head	1.23;
access;
symbols
	pkgsrc-2026Q2:1.23.0.2
	pkgsrc-2026Q2-base:1.23
	pkgsrc-2026Q1:1.20.0.2
	pkgsrc-2026Q1-base:1.20
	pkgsrc-2025Q4:1.17.0.2
	pkgsrc-2025Q4-base:1.17
	pkgsrc-2025Q3:1.14.0.2
	pkgsrc-2025Q3-base:1.14
	pkgsrc-2025Q2:1.12.0.2
	pkgsrc-2025Q2-base:1.12
	pkgsrc-2025Q1:1.11.0.2
	pkgsrc-2025Q1-base:1.11
	pkgsrc-2024Q4:1.8.0.2
	pkgsrc-2024Q4-base:1.8
	pkgsrc-2024Q3:1.7.0.4
	pkgsrc-2024Q3-base:1.7
	pkgsrc-2024Q2:1.7.0.2
	pkgsrc-2024Q2-base:1.7
	pkgsrc-2024Q1:1.6.0.4
	pkgsrc-2024Q1-base:1.6
	pkgsrc-2023Q4:1.6.0.2
	pkgsrc-2023Q4-base:1.6
	pkgsrc-2023Q3:1.5.0.4
	pkgsrc-2023Q3-base:1.5
	pkgsrc-2023Q2:1.5.0.2
	pkgsrc-2023Q2-base:1.5
	pkgsrc-2023Q1:1.4.0.2
	pkgsrc-2023Q1-base:1.4;
locks; strict;
comment	@# @;


1.23
date	2026.06.05.22.16.09;	author wiz;	state Exp;
branches;
next	1.22;
commitid	EvfuDFRgvV1GWEIG;

1.22
date	2026.05.08.07.43.53;	author wiz;	state Exp;
branches;
next	1.21;
commitid	wJiByTjnJKFe1ZEG;

1.21
date	2026.04.01.19.34.53;	author wiz;	state Exp;
branches;
next	1.20;
commitid	PyX2NyYb2jNS8iAG;

1.20
date	2026.03.05.15.08.28;	author wiz;	state Exp;
branches;
next	1.19;
commitid	btMEXoXd4Cf5xNwG;

1.19
date	2026.02.04.09.12.20;	author wiz;	state Exp;
branches;
next	1.18;
commitid	hFRC7kGWB2NQu2tG;

1.18
date	2026.01.14.12.34.21;	author wiz;	state Exp;
branches;
next	1.17;
commitid	qvdPMd0tbP85imqG;

1.17
date	2025.12.03.23.27.40;	author wiz;	state Exp;
branches;
next	1.16;
commitid	gxprJmP5hHkRf1lG;

1.16
date	2025.11.04.09.58.23;	author wiz;	state Exp;
branches;
next	1.15;
commitid	srr0zZ2xzCW3IdhG;

1.15
date	2025.10.07.14.07.41;	author wiz;	state Exp;
branches;
next	1.14;
commitid	Zc9diStyzj2pZDdG;

1.14
date	2025.08.29.21.38.24;	author wiz;	state Exp;
branches;
next	1.13;
commitid	Ke20WD6KlyjKJF8G;

1.13
date	2025.08.06.17.09.34;	author wiz;	state Exp;
branches;
next	1.12;
commitid	PJ8aD8evEWqmZG5G;

1.12
date	2025.05.13.14.43.12;	author wiz;	state Exp;
branches;
next	1.11;
commitid	YVHGBzyqTLWuUKUF;

1.11
date	2025.03.04.10.25.13;	author wiz;	state Exp;
branches;
next	1.10;
commitid	FMI1c45jG3jtJJLF;

1.10
date	2025.02.07.19.51.11;	author wiz;	state Exp;
branches;
next	1.9;
commitid	eAt8QNYDc1ywFzIF;

1.9
date	2025.01.09.10.07.49;	author wiz;	state Exp;
branches;
next	1.8;
commitid	vAqPd1B4e0ccnNEF;

1.8
date	2024.11.01.08.34.39;	author wiz;	state Exp;
branches;
next	1.7;
commitid	tUVlNUwNhery3VvF;

1.7
date	2024.06.07.23.52.41;	author nikita;	state Exp;
branches;
next	1.6;
commitid	JnRxgW7GxDjBS6dF;

1.6
date	2023.10.24.22.10.12;	author wiz;	state Exp;
branches;
next	1.5;
commitid	MTsrqKm6aGrQAVJE;

1.5
date	2023.04.28.16.58.42;	author nikita;	state Exp;
branches;
next	1.4;
commitid	bxwKynzl8tFdDTmE;

1.4
date	2023.03.09.18.19.40;	author nikita;	state Exp;
branches;
next	1.3;
commitid	C8UqBehzQQ0UGtgE;

1.3
date	2023.03.02.07.49.22;	author nikita;	state Exp;
branches;
next	1.2;
commitid	yTTBTRUwiElAqwfE;

1.2
date	2023.02.21.22.02.09;	author nikita;	state Exp;
branches;
next	1.1;
commitid	dcODhF95gbYkrreE;

1.1
date	2023.02.21.20.53.12;	author nikita;	state Exp;
branches;
next	;
commitid	EF47bks5YseU2reE;


desc
@@


1.23
log
@arti: update to 2.4.0.

# Arti 2.4.0 — 1 June 2026

Arti 2.4.0 continues our work on relay and directory authority development,
and brings us even closer to a working middle relay.

This release also includes a number of important
bug fixes in our onion service client implementation,
and a number of breaking changes in the `arti-client` APIs.
@
text
@# $NetBSD: Makefile,v 1.22 2026/05/08 07:43:53 wiz Exp $

DISTNAME=	arti-arti-v2.4.0
PKGNAME=	${DISTNAME:S/arti-v//}
CATEGORIES=	net
# TODO: modify gitlab fetch to allow hosted gitlab instances
MASTER_SITES=	https://gitlab.torproject.org/tpo/core/arti/-/archive/arti-v${PKGVERSION_NOREV}/

MAINTAINER=	pkgsrc-users@@NetBSD.org
HOMEPAGE=	https://gitlab.torproject.org/tpo/core/arti/
COMMENT=	Implementation of tor in Rust
LICENSE=	mit

.include "cargo-depends.mk"

USE_LANGUAGES=		c c++
RUST_REQ=		1.89.0

.include "../../mk/bsd.prefs.mk"
ARTI_USER?=		arti
ARTI_GROUP?=		arti
PKG_HOME.${ARTI_USER}=	${VARBASE}/chroot/arti
BUILD_DEFS+=		VARBASE
PKG_SYSCONFSUBDIR=	arti

PKG_GROUPS_VARS+=	ARTI_GROUP
PKG_USERS_VARS=		ARTI_USER

RCD_SCRIPTS=		arti
RCD_SCRIPT_SRC.arti=	${FILESDIR}/arti.in
PKG_GROUPS=		${ARTI_GROUP}
PKG_USERS=		${ARTI_USER}:${ARTI_GROUP}
USER_GROUP=		${ARTI_USER} ${ARTI_GROUP}

OWN_DIRS_PERMS+=	${PKG_HOME.${ARTI_USER}} ${USER_GROUP} 0700

EGDIR=			${PREFIX}/share/examples/${PKGBASE}
CONF_FILES+=		${EGDIR}/arti.toml ${PKG_SYSCONFDIR}/arti.toml
FILES_SUBST+=		PKG_HOME=${PKG_HOME.${ARTI_USER}}
FILES_SUBST+=		ARTI_USER=${ARTI_USER}
FILES_SUBST+=		ARTI_GROUP=${ARTI_GROUP}
MAKE_DIRS+=		${VARBASE}/chroot/arti
AUTO_MKDIRS=		yes

SUBST_CLASSES+=		var
SUBST_FILES.var+=	crates/arti/src/arti-example-config.toml
SUBST_SED.var+=		-e 's,$${ARTI_CACHE}'",${VARBASE}/chroot/arti/,"
SUBST_SED.var+=		-e 's,$${ARTI_LOCAL_DATA}'",${VARBASE}/chroot/arti/,"
SUBST_STAGE.var=	post-patch
SUBST_MESSAGE.var=	Adapt some paths for pkgsrc.

MAKE_ENV+=		OPENSSL_DIR=${BUILDLINK_PREFIX.openssl}

INSTALLATION_DIRS=	${EGDIR}

.if ${INIT_SYSTEM} == "rc.d"
DEPENDS+=		daemonize-[0-9]*:../../sysutils/daemonize
.endif

do-install:
	${INSTALL_PROGRAM} ${WRKSRC}/target/release/arti ${DESTDIR}${PREFIX}/bin
	${INSTALL_DATA} ${WRKSRC}/crates/arti/src/arti-example-config.toml ${DESTDIR}${EGDIR}/arti.toml

.include "../../lang/rust/cargo.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
@


1.22
log
@arti: update to 2.3.0.

# Arti 2.3.0 — 6 April 2026

Arti 2.3.0 continues development on relay, directory authority, and RPC functionality.
It also adds a couple new logging-related features, including the ability to log to syslog.
We have also made improvements in memory usage, by moving the GeoIP database out of the
heap and optimizing the format it's stored in.

Users of the `arti-client` crate should note that in the release following this one,
`TorClient` will be explicitly wrapped in an `Arc`, rather than implicitly having
Arc-like semantics. Be prepared for this breaking change next release, and feel free
to comment in [#2469] if you have any thoughts on this change.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.21 2026/04/01 19:34:53 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v2.3.0
@


1.21
log
@arti: update to 2.2.0.

Arti 2.2.0 continues our work on relay development,
and brings us even closer to a working middle relay.

This release also adds some useful client-side features,
and includes various bugfixes and cleanups.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.20 2026/03/05 15:08:28 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v2.2.0
@


1.20
log
@arti: update to 2.1.0.

# Arti 2.1.0 — 2 March 2026

Arti 2.1.0 continues work on relay development,
and introduces a new RPC backend with non-blocking IO
in the `arti-rpc-client-core` library.

As usual, there are also various under-the-hood improvements and bug fixes.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.19 2026/02/04 09:12:20 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v2.1.0
@


1.19
log
@arti: update to 2.0.0.

# Arti 2.0.0 — 2 February 2026

Arti 2.0.0 deprecates library functionality in the `arti` crate
(which should only be used as a binary),
deprecates some legacy features and configuration formats,
and adds support for using the `inet-auto` socket type
to automatically pick an unused TCP port for the RPC server.
As usual, there is also a significant amount of behind-the-scenes work on
relay and directory authority functionality.

