File _service of Package arti
<services>
<service name="download_files" mode="manual" />
<service name="cargo_vendor" mode="manual">
<param name="srcdir">arti-*.tar.gz</param>
<param name="compression">zst</param>
<param name="update">true</param>
<!--
From https://gitlab.torproject.org/tpo/core/arti/-/blob/arti-v1.4.2/maint/cargo_audit
-->
<!--
This is a real but theoretical unaligned read. It might happen only on
Windows and only with a custom global allocator, which we don't do in our
arti binary. The bad crate is depended on by env-logger.
This is being discussed by those crates' contributors here:
https://github.com/rust-cli/env_logger/pull/246
-->
<param name="i-accept-the-risk">RUSTSEC-2021-0145</param>
<!--
As of 28 Nov 2023, all versions of the rsa crate have a variable
timing attack that can leak private keys.
We do not use (yet) do any private-key rsa operations in arti:
we only use it to verify signatures.
-->
<param name="i-accept-the-risk">RUSTSEC-2023-0071</param>
<!--
instant is unmaintained.
The current dependency path is:
arti -> signal-hook-async-std -> futures-lite -> fastrand -> instant
The 'signal-hook-async-std' lib hasn't been updated in three years and depends on `futures-lite = "~1"`.
The latest 'futures-lite' 2.6.0 uses a version of 'fastrand' that does not depend on instant.
We should consider trying to upstream patches for 'signal-hook-async-std',
or remove arti's dependence on it.
https://gitlab.torproject.org/tpo/core/arti/-/issues/1867
-->
<param name="i-accept-the-risk">RUSTSEC-2024-0384</param>
<!--
paste is unmaintained.
We depend on it directly in crates like tor-error, tor-persist, tor-config,
and also transitively, for example via
futures-rustls -> rustls -> aws-lc-rc -> paste
and slotmap-careful -> paste.
In the long run, we should consider replacing it with another crate
(concat-idents?).
-->
<param name="i-accept-the-risk">RUSTSEC-2024-0436</param>
</service>
<service name="cargo_audit" mode="manual">
<param name="srcdir">arti</param>
</service>
</services>
