - Eyad Issa <eyadlore...@gmail.com> + +- Re-run vendoring via obs-service-cargo +- Increment rustc memory to 8GB/worker + +------------------------------------------------------------------- +Tue May 6 11:33:05 UTC 2025 - Eyad Issa <eyadlore...@gmail.com> + +- Use source urls to fetch sources + +- Update to version 1.4.3: + * Arti 1.4.3 adds adds the framework for measuring metrics + * Initial groundwork for the Counter Galois Onion proposal + * Some of the groundwork for congestion control, in the form of + handshake negotiation code + * The arti hsc flags --quiet and --force have been consolidated + into a single --batch flag + * Arti now exits by default when it does not support a + recommended or required protocol + * Cleanup, minor fixes and documentation enhancements + +------------------------------------------------------------------- +Thu May 01 16:20:51 UTC 2025 - Eyad Issa <eyadlore...@gmail.com> + +- Update to version 1.4.2: + * Arti's RPC subsystem is now stable and ready for use! + * This release continues development on Conflux, + and also fixes a number of bugs and security issues. + * Upgraded to ring version 0.17.13: fixes RUSTSEC-2025-0009 + * Upgraded to rand version 0.9.0 + * Longer-lived keys are now derived using a CautiousRng, + which combines inputs from several sources, + including OsRng, to minimize the likelihood of falling + to a vulnerability in any particular one + * Arti now imposes a maximum on its fallback estimated timeout, + to prevent integer overflow + * More Conflux development + * More RPC development + + * For a full changelog see + /usr/share/doc/packages/arti/CHANGELOG.md + +- Update to version 1.4.1: + * Arti 1.4.1 contains + significant behind-the-scenes groundwork for Conflux, + a feature that improves performance and reliability + by allowing data streams to tunnel over multiple circuits. + * Arti now implements the client side of ID-based families + (a.k.a. 
"Happy Families"). When deployed everywhere on the + network, this feature will allow us to remove around 80-90% + of the data from microdescriptors, and save some administrative + complexity. + + * For a full changelog see + /usr/share/doc/packages/arti/CHANGELOG.md + + +- Update to version 1.4.0: + * Arti 1.4.0 offers a new RPC interface, continues work on the + relay implementation, includes an overhaul of the in-tree + documentation. + + * Relay: Major refactoring of the circuit reactor, to use + select!, lifting it from async Rust's low-level "poll" to + "async fn" + * Relay: Improved CLI and add config loading + * Relay: Initial KIST support (Linux-only) in tor-proto + * Relay: Congestion control + + * RPC: Cookie authentication + * RPC: Implement request cancellation + * RPC: Other improvements + + * For a full changelog see + /usr/share/doc/packages/arti/CHANGELOG.md + +- Update to version 1.3.2: + * Arti 1.3.2 continues development on RPC, + and includes preparatory work for relay support and + service-side onion service denial-of-service resistance. + * The key-manager code can now store certificates as well as keys + * Initial implementation for RPC connect points, which will + provide a mechanism for applications to discover where Arti is + running, and connect to it securely. + This implementation is now working, but not yet fully + conformant to its specification. + + * For a full changelog see + /usr/share/doc/packages/arti/CHANGELOG.md + +------------------------------------------------------------------- Old: ---- _servicedata arti-1.3.1~0.obscpio arti.obsinfo New: ---- arti-1.4.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ arti.spec ++++++ --- /var/tmp/diff_new_pack.3ZObn2/_old 2025-06-05 20:36:34.470869930 +0200 +++ /var/tmp/diff_new_pack.3ZObn2/_new 2025-06-05 20:36:34.474870096 +0200 
@@ -1,7 +1,7 @@ # # spec file for package arti # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,13 +16,14 @@ # +%define git_hash 37c0c70ac5cacf49960b4ad91fddcd695708d6c2 Name: arti -Version: 1.3.1~0 +Version: 1.4.3 Release: 0 Summary: An implementation of Tor, in Rust. License: Apache-2.0 OR MIT URL: https://gitlab.torproject.org/tpo/core/arti -Source0: %{name}-%{version}.tar +Source0: https://gitlab.torproject.org/tpo/core/arti/-/archive/arti-v%{version}/%{name}-%{version}.tar.gz Source1: vendor.tar.zst BuildRequires: cargo-packaging BuildRequires: memory-constraints @@ -35,10 +36,10 @@ An implementation of Tor, in Rust %prep -%autosetup -p1 -a1 +%autosetup -p1 -a1 -n arti-arti-v%{version}-%{git_hash} %build -%limit_build -m 5000 +%limit_build -m 8000 %{cargo_build} %install ++++++ _constraints ++++++ --- /var/tmp/diff_new_pack.3ZObn2/_old 2025-06-05 20:36:34.506871426 +0200 +++ /var/tmp/diff_new_pack.3ZObn2/_new 2025-06-05 20:36:34.510871593 +0200 @@ -1,8 +1,8 @@ <constraints> <hardware> - <memory> - <size unit="G">20</size> - </memory> + <physicalmemory> + <size unit="G">16</size> + </physicalmemory> <disk> <size unit="G">35</size> </disk> ++++++ _service ++++++ --- /var/tmp/diff_new_pack.3ZObn2/_old 2025-06-05 20:36:34.530872424 +0200 +++ /var/tmp/diff_new_pack.3ZObn2/_new 2025-06-05 20:36:34.534872591 +0200 
@@ -1,35 +1,23 @@ <services> - <service name="obs_scm" mode="manual"> - <param name="url">https://gitlab.torproject.org/tpo/core/arti.git</param> - <param name="versionformat">@PARENT_TAG@~@TAG_OFFSET@</param> - <param name="scm">git</param> - <param name="revision">arti-v1.3.1</param> - <param name="match-tag">*</param> - <param name="versionrewrite-pattern">arti-v(\d+\.\d+\.\d+)</param> - <param name="versionrewrite-replacement">\1</param> - <param name="changesgenerate">enable</param> - </service> + <service name="download_files" mode="manual" /> - <service name="set_version" mode="manual" /> <service name="cargo_vendor" mode="manual"> - <param name="srcdir">arti</param> + <param name="srcdir">arti-*.tar.gz</param> <param name="compression">zst</param> <param name="update">true</param> <!-- - From https://gitlab.torproject.org/tpo/core/arti/-/blob/2db5ccf16d2f977c073ba3f142513b920fb7b6a1/maint/cargo_audit + From https://gitlab.torproject.org/tpo/core/arti/-/blob/arti-v1.4.2/maint/cargo_audit --> <!-- - This is a real but theoretical unaligned read. It might happen only on + This is a real but theoretical unaligned read. It might happen only on Windows and only with a custom global allocator, which we don't do in our - arti binary. The bad crate is depended on by env-logger and clap. + arti binary. The bad crate is depended on by env-logger. This is being discussed by those crates' contributors here: - https://github.com/clap-rs/clap/pull/4249 https://github.com/rust-cli/env_logger/pull/246 --> <param name="i-accept-the-risk">RUSTSEC-2021-0145</param> - <!-- As of 28 Nov 2023, all versions of the rsa crate have a variable timing attack that can leak private keys. 
@@ -38,22 +26,38 @@ we only use it to verify signatures. --> <param name="i-accept-the-risk">RUSTSEC-2023-0071</param> + <!-- + instant is unmaintained. + The current dependency path is: + arti -> signal-hook-async-std -> futures-lite -> fastrand -> instant - <!-- - This is not a vulnerability but an unmaintained warning for - `generational-arena`. It is only used by arti-rpcserver (which is - experimental). + The 'signal-hook-async-std' lib hasn't been updated in three years and depends on `futures-lite = "~1"`. + The latest 'futures-lite' 2.6.0 uses a version of 'fastrand' that does not depend on instant. + + We should consider trying to upstream patches for 'signal-hook-async-std', + or remove arti's dependence on it. + + https://gitlab.torproject.org/tpo/core/arti/-/issues/1867 --> - <param name="i-accept-the-risk">RUSTSEC-2024-0014</param> + <param name="i-accept-the-risk">RUSTSEC-2024-0384</param> + <!-- + paste is unmaintained. + + We depend on it directly in crates like tor-error, tor-persist, tor-config, + and also transitively, for example via + futures-rustls -> rustls -> aws-lc-rc -> paste + and slotmap-careful -> paste. + In the long run, we should consider replacing it with another crate + (concat-idents?). + --> + <param name="i-accept-the-risk">RUSTSEC-2024-0436</param> </service> <service name="cargo_audit" mode="manual"> <param name="srcdir">arti</param> </service> - - <service name="tar" mode="buildtime" /> </services> ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/arti/vendor.tar.zst /work/SRC/openSUSE:Factory/.arti.new.19631/vendor.tar.zst differ: char 7, line 1
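Review bot: The arti.changes hunk has a duplicated word in the 1.4.3 entry ("Arti 1.4.3 adds adds the framework for measuring metrics"); drop one "adds". The previous packaged source was arti-1.3.1~0, so this update is also what delivers the ring 0.17.13 upgrade for RUSTSEC-2025-0009 listed under 1.4.2. That fix sits in the middle of a feature list and would be easier to find as its own top-level item in the newest entry.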
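Review bot: In the arti.spec hunk that adds "%define git_hash 37c0c70ac5cacf49960b4ad91fddcd695708d6c2", the hash is maintained by hand and independently of "Version:", but "%autosetup -p1 -a1 -n arti-arti-v%{version}-%{git_hash}" depends on both, so a version bump that forgets the hash fails only at %prep. Add a comment above the define stating that it must be the commit the arti-v%{version} tag points to. Source0 is now a URL fetched by download_files, and nothing in the visible spec checks the downloaded tarball (no signature or checksum source alongside it). The unpack directory name is the only thing tying the build to a specific commit, so consider adding an explicit verification step.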
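Review bot: The _constraints hunk lowers the requirement from 20G under "<memory>" to 16G under "<physicalmemory>", while the spec raises "%limit_build -m" from 5000 to 8000, and the changes entry mentions only "Increment rustc memory to 8GB/worker". On a worker that just meets the constraint, this leaves room for roughly two parallel rustc jobs. Record in the changelog why the constraint element and size changed, so a later edit does not raise one value without the other.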
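Review bot: In the first _service hunk, the comment that sources the accepted advisories now points at ".../blob/arti-v1.4.2/maint/cargo_audit", but the package is at 1.4.3. Re-check the "i-accept-the-risk" list against the arti-v1.4.3 copy of that file and update the link so the ignore list and the shipped version agree. The new cargo_vendor value "<param name="srcdir">arti-*.tar.gz</param>" is a glob. If an older tarball is left in the checkout it can match more than one file, so either note that old tarballs must be removed first or name the versioned file.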
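Review bot: In the second _service hunk, the unchanged context still has cargo_audit configured with "<param name="srcdir">arti</param>". That directory was produced by the obs_scm service this change removes, and cargo_vendor was switched to "arti-*.tar.gz" in the same patch. As written, the audit service appears to point at a source directory that no longer exists, so point it at the same source as cargo_vendor. The two newly accepted advisories (RUSTSEC-2024-0384 and RUSTSEC-2024-0436) are both documented as unmaintained-crate notices with their dependency paths, which is good. The removal of RUSTSEC-2024-0014 has no explanation and could get a line in the changelog.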