While "2.0" may sound like an exciting release number, it's actually fairly mundane.
[Semver](https://semver.org) requires us to bump our major version number when making breaking changes,
and we had a couple breaking changes we wanted to make in order to keep our APIs tidy.
The only people who should notice significant changes in this release are developers
who are building applications using the `arti` crate directly,
rather than the recommended `arti-client` crate or other lower-level crates.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.18 2026/01/14 12:34:21 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v2.0.0
d17 1
a17 1
RUST_REQ=		1.86.0
@


1.18
log
@arti: update to 1.9.0.

# Arti 1.9.0 — 13 January 2026

Arti 1.9.0 continues some behind-the-scenes work on relay and
directory authority development, and adds improved support for
running with dynamically assigned ports.  For example Arti now
accepts `proxy.socks_listen = "auto"` to configure its SOCKS proxy
with an operating-system-assigned port, and writes the assigned
port to a structured JSON file in Arti's data directory.

As usual, there are also various under-the-hood improvements and
bug fixes.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.17 2025/12/03 23:27:40 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.9.0
@


1.17
log
@arti: update to 1.8.0.

# Arti 1.8.0 — 1 December 2025

Arti 1.8.0 continues work on relay and directory authority development.
This release introduces a new, usage-based timeout for strongly isolated circuits,
experimental [`tokio-console`] support, a new `arti hsc ctor-migrate` command,
and a configuration option for controlling which onion services to launch.

As usual, there are also various under-the-hood improvements and bug fixes.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.16 2025/11/04 09:58:23 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.8.0
@


1.16
log
@arti: update to 1.7.0.

Arti 1.7.0 continues high-level and low-level work on relay development.

It also includes new experimental support for running as a `HTTP CONNECT`
proxy, and numerous smaller fixes and infrastructure improvements.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.15 2025/10/07 14:07:41 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.7.0
@


1.15
log
@arti: update to 1.6.0.

Arti 1.6.0 brings experimental support for circuit padding,
mitigations for DropMark side channel attacks, improvements to
congestion control, a new `arti keys check-integrity` command, and
experimental support for exporting debugging information via
OpenTelemetry.

It also includes behind-the-scenes work towards enabling Arti to
act as a directory authority, a directory mirror, and a relay.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.14 2025/08/29 21:38:24 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.6.0
d17 1
a17 1
RUST_REQ=		1.85.0
@


1.14
log
@arti: update to 1.5.0.

# Arti 1.5.0 — 28 August 2025

Arti 1.5.0 continues development on important client features,
including Counter Galois Onion encryption, Conflux, flow control
and congestion control, and onion service proof of work.  It also
includes significant preliminary work for Arti relay support.

Additionally, this release mitigates a longstanding bug that could
prevent Arti clients from bootstrapping.

Arti 1.5.0 increases our MSRV (Minimum Supported Rust Version)
to 1.85, in accordance with our MSRV policy.

As usual, there are also various under-the-hood improvements and
bug fixes.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.13 2025/08/06 17:09:34 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.5.0
@


1.13
log
@arti: update to 1.4.6.

# Arti 1.4.6 — 4 August 2025

Arti 1.4.6 continues development on xon-based ([Proposal 324]) flow
control, [Conflux], and improved cryptography (CGO,. ([Proposal 359])

Arti 1.4.6 also contains two improvements to help resist two different
kinds of denial-of-service attack, relating to Hidden Services, and
some other bugfixes.  Especially, users who operate `.onion` services
are advised to upgrade.

# Arti 1.4.5 — 7 July 2025

Arti 1.4.5 continues development on xon-based ([proposal 324]) flow control and
[Conflux]. In addition, we have drafted an initial design for the directory
cache storage model, which will be needed for the core relay functionality, and
for the directory authority implementation.

# Arti 1.4.4 — 5 June 2025

Arti 1.4.4 continues our development efforts to support multi-legged tunnels in
Arti via our Conflux feature. In addition to Conflux, we continue preparing
support for our [Counter Galois Onion proposal][cgo] feature.

# Arti 1.4.3 — 1 May 2025

Arti 1.4.3 adds adds the framework for measuring metrics
(which will be used to allow service and relay operators to use Prometheus
or similar tools to monitor the health of their services),
initial groundwork for the [Counter Galois Onion proposal][cgo],
and some of the groundwork for congestion control, in the form of handshake negotiation code.

We are also publishing the new `arti-ureq` crate,
which allows Arti to be used with the Rust `ureq` library for making HTTP request via Tor.

# Arti 1.4.2 — 31 March 2025

Arti 1.4.2 marks a significant milestone: Arti's RPC subsystem is now stable
and ready for use!

This release continues development on [Conflux],
and also fixes a number of bugs and security issues.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.12 2025/05/13 14:43:12 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.4.6
d17 1
@


1.12
log
@arti: fix typos

Reported by Robert Bagdan on tech-pkg.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.11 2025/03/04 10:25:13 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.4.1
@


1.11
log
@arti: update to 1.4.1.

# Arti 1.4.1 — 3 March 2025

Arti 1.4.1 contains
significant behind-the-scenes groundwork for [Conflux],
a feature that improves performance and reliability
by allowing data streams to tunnel over multiple circuits.

It also adds client-side support for an
[improved representation of family membership][prop321].

### Major features

- Arti now implements the client side of ID-based families
  (a.k.a. ["Happy Families"][prop321]).
  When deployed everywhere on the network,
  this feature will allow us
  to remove around 80-90% of the data from microdescriptors,
  and save some administrative complexity.
  ([#1848], [!2792])

### Breaking changes in lower-level crates

- Removed the deprecated experimental `DataStream::circuit` API. ([!2794])
- Removed the `ClientCirc::channel` API. ([!2783])
- Functions in `tor-netdir` and `tor-relay-selection` related to families
  now take a new `FamilyRules` argument,
  to represent relevant network parameters. ([!2792])

### Conflux development

- Major simplification and refactoring in the `tor-proto` crate,
  to lay the groundwork for [Conflux] in Arti.
  ([#1839], [!2772], [!2774], [!2783], [!2786], [!2796], [!2800], [!2804])
- Implemented message types that will be used for Conflux.
  ([#1852], [!2789])
- Added types for identifying hops within a Conflux tunnel.
  ([!2799], [!2803])

### Onion service development

- Refactored `ReplayLog` code so it can be used to detect replays
  in both INTRODUCE messages and proof-of-work solutions. ([!2688])

### Testing

- Added thread-management support to our testing mock runtime.
  ([#1835], [!2793])

### Documentation

- Fixes and cleanups to examples on website. ([!2775])
- Fixed a typo. ([!2795])
- Documentation for experimental features in the `tor-keymgr` README.
  ([!2806])

### Network updates

- Updated to the latest list of Tor fallback directories. ([!2787])

### Cleanups, minor features, and bugfixes

- Upgraded to the latest versions of [`hickory-proto`],
  [`derive-deftly`], and several other crates.
  ([#1847], [!2784], [!2788], [!2809])
- Fixed new clippy warnings that appeared in Rust 1.85.
  ([!2801])
- Do not emit ANSI color to our stdout log
  when that log is not being sent to a terminal. ([#1763], [!2802])
- The `DataStream` type now implements `Sync`. ([#1859], [!2808])
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.10 2025/02/07 19:51:11 wiz Exp $
d25 2
a26 2
PKG_GROUP_VARS+=	ARTI_GROUP
PKG_USER_VARS=		ARTI_USER
@


1.10
log
@arti: update to 1.4.0.

This release offers a new RPC interface, which is Arti's replacement
for C Tor's control port with many improvements.

There has also been a lot of preparatory work for relay support,
bugfixes, and work towards service-side onion service denial-of-service
resistance.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.9 2025/01/09 10:07:49 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.4.0
@


1.9
log
@arti: update to 1.3.2.

# Arti 1.3.2 — 7 January 2025

Arti 1.3.2 continues development on RPC,
and includes preparatory work for relay support and
service-side onion service denial-of-service resistance.

# Arti 1.3.1 - 2 December 2024

Arti 1.3.1 continues development on onion services,
the RPC subsystem, and relay infrastructure.

Additionally, this release fixes a major bug in Arti's channel management code,
where in some circumstances, canceled pending channel entries
were not being cleaned up properly, preventing Arti from building new channels
to their target relays.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.8 2024/11/01 08:34:39 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.3.2
@


1.8
log
@arti: update to 1.3.0.

# Arti 1.3.0 - 31 October 2024

Arti 1.3.0 is a significant milestone: we have achieved parity on most
major client features with C Tor.  The last big security feature needed for
Onion Services (resistance to out-of-memory DoS) landed in this release.
And, in Arti client 1.3.0, connecting to `.onion` domains is enabled by
default.

Much other major work is taking place, too!  We have continued our work on
Arti Relay.  The work-in-progress RPC system is significantly more clearly
defined and implementation is proceeding.

### Breaking changes

 * **Reject (managed) pluggable transport on non-localhost address:** If a
   pluggable transport we spawn tells us it is listening on a non-localhost
   address, reject that transport, since this is almost certainly a
   security risk.  (The goal is to detect buggy PTs.  We aren't aware of
   any such PTs.)  ([!2454], [#1636])

 * **API:** Several methods (mostly in `tor-chanmgr` and `tor-proto`)
   take new memory quota tracking arguments.  If memory tracking is not
   required, you can create a no-op memory quota account with
   `SpecificAccount::new_noop()` or `Account::new_noop().

 * **API:** New API for `tor-socksproto`, which is more robust and avoids
   many kinds of misuse, including bugs like TROVE-2024-010.  The old
   `.handshake` method still available, but deprecated, and now part of the
   new `Handshake` trait.  ([#1590], [#1627], [#1592], [!2436])

 * **API:** Many places where a `SleepProvider` bound was used now also
   require `CoarseTimeProvider`.  In-tree `SleepProvider`s all implement
   `CoarseTimeProvider`, so for most callers this can be fixed by
   propagating the bounds.  ([!2482])

 * **cargo features:** Some cargo features of lower-layer crates are no
   longer enabled by implication by higher-layer crates.  External callers
   may need to add feature requesgts to `Cargo.toml`s.  ([!2498])

### Major new features

 * **Support memory quota tracking.**  (Feature compiled in by default.)
   Specifically: Arti can now try to limit the amount of memory it uses for
   data that might be originated by untrusted parties.  This is currently
   useful as DoS resistance measure for Hidden Services (`.onion`
   services).  To actually enable this, a specific limit must be imposed in
   the `[system]` section of of the Arti configuration.  ([!2459], [!2461],
   [!2484], [!2493], [!2508], [!2509], [!2518], [!2531], [!2536], [!2537], [!2545],
   [!2555], [!2560], [!2569], [#1682], [#351])
 * **Enabled connecting to `.onion` addresses (Hidden Services) by
   default,** by making `allow_onion_addrs` default to `true` in the
   configuration.  (This is appropriate now that we have Vanguard support.)
   [#1402], [!2506])

### Bugfixes

 * Fixed the build of `arti-client` with just the features `experimental-api`
   and `onion-service-client` enabled.  ([!2457], [#1638])
 * Fixed the build on FreeBSD.  ([!2533], [#1686])
 * Fixed the build on NetBSD.  ([!2540], [rust-pwd-grp#4], [rust-pwd-grp!25])
 * Fixed config file watching (file notifier) on non-Windows platforms
   without inotify.  ([!2547], [#1644], [notify-rs#644])
 * Fixed a bug that rendered Arti unable to connect to the Tor network
   when built with certain library combinations.
   This could occur
   when an out-of-tree user of the Arti libraries ends up enabling
   `time-rs`'s `large-dates` cargo feature, by replacing `simple_asn1`
   dependency with `der-parser` in `tor-llcrypto`.  ([!2462], [#1632],
   [simple_asn1#34], [simple_asn1!35], [time-rs#683])
 * Fixed the logging of backtraces, when an internal error occurs.
   (Bug first appeared in Arti 1.2.7.)  [!2588], [#1713])
 * Removed a false claim that we don't support pluggable transports.  ([!2507])
 * Documented the `vanguards` cargo feature flag.  ([!2507])

### Other user-facing improvements

 * Warn if we're configured to listen for SOCKS or DNS queries on a
   non-localhost address, or if we're configured to use an
   externally-managed pluggable transport with a non-localhost address,
   These are very questionable configurations, but there may be unusual
   situations where this is a sensible setup.  ([!2454], [#1636])
 * Use new "restricted discovery" terminology throughout (for Hidden
   Services, aka `.onion` services), replacing previous (misleading)
   "client authorization".  ([!2495], [#1476])
 * Experimental ability to read private keys from C Tor's on-disk keystore.
   ([!2481], [!2514])
 * Experimental proof-of-work client-side support for Hidden Services
   (`.onion` services).  ([!2486], [!2026])

### New library and API features

 * Added `general::SocketAddr` type for unifying IP and AF\_UNIX (and
   potentially other) sockets.  ([!2519], [#1681], [!2553], [!2554], [#1701],
   [!2592])
 * Added type-erased `DynTimeProvider` in `tor-rtcompat`.  ([!2460], [!2500])
 * Added `SinkTrySend` and `SinkCloseChannel` traits, making the
   functionality of `mpsc::Sender::try_send` and `::close` available as a
   trait method and implementable for other types.  ([!2468], [!2485], [!2490])
 * Added `SometimesUnboundedSink::as_inner` method.  ([!2483])
 * Guarantee that `Slug`s will never contain colons (`:`), and explain why.
   ([!2576])
 * Moved `tor-config`'s `path` module to a new crate `tor-config-path`.
   ([!2590])
 * Added `default-runtime` feature in `arti`, to simplify building without
   default features.  ([!2551])

### Relay development

 * Support multiple channels for a single relay ID.  ([!2442], [#1633])
 * Improved channel selection code.  ([!2477], [#1602], [!2544])
 * Much other cleanup and refactoring in `tor-chanmgr`.  ([!2523], [!2538],
   [#1654], [!2566])
 * Made `arti-relay` be a binary crate only, for now at least, and abolish
   the `relay` subcommand of the main `arti` CLI.  ([!2525], [#1674], [!2542])

### RPC system development

 * Reorganised RPC documentation; soon it will be a mdbook.  ([!2581])
 * Improved documentation for writing RPC callers, including a new Python
   tool to build RPC method and type documentation.  ([!2479], [!2489]
   [!2574])
 * Finalised specifications for how RPC clients should find the Arti RPC
   server, how the server should decide where to listen, and how
   authentication will be done.  ([!2439], [!2440], [!2439], [#1521], [!2563],
   [#1702], [!2582], [#1711])
 * Finalised specifications for version compatibility (interworking of
   newer/older Arti with newer/older RPC clients).  ([!2475], [#1634], [!2510],
   [#1665], [!2511], [#1662], [!2512])
 * Improvements to error handling, especially in the client library.
   ([!2556])
 * Improved and clarified objectid/isolation rules in SOCKS interaction.
   ([!2474], [torspec!292], [proposal 351], [socks-extensions.md])
 * Clarified (and weakened) guarantees provided on request cancellation.
   ([!2564], [#818])
 * Changed `release` method to be a method on the object itself.  ([!2573],
   [#1663])
 * Other specification fixes/improvements.  ([#1678], [!2539])
 * Fixed the shared library extension on OSX and Windows.  ([!2469])
 * Removed the `Echo` testing/demo method.  ([!2549], [#1525])
 * Started a Python client API, and adopted it for some integration
   tests.  ([!2515], [#1295], [!2567])
 * Reduced the dependencies of the client library.  ([!2522], [!2524])
 * Internal cleanups.  ([!2456], [#1587], [!2558])

### Documentation

 * Clarified `launch_onion_service_with_hsid()`.  ([!2494], [#1626])
 * Use new "circuit stem" terminology.  ([#1479], [!2410])
 * Added missing docs for `keypair_specifier`.  ([!2532])

### Testing

 * Much better testing for the CircMgr.  ([!2444], [!2513])
 * Fixed the flaky `circuit::test::accept_valid_sendme` CI test.  ([!2501])
 * Added more miri tests.  ([!2502])
 * Avoid writing `_ => panic!()` even in tests.  ([!2534])
 * Allow more precise testing of conditional compilation which affects the
   configuration reader.  ([!2561])
 * Updated to the latest version of Shadow.  ([!2585], [shadow!3428], [!2587])
 * Include more output from Shadow in CI artifacts.  ([!2586])
 * Pin the version of Chutney used in Shadow tests to make arti.git CI more
   hermetic.  ([!2596])

### Cleanups and housekeeping

 * Updated the list of fallback directories. Clients use these to fetch
   directory information when they have no cached directory or guard
   nodes.  ([!2589])
 * Updated some previous entries in `CHANGELOG.md` to more fully document
   changes in `tor-circmgr` 0.23.0.
 * Now we run a typechecker, linter, and autoformatter, on all our Python
   scripts (and fix the issues identified).  ([!2476], [!2578], [!2579],
   [#1689], [!2584])
 * Minor cleanups and reformatting in `tor-key-forge`.  ([!2552])
 * Commented out (temporarily) ill-shaped `RelaySigningKeySpecifier`.  ([!2527])
 * Reduced the number of "unused" warnings arising from conditional
   compilation (eg, cargo features).  ([!2431], [!2463], [#1645], [!2551])
 * In `Cargo.toml`, avoid updating to a `typed-index-collections` which
   would break our MSRV by requiring Rust 1.81.  ([!2471], [#1647])
 * Tidied up the sealing of a pair of traits.  ([!2472])
 * Use `{u64,usize}::div_ceil` where applicable.  ([!2473])
 * Now we avoid some warnings about certain elided lifetimes.  ([!2478], [!2575])
 * Fixed docs-rs cargo feature decorations on certain items.  ([!2487])
 * Forbid hard tabs (in most files) in tree.  ([!2488])
 * Fixed `no_default_features = true` typo in many `Cargo.toml`.  ([!2498])
 * Bumped dependency requirements for `futures-*` `notify`.  ([!2499])
 * Fixed indentation in a doc comment to address a new clippy lint.  ([!2516],
   [!2520])
 * Changed to depend on `slotmap-careful` instead of `slotmap`.  ([!2530],
   [#1531])
 * Abolished unneeded use of `python-is-python3` package in CI.  ([!2535])
 * Reinstated the `tor-proto` circuit hop check in `test_create()`.  ([!2546])
 * Updated download size numbers (for Project 101 Q3-2024).  ([!2571])
 * Simplified `tor-config` path handling by using `path` feature of
   `shellexpand`.  ([!2583])
 * Work around a bug in `cargo license` by permitting a weird licence
   string.  ([!2591], [cargo-license#78])
 * Removed an obsolete TODO.  ([!2562])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Morgan, and Neel Chauhan.
Also, our welcome to Clara Engler as they join the team!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.8 — 1 October 2024

Arti 1.2.8 continues development on onion services,
the RPC subsystem, key management, and relay infrastructure.
It also includes fixes for two security issues in
handling the SOCKS protocol, the most severe of which is rated at
"medium" according to our [security policy].

Arti 1.2.8 also increases our MSRV (Minimum Supported Rust Version)
to 1.77, in accordance with our [MSRV policy].

### Breaking changes

- Arti now requires Rust 1.77 or later. ([!2421], [!2451])
- The `arti hsc` subcommand is now gated behind the experimental `hsc`
  feature until it is ready for general use. ([ab41a9d330ed1db])

### Security fixes

- Temporarily reject attempts to send optimistic data before
  the SOCKS handshake is complete.
  Previously, we would discard data in this case,
  which has the potential to cause mis-framing bugs that could enable
  cross-protocol attacks under some circumstances.
  This is tracked as TROVE-2024-010.
  We intend to add full support for optimistic data soon;
  this is a temporary workaround.
  ([#1627], [!2443])
- Prevent an infinite loop that could occur in our SOCKS code
  if a local connection was closed at the wrong time.
  This is tracked as TROVE-2024-011.
  ([#1635], [!2447])

### Breaking changes in lower-level crates

- The `tor-bytes` crate now reports `Incomplete` rather than `Truncated`
  for most reader types. ([#1614], [!2407])
- Removed some deprecated code in `tor-hsservice`. ([7a838da0ff2359f9])
- The "ephemeral keystore" feature in `tor-keymgr` is now marked as
  experimental, and available behind an `ephemeral-keystore` feature.
  ([!2426])
- The `tor-rtcompat` crate now supports AF_UNIX sockets,
  and provides a more generic API
  for opening and listening for network streams.
  To this end, several of its APIs have been renamed or refactored,
  and the `Runtime` trait now depends on more supertraits.
  ([#1152], [!2437])
- In `tor-rtcompat`, `TcpListener::accept()` no longer exists.
  Use `NetStreamListener::incoming()` instead.
  ([168f55df05f4b56f])
- In `arti-client`, the type for `StorageConfig::keystore` has changed.
  ([5e4e7b69b8cd2791])
- In `tor-circmgr`, the `CircMgr` `reload_persistent_state`,
  `store_persistent_state`, and `upgrade_to_owned_persistent_state` functions
  have been removed. ([!2420])
- In `tor-circmgr`, the function `CircMgr::new` now returns a `CircMgr` rather
  than an `Arc<CircMgr>`. ([!2420])
- In `tor-circmgr`, the deprecated `CircMgr::update_network_parameters`
  function has been removed. ([!2420])
- In `tor-hsservice`, numerous types related to initialization and status
  have been renamed or refactored.
  ([!2397], [!2413])
- In `tor-keymgr`, several types have been renamed.
  ([5e4e7b69b8cd279], [80095da1aa47978])
- In `tor-netdir`, several test-network construction callbacks
  now take an extra parameter.
  ([b2b75302ab095bc])

### Onion service development

- Remove the number of cases in which an onion service needs to know
  its secret identity key `KS_hs_id`.
  This will help with implementing offline key support.
  ([#1194], [!2393])
- Add support for adding externally generated keys;
  this will also help with offline key support.
  ([#1613], [!2396])
- Report onion service status correctly based on upload results.
  This includes major refactoring to onion service status reporting,
  and significant tests.
  ([#1572], [!2397])
- Remove setting for non-anonymous ("single onion") services.
  We don't actually support them yet.
  ([!2413])
- Defer generating service identity keys (`K_hs_id`)
  until the service is actually launched.
  This allows tools like `onion-name` to check whether these keys are present.
  ([!2417])
- The `arti hss onion-name` subcommand now has support for generating
  identity keys on demand. ([#1621], [!2419])
- Experimental support for launching onion service with user-provided
  identity keys. ([#1612], [!2402])
- Allow arti to run with onion services only, and SOCKS/DNS ports  disabled.
  ([#1569], [!2423])
- Move onion service client key management functionality
  into a new `arti hsc key` sub-command,
  which supports key inspection, rotation, and deletion.
  The old `arti hsc get-key` subcommand is now deprecated.
  ([#1475], [!2432], [!2435])
- Support making an `InertTorClient` with an emphemeral key manager.
  ([#1610], [!2394])
- The "default" keystore has been renamed to "primary".
  ([!2438])

### Relay development

- Give `TorRelay` an instance of `ChanMgr` to keep track of open channels.
  ([!2361])
- Continued development on memory-quota support,
  to prevent memory-based denial-of-service attacks
  against relays and onion services. ([!2374], [!2404])
- New `tor-key-forge` crate
  for defining specific key and keypair wrappers,
  for use with relay keys.
  ([#1137], [#1619], [!2356], [!2430], [!2433])
- Define a set of high-level error wrappers for use by the `TorRelay` code.
  ([!2392])
- The channel manager now has (partial) support for receiving and handling
  incoming channels. ([!2389])
- Initial key generation and management support for relays.
  ([#1604], [!2411])
- Move Arti's (in-progress) `relay` subcommand to its own module. ([!2455)

### RPC development

- Add support throughout the RPC stack
  for opening data streams and registering them with the RPC system,
  using the protocol developed in [proposal 351].
  ([#1524], [!2373], [!2401], [!2406], [!2409], [!2434], [!2452])
- Update RPC specification draft to match current reality and plans.
  ([!2386], [!2453])
- Refactor the way that the RPC service handles errors,
  to ensure that framing errors are never silently tolerated,
  and other errors are handled uniformly.
  ([#1591], [!2400])
- Expose a list of object delegation types,
  to make it possible to generate full documentation
  of which objects support which methods.
  ([#1624], [!2418])
- Add a (work-in-progress! unstable! experimental!) Python wrapper
  for our similarly unstable RPC client library.
  ([!2446])

### Testing

- Partially fix test nondeterminism in the `reload_cfg::watch_single_file` test.
  ([#1549], [!2375], [!2391])
- Improve performance for the `reload_cfg::watch_multiple` test.
  ([#1589], [!2387])
- [Chutney] network integration tests are now
  run inside the [Shadow] discrete event simulator.
  ([!2427])

### Documentation

- Typo fixes in our documentation. ([!2403])
- Improved documentation for onion service descriptor publication.
  ([#1216], [b87b9f44ae05d4f0])
- Clean up documentation for `InertTorClient`. ([!2414])
- Clarify behavior of `ArtiEphemeralKeystore`. ([!2424])
- New example: running an axum router as an onion service.
  ([!2445])
- Add an example for an onion service's `reject` option to our
  sample configuration ([!2458])

### Infrastructure

- Clean-ups to CI jobs that generate debian packages.
  ([!2368])
- Adjust exceptions for `downgrade-dependencies` script.
  ([!2398], [!2451], [cf7f25851ac0319f])

### Cleanups, minor features, and bugfixes

- Move Arti's `proxy` subcommand to its own module. ([!2416])
- Clean up needless abstraction, and add smarter abstraction,
  to make `tor-circmgr` easier to test.
  ([!2412], [!2420])
- When encountering truncated data, the `tor-bytes` crates now
  gives a lower-bound estimate for how much more data would be needed
  in order produce a successful parse. ([!2390])
- The `tor-bytes` crate now tracks whether its inputs are possibly
  incomplete, and only reports "Truncated" data as a recoverable error
  on a possibly incomplete data.
  This helps to prevent a category of bug
  (which it appears our code doesn't actually have)
  where we might erroneously
  keep reading more data without limit.
  ([#1614], [!2407])
- Fix a bug in our SOCKS handling
  that would cause us to exceed the bounds of a buffer,
  causing the SOCKS task to exit with a panic.
  ([dceeb82f7d115489])
- Upgrade to the latest versions of `float-cmp` and `derive-more`.
  ([!2450])
- Keystore configuration options have been significantly revised;
  there is now a `keystore.primary.kind` option
  to configure the primary keystore.
  ([!2441])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Adam Joseph, Alexander Hansen Færøy, Anonym, Morgan,
Pier Angelo Vendrame, Steven Engler, tidely, and Wesley Aptekar-Cassels.
Also, our welcome to Wesley Aptekar-Cassels as they join the team!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.7 — 3 September 2024

Arti 1.2.7 continues development on onion service client authorization,
the RPC subsystem, and relay infrastructure.

### Breaking changes in lower-level crates
- In [`tor-hsservice`],
  `OnionServiceProxyConfigBuilder` no longer derives `Eq` and `PartialEq`,
  and `DescEncryptionConfig`, `DescEncryptionConfig`,
  `AuthorizedClientConfig,` and `AuthorizedClientParseError` are removed.
  ([!2266])
- In [`tor-ptmgr`], `PtClientMethod` is now exported from the top-level.
  ([5774dd456265ef4cb8771342538a07ba76e5a5d9])

### RPC development
- Expose the OS errno of the FFI error types that have one. ([!2311])
- Fix typos in an FFI comment. ([!2310])
- Always re-encode requests and responses, and preserve unrecognized struct fields.
  ([#1491], [!2312])
- Expose the object ID for the session object. ([!2318])
- Use `JsonValue` to re-encode responses and requests.
  ([#1512], [#1511], [!2315])
- Add support for request handles in our FFI code. ([!2317])
- Add an unstable RPC method to list every RPC method. ([!2332])
- Build [`arti-rpc-client-core`] as a C dynamic library. ([!2331])
- Use more sophisticated handling for `ConnectionError`s in `arti-rpcserver`.
  ([#1517], [!2335])
- New `slotmap-careful` crate to use when we mustn't re-use keys. ([!2298])
- Rename various identifiers in our FFI code. ([!2344])
- Use the new `slotmap-careful` instead of `generational-arena` in
  `arti-rpcserver`. ([#1282], [!2343])
- Implement RPC method delegation support. ([#1523], [!2342])
- Allow simultaneous calls to `arti_rpc_handle_wait()`.
  ([#1532], [!2360])
- Add experimental method to list SOCKS proxy addresses. ([#1523], [!2359])

### Relay development
- Add initial support for relay configuration. ([#1534], [!2352])

### Internal cleanup and refactoring
- Major refactoring to the `tor-proto` circuit reactor code,
  which simplifies the implementation and will enable us to support
  opportunistic packing for [proposal 340].
  Introduce `StreamPollSet` for polling streams in priority order.
  ([!2285], [#1513], [!2319], [!2334])
- Refactoring in our key management code to prevent accidental misuse
  of relative key paths. ([#1494], [!2291])
- Refactor `KeyedFuturesUnordered` so that the underlying futures
  are accessible. ([!2321])
- Allow access to the inner streams of `StreamPollSet`,
  refactor `StreamMap` ([#1421], [!2326], [!2333]).
- Make `GuardMgr` mandatory throughout our circuit management code.
  ([#1465], [!2339], [!2347])
- Encapsulate flow-control into a separate object,
  abstracting away the difference between window-based (legacy) flow control and
  xon-based ([proposal 324]) flow control. ([!2340], [!2358])
- Introduce a `PeekableStream` trait to get rid of redundant buffering.
  ([!2345])

### Onion service development
- Implement hidden service restricted discovery mode (previously known as
  "client authorization"). ([#1292], [!2266], [!2336], [!2316])
- Add support for live-reloading the restricted discovery configuration.
  ([#1505], [!2329], [!2353], [!2369])
- Provide an MPSC queue with memory quota tracking. ([#351], [!2292])
- Make arrangements in `tor-memquota` for memory tracking to be optional,
  and gate `MemoryQuotaTracker::new` behind the `memquota` feature.
  ([!2351])

### Minor features
- Stop requiring the TRANSPORT key in pluggable transport STATUS messages.
  ([#1488], [!2307])
- In [`fs-mistrust`], add a `CheckedDir::metadata()` function
  for retrieving file metadata.
  ([72c3a1a661284844806b34e9ca5e81a43b8d0913], [!2324])
- In [`tor-ptmgr`], make managed pluggable transports optional.
  ([#1334], [!2354])
- Add an `InertTorClient` for accessing client state. ([#1496], [!2370],
  [!2314])
- Move `tor_async_utils::oneshot` into a new [`oneshot-fused-workaround`] crate.
  ([!2371], [!2383])

### Testing
- Make the `hsc` subcommand documentation serve as a test case. ([!2304])
- In the expected output of the CLI tests,
  match any number of lines in the `-c` help.
  ([#1509], [!2313])
- Fix broken reference to `apt-install` script in the Shadow integration tests.
  ([!2309])
- Add a Shadow integration test for restricted discovery mode. ([#1292],
  [!2272])
- Don't explicitly set `storage.keystore.enabled` in the Shadow CI tests.
  ([222b0eae48ae88d1a64cf5f0c11e662bf61dda4d])
- Test `cbindgen` correctness in CI. ([#1502], [!2320], [!2322], [!2330])
- Add `LogState` tests in `tor-log-ratelim`. ([!2349])
- Fix `arti_socket_closed` RPC test, which was previously flakey on OSX.
  ([#1510], [!2348])
- Add an arti obfs4 managed pluggable transport client and a tor obfs4
  server to the Shadow CI tests ([#1538], [!2355]).
- Temporarily disable a flaky configuration watcher test. ([!2364])
- Add circuit reactor test for stream handling fairness. ([!2365])
- Rewrite the `hsc` tests using `InertTorClient`.
  ([#1496], [1d3e59f2e9572a9710de2c2a9c925c5c38a6874c])
- Set the `COLUMNS` env var in the CLI tests.
  ([#1574], [f1779cfbb3e27b04ba3cca9206170f1e1ea904db])

### Documentation
- Remove obsolete documentation from [`tor-proto`]. ([!2366])
- Discourage use of `tor_rtmock_test_with_*` macros. ([!2372])

### Infrastructure
- Add a few more Tor employees to exclude from our acknowledgments. ([!2306])
- Remove the no-longer-necessary `--cfg docsrs` flag from our rustdoc invocation.
  ([!2308])
- Fix handling of items ending in `;` in `check_doc_features`
  maintenance script. ([!2316])
- Use the `via-cargo-install-in-ci` maintenance script to cache `grcov`
  in the `coverage-aggregated` job. ([!2325])
- Add initial support for building an Arti deb package. ([!2323], [!2367])
- Add script for testing without any features enabled.
  ([7a9bf49870533cc052b12680336f067f77d87b34])
- Run tests of every crate, with all features disabled. ([!2350])
- Explicitly specify the deployment target of macOS to 10.7
  to fix the failing `build-repro-macos` job.
  ([#1394], [#1507], [!2377], [!2346])
- Rename "Sponsor 101" to "Project 101". ([!2379])

### Cleanups, minor features, and bugfixes
- Make `arti hss onion-name` return a non-zero status if the service doesn't
  exist. ([!2305])
- Use `std::backtrace` instead of the [`backtrace`] crate. ([!2301])
- Add missing `docsrs` `cfg_attr` to fix a `cargo doc` warning. ([!2337])
- Resolve `unreachable_patterns` warnings from nightly. ([!2338])
- Make `blind_keypair` build without the `hsv3-client` feature.
  ([#1504], [!2341])
- Move `Qty` to [`tor-basic-utils`] as `ByteQty` and significantly improve it.
  ([!2363])
- Move `stream_peek` to [`tor-async-utils`]. ([!2362], [!2357])
- Various typo fixes in comments and messages. ([!2380])

### Acknowledgments

Thanks to everybody who's contributed to this release, including Alexander
Hansen Færøy, ambiso, Dimitris Apostolou, kn0sys, Kunal Mehta, NoisyCoil, opara,
Robin Leander Schröder, and Steven Engler.
Also, our welcome to Steven Engler as he joins the team!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.6 — 1 August 2024

Arti 1.2.6 continues development on onion service client authorization,
the RPC subsystem, and relay infrastructure.

### Security fixes

- Update `openssl` to avoid undefined behavior in `MemBio::get_buf`.
  ([RUSTSEC-2024-0357], [TROVE-2024-009], [#1495], [!2276])

### Major bugfixes

- When opening a SQLite directory cache in read-only mode, do not attempt to
  create it. This bug would sometimes prevent Arti from starting correctly
  when running multiple processes at once.
  ([#1497], [!2283])

### RPC development

- Initial work on a [wrapper library][arti-rpc-client-core]
  for invoking Arti RPC functionality from other processes.
  ([!2270], [!2277], [!2279])
- Initial work on [FFI support][arti-rpc-client-core-header]
  for invoking Arti RPC functionality from other languages.
  ([#737], [!2273])
- Clean up the RPC method dispatch implementation,
  remove some unneeded functions, and refactor the syntax
  for declaring error types. ([!2284])

### Relay development

- Infrastructure work for out-of-memory prevention.
  ([#351], [!2280], [!2281])

### Onion service development

- New `arti hsc` command for managing client state and keys for connecting
  to onion services. ([#1281], [#1291], [!2212], [!2257])
- Support parsing client restricted discovery (a.k.a. "client authorization") keys
  from C Tor's `descriptor:x25519:<base32-encoded-x25519-public-key>` key format.
  ([!2246])
- Ensure that `hsc` subcommand can build correctly with unusual combinations
  of features. ([!2254])
- Remove some unused code for publishing and authentication support.
  ([!2251])
- Add an `OnionServiceBuilder` API; deprecate `OnionService::new()`.
  ([#1490], [!2262])

### Minor features

- The obsolete and unused "TAP" keys are now optional
  when parsing network documents.
  This is phase one of [our plan][prop350] to eventually remove them entirely.
  ([!2227], [prop350])
- New `TorClient::wait_for_stop` method, for code that needs to wait
  until a TorClient instance has definitely shut down.
  ([#1418], [!2259], [!2278])
- In `tor-netdoc`, expose fields from `AnnotatedRouterDesc` and
  `RouterAnnotation` when `dangerous-expose-struct-fields is set.
  ([#1469], [!2213])

### Testing

- Exclude `maint` and `examples` from coverage reports. ([!2256])
- More tests throughout RPC codebase. ([!2264])
- Improvements and clean-ups to circuit reactor tests. ([!2287])
- CLI tests for the `arti hss` and `arti hsc` subcommands. ([#1250], [!2275])

### Documentation

- Clarify meaning of `peer_cert` in `UnverifiedChannel`. ([!2260])
- Improve documentation for mocked time in `tor-rtmock`. ([!2286])

### Infrastructure

- Improvements in release process and utilities for managing the changelog.
  ([!2240])
- Fix gitlab CI to always use `amd64` architecture images.
  Previously, it would sometimes choose a docker image for the wrong
  architecture. ([!2249])
- Split and refactor reproducible-build CI job. ([!2252])
- Improvements to script for detecting crate ownership problems.
  ([#1485], [!2255])
- Script to make sure that every crate has a valid set of crates.io
  categories. ([#1481], [!2256])
- Move our commonly used rust maintenance scripts to a separate repository,
  imported with `git-subtree`. ([#1300], [!2267])
- In gitlab CI, pin the compiler version we use to build cargo-audit
  and some other tools. ([!2289], [!2290])


### Cleanups, minor features, and bugfixes

- Remove an unused constant from `equix`. ([!2243])
- Suppress and resolve a few warnings about documentation and dead code.
  ([!2244])
- Fix parsing time-periods from "key slug" identifiers. ([!2248])
- Fix error messages related to filesystem access failures,
  so that they do not all erroneously claim to be permissions failures.
  ([#1473], [!2253])
- Return correct error type when trying to extend a circuit via `ntor` to a
  relay with no known RSA identity. ([!2261])
- Fix a bug in the implementation of
  `ArtiNativeKeystore::contains()` that caused it to always return false.
  ([#1492], [!2274])
- Fixes for various new warnings from the nightly version of `clippy`.
  ([!2288])
- Disallow the error-prone `Path::exists()` function in our code,
  and use `try_exists()` instead. ([#1493], [!2293])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Clara Engler, Jim Newsome, and trinity-1686a!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.5 — 27 June 2024

### Breaking

- `TorClientBuilder::create_*` now take `&self`.
  ([!2198])
- Stop publishing the obsolete `arti-hyper` crate.
  ([!2225], [#1204])

### Security fixes

- Update curve25519-dalek to avoid a low-severity timing vulnerability.
  ([TROVE-2024-007], [#1468], [!2211])
- With full vanguards, client rendezvous circuits
  do not reuse the final vanguard as the rendezvous point.
  ([TROVE-2024-008], [#1474], [!2230])

### RPC development

- New overview document, at the crate root for `tor-rpcbase`.
  ([!2210])
- Much improvement to method invocation arrangements.
  ([!2190])
- Change approach to method invocation on data-stream-like objects.
  ([!2192])

### Relay development

- Add skeleton, including (experimental): arti-relay crate,
  `relay` cargo feature in `arti-client`,
  `relay` command line argument to `arti`.
  ([!2182])
- Add a key material export facility for some of our TLS implementations.
  ([IETF RFC 5705], [#1432], [!2185])

### Bugfixes

- Tolerate removal of files from Arti's cache directory.
  Fixes
  `Bad permissions in cache directory: File or directory ${HOME}/.cache/arti/dir_blobs/... not found`.
  ([#1466], [!2200])
- Ensure that obsolete files are removed from Arti's cache directory.
  ([!2200])

### New features and other improvements

- Add `TorClientBuilder::local_resource_timeout` feature,
  asking Arti to wait (a short while) for a previous instance to exit.
  ([#1464], [!2198])
- Improve memory usage by disabling built-in X.509 root certificates
  when building `tor-rtcompat` with openssl.
  ([!2203], [#1027])
- Improve memory usage by limiting the batch size
  when reading directory information from the on-disk cache.
  ([!2202], [#1027])

### Documentation

- Documentation tweaks in `tor_persist::StorageConfig`.
  ([!2197])

### Testing

- Use a new version of [Shadow].
  ([!2195])
- Improvements to the tests to prevent a recurrence of
  [TROVE-2024-003] /
  [TROVE-2024-006].
  ([!2199])
- Stop build-testing the `gsoc2023/download-manager` example
  (it uses an obsolete version of `hyper` and the obsolete `arti-hyper` crate).
  ([!2225], [#1471])
- Fixes to test builds on MacOS,
  ([#1394], [!2226], [#1472], [!2234])
- Disable test builds on x32 (the not-widely-used Linux x86_64 32-bit hybrid ABI)
  ([#1480], [!2235], [!2236],
  [num-bigint#311](https://github.com/rust-num/num-bigint/issues/311))

### Internal cleanup and refactoring

- Improve the path construction logic to try to help avoid future bugs like
  [TROVE-2024-003] and
  [TROVE-2024-004].
  ([#1459], [!2199], [!2205])
- Refactoring in the circuit reactor, including new `SometimesUnboundedSink`.
  ([!2172])
- Refactoring in the arti command line utility,
  pursuant to client support for hidden services with restricted discovery
  (previously misleadingly known as "client authorisation").
  ([!2206])
- Rename the internal type `OptTimestamp` to `AtomicOptTimestamp` in `tor-proto`.
  ([!2218], [#1412])
- Fix a rustdoc warning.
  ([!2215])
- Update to new syntax for [`derive-deftly`] 0.12.1.
  ([!2209])

### Infrastructure and support

- Portability improvement to the script for maintaining links in this changelog.
  ([!2194], [#1460])
- New script for checking crate ownership on crates.io.
  ([!2196], [!2201], [!2220], [#1462])
- Try to work around bugs where container systems
  use images of the wrong architecture.
  ([!2207],
  [docker](https://github.com/docker/cli/issues/2590),
  [podman](https://github.com/containers/podman/issues/22998))

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Gaba, Jim Newsome, juga, pinkforest, and trinity-1686a!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!



# Arti 1.2.4 — 5 June 2024

Arti 1.2.4 continues development on onion services,
and on the RPC subsystem.

This release restores the `faravahar` directory authority, which has a new
location and keys.

We have also fixed two-medium security issues, tracked as [TROVE-2024-005]
and [TROVE-2024-006], respectively, and a number of other, smaller bugs.

[TROVE-2024-005] affects hidden service circuits using non-default vanguard
configurations (where the vanguard mode is set to 'disabled' or 'full'),
causing hidden service circuits to be built from circuit stubs that are
incompatible with the circuit target, and to have an incorrect length.

[TROVE-2024-006] affects hidden services and clients using non-default
vanguard configurations, where the vanguard mode is set to 'disabled', or that
have the `vanguards` feature compiled out. In some circumstances, this bug can
lead to building hidden service circuits that contain the same relay in
multiple positions.

Both issues make users of this code more vulnerable to traffic analysis when
running or accessing onion services.

### Network updates

- Restore the `faravahar` directory authority, with new location and keys.
  ([!2175])

### Major bugfixes

- Ensure that `DataWriter::close()` actually closes its associated stream.
  Previously, this `close()` method would have no effect until the
  `DataReader` was also dropped. ([#1368], [!2170])
- Fix a bug where the vanguard circuit stub selection code would fail to ensure
  that the last two hops of the selected circuit stub are different from the
  circuit target. ([#1417], [!2167], [!2181])
- Fix a medium-severity issue causing the hidden service circuit pool code to
  ignore the configured vanguard mode.
  This is also tracked as [TROVE-2024-005]. ([#1424], [!2168])
- Use `HasRelayIds::has_any_relay_id_from` to check for relay equality
  when checking if a circuit contains duplicate relays. ([!2181])
- Fix a medium-severity issue, which would, in some circumstances, cause
  hidden service circuits to be built without applying the necessary same-hop
  restrictions.
  This is also tracked as [TROVE-2024-006]. ([#1425], [!2179])

### Breaking changes in lower-level crates

- The `Channel` type in `tor-proto` has been significantly refactored:
  it is now always wrapped in an explicit `Arc`, it no longer implements
  `Sink` on its own, and it can no longer be used to send raw cells
  from outside the `tor-proto` crate. ([!2163])
- `HsCircPool::reconfigure` has been removed
- `VanguardConfig` and `VanguardConfigBuilder` are now reexported from
  the root of the `tor-guardmgr` crate. ([!2146])
- `SshKeyData` is now an opaque type
- `SshKeyData::into_public` and `SshKeyData::into_private` have been removed

### Deprecated functionality

- The `arti-hyper` example crate is now deprecated and unmaintained.
  ([!2127])

### Onion service development

- Major refactoring to reduce technical debt in key manager code.
  ([#1362], [#1367], [!2131], [!2141])
- Address various pending "TODO" items in the vanguard code.
  ([!2139])
- Adjust terminology for vanguard stub circuits. ([#1339], [!2161])
- Add tests for vanguard configuration, and configuration backend logic as
  needed to simplify some of the vanguard configuration code. ([!2146])

### RPC development

- Expose methods on TorClient to get and observe the status of the client
  object. ([#1384], [!2110], [!2130])
- Infrastructure to allow the RPC system to interact with SOCKS streams,
  provide them with context, and name them as RPC objects.
  ([!2143])
- Based on difficulties encountered with earlier RPC development,
  add an improved facility for RPC methods that can be invoked internally
  without serializing their inputs and outputs ([#1403], [!2152])
- Enforce consistent style and formatting on RPC method names. ([#823], [!2149])
- Other miscellaneous lower-level improvements to the RPC type
  system. ([!2124], [!2140], [!2142])

### Other major features

- If the circuit manager has retired all of its circuits,
  unconditionally retire all the circuits from the hidden service circuit pool.
  ([!2168])

### Testing

- Improved test layout in `tor-keymgr`. ([#1363], [!2125])
- Automate enforcement of our convention that scripts not be named with
  their implementation languages. ([!2153])
- Include script needed to generate `keymgr` test data. ([!2121])
- Add tests for vanguard state file serialization. ([!2167])
- Add a [Shadow] CI test involving an onion service that uses full vanguards.
  ([!2167])
- Add a test that ensures the hidden service circuit pool reads the vanguard mode
  from the configuration. ([!2168])
- Make the Shadow CI tests fail if any internal errors are reported in the logs.
  ([!2186])

### Documentation

- New example in arti-client for creating a one-hop circuit. ([!2148])
- Recommend `cargo --locked` in our examples, to encourage people
  to get audited versions of our dependencies. ([!2157])
- Clean up old changelogs to have a more uniform style, based on
  our updated `gen_md_links` script. ([!2126], [!2165])

### Infrastructure

- Disable automated Chutney tests in coverage CI. ([#1299], [!2120])
- Improve our `add_warning` script so that it can adjust our warnings during
  CI.  Previously we used a compiler `--cfg` flag for conditional warnings,
  but unrecognized `cfg` flags now provoke a warning. ([#1395], [!2129])
- Use `add_warning` to maintain the list of lints in our examples. ([!2132])
- Improved scripts to list our crates, and publish our crates,
  to make accidents less likely while
  we're trying to release.  ([#1390], [!2118], [!2138], [!2158])
- Improve our `gen_md_links` script to provide more uniform output,
  and generate its results in a more useful format. ([#1388], [!2126], [!2169])
- Ensure that our CI scripts delete unnecessary data on completion.
  (This helps keep us from running our infrastructure out of disk space
  and making the other gitlab users sad.) ([!2159])
- Adjust our license-checking code to accommodate
  license clarifications in `priority-queue` and `tinystr`.
  ([!2177])

### Cleanups, minor features, and bugfixes

- Resolve several Clippy warnings from the latest version of Rust. ([!2128])
- Clarify control-flow in our (currently convoluted) circuit reactor code.
  ([!2122])
- Refactor to avoid most use of `cfg(fuzzing)`. ([#1395], [!2134])
- The `DataStream` type now has a method to wait for a connection to
  complete. ([489aa72d1eee8a56])
- Clarify or resolve several dead-code warnings. ([#1383], [!2151])
- Explicitly enforce maxima on SENDME windows.  (Formerly, we did this
  implicitly.)  ([#1383], [!2150])
- Avoid the appearance of an infinite loop in
  `engage_padding_activities`. ([!2164])
- Refactor the `Channel` type to be more explicitly `Arc`,
  better documented, and to have less information shared between its
  front-end and reactor pieces. ([!2163])
- Refactor the `poll_ready` method on `ChannelSender` to
  have a more conventional interface. ([!2171])
- Replace debug assertions with internal errors
  in the post-build checks for vanguard circuits,
  to prevent issues such as [TROVE-2024-003] and [TROVE-2024-004].
  ([!2167])
- When building vanguard circuits, ensure the target relay does not occur
  as one of the last two hops. ([!2186]]
- Upgrade to the latest versions of [priority-queue]. ([!2177])
- Validate the properties of the circuits retrieved
  from the hidden service circuit pool. ([97868349ed695ec8])
- Fix hidden service circuit stubs sometimes being unnecessarily extended
  when lite vanguards are in use. ([#1458], [!2183])
- Refactor vanguards configuration handling to be less error-prone.
  ([#1456], [!2183])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Gaba, Jim Newsome, juga, and pinkforest!

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!



# Arti 1.2.3 — 15 May 2024

Arti 1.2.3 fixes a high-severity issue affecting onion services and clients
connecting to onion services with 'lite' vanguards (the default) enabled:
when building anonymizing circuits to or from an onion service
the circuit manager code would build the circuits with one hop too few.
This makes users of this code more vulnerable to some kinds of traffic analysis
when they run or visit onion services.

This release also fixes a medium-severity issue affecting 'full' vanguards.
With 'full' vanguards enabled, client HsDir circuits, client introduction
circuits and service rendezvous-circuits are extended with an extra hop to
minimize the linkability of the guard nodes.
In some circumstances, the circuit manager would build circuits with one
hop too few, making it easier for an adversary to discover the L2 and L3
guards of the affected clients and services.

In Arti 1.2.1 and earlier, vanguards were still an experimental feature, or
absent, so those versions are classified as "not affected", even though
downgrading does not fix the security problem.

### Major bugfixes

- Fix a high-severity issue affecting onion service circuits using 'lite'
  vanguards. Previously, with 'lite' vanguards enabled, any circuit to or from
  an onion service was one hop too short, making clients and services vulnerable
  to certain types of traffic analysis. This is also tracked as
  [TROVE-2024-003]. ([#1409])

- Fix a medium-severity issue affecting onion service circuits using 'full'
  vanguards. Previously, with 'full' vanguards enabled, *some* circuits to or from
  an onion service were one hop too short, making linkability attacks more
  likely to succeed.
  [TROVE-2024-004]. ([#1400])

[#1400]: https://gitlab.torproject.org/tpo/core/arti/-/issues/1400
[#1409]: https://gitlab.torproject.org/tpo/core/arti/-/issues/1409
[TROVE-2024-003]: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
[TROVE-2024-004]: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE



# Arti 1.2.2 — 30 April 2024

Arti 1.2.2 continues improvements on previous releases,
by improving onion service security with [Vanguards].
This release also includes an as-yet-unused backend
to help resist memory-exhaustion attacks,
and numerous other smaller improvements.

### Breaking changes in lower-level crates

- Refactor our [`Relay`] code to move low-level information
  into a [`RelayDetails`] type.
  ([#504], [!2057], [!2073])
- The internal API for the RPC object system has been greatly revised.
  ([!2079])

### Network updates

- Update to use the new identity key
  for the `tor26` directory authority.
  ([!2080])

### Major bugfixes

- Fix an inadvertent recursion bug when converting
  ` TorAddrError` to `arti_client::Error`.
  ([#1379], [3f2dcaca31992018f825])
- Improve reliability of bootstrap status reporting.
  ([!2107])

### Onion service development

- Arti now supports [Vanguards] for improved security
  against guard discovery for onion service circuits.
  By default, we use the `vanguards-lite` algorithm;
  the `vanguards-full` algorithm can be configured.
  ([#1272], [#1273], [#1275], [#1340], [#1353], [#1364], [#1366],
  [!2075], [!2082], [!2083], [!2088], [!2090], [!2093], [!2099],
  [!2102], [!2104], [!2105], [!2109], [!2111])
- Export `KeyMgrBuilderError` as a public type,
  to help external code construct its own [`KeyMgr`].
  ([!2078])
- Initial implementation for
  an in-memory ephemeral key store, which will be useful
  in implementing ephemeral onion services.
  ([#1358], [!2076])
- Fix a bug that prevented reporting of onion service status updates.
  ([#1361], [!2086])
- Fix a bug that would cause onion service circuit pools
  to pre-build fewer circuits than actually desired.
  ([!2101])

### RPC development

- The RPC object system has been refactored to use `derive-deftly`
  and an improved system of method invocation.
  Together, these changes make it easier to write RPC methods,
  and allow support for RPC methods on generic types.
  ([#838], [#1380], [!2079], [!2084], [!2103])

### Other major features

- Convert to use [`figment`] instead of [`config-rs`]
  as our configuration backend,
  for improved error messages.
  ([#1267], [#1268], [!2041])
- New `tor-memquota` backend crate to keep track of our memory usage,
  and to help us react appropriately when we are out of memory.
  We will use this as part of our DoS-resistance system.
  ([#1381], [!2091], [!2100])


### Documentation

- Add cross-references to explain limitations of [`NetDir::by_ids`].
  ([#1365], [!2081])
- Fix a link to our Code of Conduct.
  ([!2085])
- Miscellaneous documentation fixes.
  ([!2087])
- Document some tricky assumptions and requirements in `tor-proto`'s
  circuit reactor code.
  ([#1373], [!2089])
- Improve documentation and license presence for our two
  LGPL-licensed crates.
  ([#1375], [!2094], [!2106])

### Testing

- Add high-level tests for pluggable transport configuration.
  ([#1333])

### Infrastructure

- Adjust our license-checking code to accommodate
  license clarifications in `rustls-webpki` and `option-ext`.
  ([!2070])
- Fix compilation breakage in our relaymsg fuzzing code.
  ([#1349], [!2069])
- Add an option to the `fuzz_it_all` script
  for it to run only against the static corups.
  ([#1350], [!2071])

### Cleanups, minor features, and bugfixes

- Remove unused dependencies from several crates.
  ([!2068])
- Expose `BridgesConfig` from `TorClientConfig`
  so it can be inspected by other modules.
  ([c5a91130fff6af25])
- Refactor code for scheduling events in onion service code.
  ([#1259], [!2064])
- Update our code to use [`derive-deftly`],
  formerly called `derive-adhoc`.
  ([!2066])
- Refactor `same_relay_ids` to be automatically derived.
  ([!2072])
- Refactor `StreamMap`'s stream-counting code to be less
  error-prone.
  ([#1344], [!2058])
- Add an experimental method to expose the HS circuit pool
  from `TorClient`.
  ([!2077])
- Clean up new warnings from the nightly version of Clippy.
  ([!2096], [!2097])
- Upgrade to rustls version 0.23.
  ([#1377], [!2095])
- Suppress or resolve some dead-code warnings. ([!2098])


### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Jim Newsome, Richard Pospesel, trinity-1686a,
Wiktor Kwapisiewicz, and VaiTon.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.1 — 2 April 2024

Arti 1.2.1 continues development on onion services,
and adds several important security features.
More such improvements are on the way.
See [`doc/OnionService.md`] for instructions and caveats about running
onion services with Arti today.

This release also adds support for
[unmanaged pluggable transports][#755],
and begins work to improve Tor's relay cell protocol
with support for [packed and fragmented messages][prop340].

### New versioning policy

Starting with this version,
we are no longer independently tracking
breaking and non-breaking version changes
for the `arti-client` crate and each of the `tor-*` crates below it.
Instead, we will _assume_
that every release of these crates breaks API compatibility
with the one before, and update our semantic versioning accordingly.
(We will continue not to make gratuitous API compatiblity breaks
on purpose.)

Previously, our efforts to track
which changes in these crates were breaking
and which were not
created a great deal of overhead in our development process,
and tended to be somewhat error-prone.

This change affects developers only; users should not be affected.
This does not affect crates already at version `1.x` or higher,
or published utility crates whose names don't start with `tor-` or `arti-`.

See [`doc/Semver.md`] for more information on this policy.
([#1005], [!2051])

### Breaking changes in lower-level crates

- Refactored `tor-config` to hide implementation details.
  This will eventually allow us to migrate from `config-rs`
  to a configuration provider with better error handling.
  ([!2040])
- Renamed several types in `tor-ptmgr`
  to reflect new support for unmanaged pluggable transports.
  ([d63d966d79f0f988])
- The `tor_circmgr::path` module is now crate-private.
  ([4c1eb94173521bc5])
- The [`Runtime`] trait now includes functionality for "coarse" time,
  backed (by default) by the [`coarsetime`] crate.
  We use these timestamps in cases
  where we need fast time checking more than precision.
  Putting them into `Runtime` lets us replace them with mock functions
  for testing purposes.
  ([!2050], [!2052])
- The `tor-cell` relay cell API is significantly revised.
  ([!2034], [!2045], [prop340])
- The `allow_stream_requests()` method in `tor-proto`
  now takes an extra argument.
  ([!2047])

### Onion service development

- Reorganize onion service code,
  to remove an unnecessary (and inconsistently used) internal module,
  to simplify needless imports,
  and to generally tidy up the implementation.
  ([#1212], [!2020])
- Avoid using `futures::oneshot`:
  our own `tor_basic_utils::oneshot` is safer to use
  when `select!` may be involved.
  ([95ed432c13c2c4b2])
- Design work for out-of-memory handling,
  which is necessary for onion service security.
  ([!1997])
- Onion services have now support a `max_concurrent_streams_per_circuit` option.
  ([#1124], [!2047])
- Initial implementation work
  for onion service [vanguards],
  which are needed to improve onion service security.
  This is not yet complete.
  ([#1272], [#1275], [#1276], [#1277], [#1340],
  [!2035], [!2038], [!2046], [!2049], [!2053])

### Other major features

- New relay cell decoding API, in order to eventually handle
  packed and fragmented messages.
  ([!2034], [!2045], [prop340])
- We now support unmanaged pluggable transports.
  Previously, Arti only supported _managed_ pluggable transports:
  that is, ones that it launched itself.
  Now you can configure Arti to use a pluggable transport
  running at a known SOCKS port.
  ([#755], [!2043])

### Documentation and examples

- Improve windows documentation in `fslock-guard` and `test-temp-dir`.
  ([!2011])
- More documentation for our internal build and release tools.
  ([!2028])
- Fixed broken links in the documentation for `NetParameters`.
  ([!2054])
- Fixed the disclaimer about onion services in our configuration file.
  ([!2055])

### Testing

- More unit tests in `fslock-guard`.
  ([!2013])
- More tests for `arti_client::address`.
  ([!2029])

### Cleanups, minor features, and bugfixes

- We've fixed a bug in our arguments parser
  that previously caused `arti` to panic when run without arguments.
  ([#1311], [!2021])
- The `tor-checkable` module now uses checked time arithmetic,
  to avoid overflows or panics when extending tolerances.
  ([!2031])
- We now enforce Clippy's [`unchecked_duration_subtraction`] lint by default.
  ([#1304], [!2008])
- Refactor configuration watcher to receive a `Runtime`.
  Previously it took an entire `TorClient`, unnecessarily.
  ([!2017])
- We now ban `std::Path::display`,
  since it is lossy in an easy-to-overlook way.
  We've given it a `PathExt::display_lossy` implementation
  to be used instead.
  ([!2027])
- The `tor-bytes` module now behaves more sensibly
  (typically panicking)
  if someone tries to use `write_zeros` to extend a buffer beyond `usize::MAX`.
  Previously it might truncate its buffer.
  ([!2033])
- Refactoring and improvements on the `BackoffSchedule` logic.
  ([#1259], [!2024])
- Moved logic for picking relays into a new `tor-relay-selection` crate,
  to avoid duplicated code
  and the risk of missing necessary checks when picking or examining relays.
  ([#504], [#789], [!2002])
- Clarify implementation of onion service timeout calculation logic,
  to avoid possible confusion about the `hs_hops` variable.
  ([#1332], [!2044])
- Simplified logic and API for creating relay encryption layers.
  ([!2048])
- Various typo fixes in comments and messages. ([!2030], [!2032], [!2036])


### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Brady Fomegne, Dimitris Apostolou, Jim Newsome,
Neel Chauhan, Tobias Stoeckmann, and trinity-1686a.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!



# Arti 1.2.0 — 4 March 2024

Arti 1.2.0 continues work on support for running onion services.
You can now launch an onion service and expect it to run,
although you may well encounter bugs.

We have fixed a number of bugs and security issues,
and have made the `onion-service-service` feature non-experimental.

In the next releases, we will focus on implementing
the missing security features and on improving stability.

Don't rely on this onion service implementation for security yet;
there are a number of [missing security features]
we will need to develop before we can recommend them
for actual use.

See [`doc/OnionService.md`] for instructions and caveats.

### Major bugfixes

- Empty DATA messages are a way to inject an undetected traffic signal, so we
  now reject empty DATA messages, and prevent them from being constructed
  through the [`tor-cell`] API.  This is tracked as [TROVE-2024-001].
  ([!1981], [#1269])

### Breaking changes in lower-level crates

- In [`tor-circmgr`], `Error::GuardNotUsable`, `Error::CircTimeout`,
  and `Error::Protocol` now contain the process-unique identifier of the circuit
  that caused the error. ([!2003])
- In [`tor-hsclient`], remove `HsClientNickname` and the nickname argument from
  `HsClientDescEncKeypairSpecifier::new`. ([!1998], [#1283])
- In [`tor-hsrproxy`], add a `String` representing the error message to
  `ProxyConfigError::UnrecognizedTargetType`,
  `ProxyConfigError::InvalidTargetAddr`, `ProxyConfigError::InvalidPort`
  ([!1973], [#1266])
- In [`tor-hsservice`], remove the unimplemented `max_concurrent_streams_per_circuit`
  configuration option from `OnionServiceConfigBuilder`.  We may implement and
  reinstate it in a future release. ([!1996])
- In [`tor-keymgr`], rename `KeyInfoExtractor` to `KeyPathInfoExtractor`.
  ([bd85bffd0a388f57])
- In [`tor-keymgr`], rename `{to,from}_component()` to `{to,from}_slug()`.
  ([1040df929f643a2f])

### Onion service development

- Improve the key manager APIs. ([!1952], [#1115])
- Add more context to [`tor-hsrproxy`] configuration error messages. ([!1973])
- Design an API for vanguards. ([!1970])
- Make the descriptor publisher conform with the specification, by periodically
  republishing the hidden service descriptor.  This fixes a serious reachability
  bug. ([!1971], [#1241], [#1280])
- Rotate old introduction point relays even if they are not working.
  ([72c021555e1095f1])
- Expire old on-disk introduction point state. ([!1977], [!1982], [#1198])
- Expose `HsNickname::new`. ([f3720ac2c0f16883])
- Design the client and service configuration, and a CLI subcommand, for hidden
  service client authorization. ([!1987])
- Improve the ergonomics of our key listing and removal APIs. ([!1988], [#1271])
- Include the `ArtiPath` in key path errors. ([!1960], [#1115])
- Improve circuit error logging by including the process-unique identifier of
  the circuit in error messages. ([!2003], [#1297])
- Improve status reporting from onion services. ([!1966], [#1083])
- Design an API for bandwidth rate limiting. ([!1965])
- Improve descriptor publisher error reporting. ([!1991])
- Remove the client nickname from onion service client key specifiers. ([!1998],
  [#1283])
- When reconfiguring an onion service, reject any changes that are inappropriate
  or would put the service in a bad state. ([!1996], [#1209])
- Remove the keystore directory configuration option, pending design work
  relating to RPC and multi-user Arti. ([!1995], [#1202])
- Mark `onion-service-service` and every feature it depends on as
  non-experimental. ([!1993], [#1182])
- Fix a bug that prevented the descriptor publisher from fully processing the
  results of publish tasks, causing it to republish the descriptor unnecessarily
  in some circumstances. ([!1983])

### Other major new features in our Rust APIs

- [`tor-persist`] now provides new `state_dir` APIs for instance iteration and
  expiry needed for onion service state expiry.  ([!1968], [#1163])

### Documentation and examples

- Fix the casing of our recognized key paths. ([1a900081e945679e])
- Minor updates to the release process. ([!1959], [!1963])
- Fix typos in the [`tor-guardmgr`] README. ([!1980])
- Reword the [`tor-keymgr`] README for clarity. ([489a2555f28daa6d])
- Update onion service documentation. ([!1994], [#1287])
- Clarify the onion service configuration instructions from
  `doc/OnionService.md`, remove unsupported "unix:" example ([!1972], [#1266])

### Testing

- Improve replay log fork test. ([!1974], [!2010], [#1264])
- In the introduction point manager tests, avoid reusing the RNG seed.
  ([b515baf27f194470])
- Our [Shadow] CI tests now use the latest versions of `shadow` and `tgen`, and
  no longer pull `libigraph` from bullseye. ([!1958])
- Upgrade docker image for reproducible builds. ([!2016])
- Fix several tests on Windows. ([!2015])

### Cleanups, minor features, and bugfixes

- Allow overriding `cargo` in [`semver-checks`]. ([83c29b0d805f908e])
- Introduce a [`list_crates_publish`] script. ([b03e5d5e11c52faf])
- Fix compilation with musl. ([!1961], [#1264])
- Add `fixup-features` to the main workspace, make various improvements to
  `fixup-features`, `check_toposort`, `list_crates` ([!1969], [#1263])
- Use `std::default::Default` instead of [educe]'s `Default` in a number of
  places in preparation for the upgrade to educe 0.5. ([!1975], [#1257])
- Require the Fast and Stable flags as appropriate. ([!1976], [#1100])
- Refactor and improve error hinting in [`arti`] and [`arti-client`]. ([!1986],
  [#1165])
- Do not output ANSI escape codes when logging to file. ([!1999], [#1298])
- Upgrade our dependency on [curve25519-dalek] from 4.1.1 to 4.1.2 ([!2000])
- Upgrade to the latest versions of [event-listener], [rusqlite],
  [async-broadcast], [signature], [config]. ([!2001], [!2004], [!2451])
- Fix `ArtiPath` creation on Windows. ([!2012])
- Fix compilation and warnings on Windows. ([!2014], [!2009])
- Gate `RpcConfig` behind `rpc` feature. ([6c9e70e39ab279aa]])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Jim Newsome, Tobias Stoeckmann, and trinity-1686a.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.1.13 — 5 February 2024

Arti 1.1.13 continues work on support for running onion services.
You can now launch an onion service and expect it to run.

We have fixed a number of bugs.  The user experience is still not
great, and the onion-service-service feature is still experimental.
We have reorganised the on-disk state and key storage, to make it more
sensible; we hope (but don't promise!) it's now the final layout.
Don't rely on this onion service implementation for security yet;
there are a number of [missing security features]
we will need to develop before we can recommend them
for actual use.

See `doc/OnionService.md` for instructions and caveats.

### Breaking changes in lower-level crates

- [`tor-hsclient`]\: Replaced `HsClientKeyRole`,
  `HsClientSecretKeySpecifier` with `HsClientDescEncKeypairSpecifier`.
  Renamed `HsClientSpecifier` to `HsClientNickname`.
  ([!1864], [!1931])
- [`tor-hscrypto`]\: `AesOpeKey::encrypt` now takes a
  `SrvPeriodOffset`; Replaced `TimePeriodOffset` with
  `SrvPeriodOffset`; Removed `TimePeriod::offset_within_period`.
  ([!1904], [#1166])
- [`tor-netdir`]\: `hs_dirs_download` parameters changed;
  `hs_intro_*_lifetime` parameters renamed.
  ([!1903], [!1904], [#1254])

### Onion service development

- Complete overhaul of the way the hidden service code stores non-key
  persistent state.  Pathnames have changed as a result.
  ([!1853], [#1183], [!1941])
- Many improvements to keystore, key and `KeySpecifier` handling,
  including incompatible changes to on-disk key paths.
  ([!1864], [!1863], [!1883], [#1260], [!1949], [#1074], [!1948])
- Fix "service fails after approx 12 hours" bug.
  ([#1242], [!1901])
- Fix time period processing bugs including `HSS: "internal error"
  "current wallclock time not within TP?!"`.
  ([#1155], [#1166], [#1254], [!1903], [!1904], [!1914])
- Correctly rate-limit descriptor publication.
  ([!1951])
- Fixes to services shutdown.
  ([!1875], [!1895], [!1897], [#1236], [!1899], [!1917], [!1921])
- Improve error and corner case handling in descriptor publisher.
  ([!1861])
- Work on expiring keys: we expire descriptor keys now (although we
  don't actually properly delete all keys when we need to, yet).
  ([!1909])
- Only choose Stable relays for introduction points.
  ([!1884], [#1240], [#1211])
- Better handling of introduction point establishment failures.
  ([!1889], [!1915])
- Better handling of anomalous situations (including excessive
  requests) on introduction circuits.
  ([#1188], [#1189], [!1892], [!1916])
- Tolerate `INTRO_ESTABLISHED` messages with (unknown) extensions.
  ([!1898])
- Correct and improve various timing and tuning parameters.
  ([!1911], [!1924])
- Improve status reporting from hidden services.
  ([!1902])
- Public API of `tor-hsservice` crate overhauled.
  ([#1227], [#1220], [!1887])
- Mark lower-level hs-service features non-experimental.
  ([!1908])
- Defend against partial writes of introduction point replay log
  entries.
  ([!1920])
- Corrections to error handling, including to handling of introduction
  point failures, and attempts to launch the same service
  concurrently.
  ([!1906], [#1237], [#1225], [#1255])
- Detect and reject configurations with onion services, when
  onion-service-server support has been compiled out.
  ([!1885], [#1184])
- Temporarily disable parsing of AF_UNIX socket addresses (which
  aren't implemented right now anyway).
  ([!1886])
- Rate limit one log message, downgrade one, and remove another.
  ([!1871], [!1951])
- Add higher-level documentation to tor-hsservice (and fix a broken
  docs link).
  ([!1918], [!1945])
- Hide the `OnionServiceState` type.
  ([!1946], [#1261])
- Many internal cleanups including much triage of TODO comments in the code.
  ([!1859], [!1862], [!1861], [!1868], [!1866], [!1863], [!1870], [!1874])
  ([!1872], [!1869], [!1876] !1867 [!1873], [!1877], [!1878], [!1875])
  ([!1879], [!1882], [!1881], [!1880], [!1894], [!1888], [!1887], [!1896])
  ([!1864], [!1951])

### Other major new features in our Rust APIs

- New `fslock-guard` crate for on-disk lockfiles which can be deleted,
  and which have a Rust API that returns a guard object.
  [fslock!15](https://github.com/brunoczim/fslock/pull/15)
  !1900 !1910
- `tor-persist` has a `Slug` type which is used for nicknames, key
  paths, etc., unifying the rules used for different kinds of name.
  ([!1912], [#1092], [#1193], [!1926], [!1929], [!1922], [!1933], [#1092])
  ([!1931], [!1934])
- `tor-persist` has `StateDirectory` for handling persistent state
  relating to particular instances of a facility (used for hidden
  serivces).
  ([!1853], [#1205], [!1913], [#1163], [!1935])

### Documentation and examples

- New examples using `hyper v1`.
  ([!1845])
- Fix a broken link.
  ([!1938])

### Testing

- New `test-temp-dir` crate for convenient handling of temporary files
  in tests.
  ([!1925])

### Cleanups, minor features, and bugfixes

- `fs-mistrust`: Expose `CheckedDir::verifier`
  and provide `CheckedDir::make_secure_dir`.
  ([!1927], [!1928])
- Instructions for building `arti-extra` in `tests/shadow/README.md`.
  ([!1891])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Jim Newsome, and ramidzkh.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.1.12 — 9 January 2024

Arti 1.1.12 continues work on support for running onion services.
You can now launch an onion service and expect it to run,
though the user experience leaves a lot to be desired.
Don't rely on this onion service implementation for security yet;
there are a number of [missing security features]
we will need to develop before we can recommend them
for actual use.

### Breaking changes

### Breaking changes in lower-level crates

- In `tor_dirmgr`, rename the `cache_path` parameter to `cache_dir`
  for consistency. ([!1789])
- In `tor-error`, the `ErrorReport` trait is now sealed.
  ([00903e22bb978295])
- Change the domain name used to tag our extended SSH key types.
  This will break any keys created using earlier releases,
  though it is unlikely that anybody actually managed to do so.
  ([#1108], [!1838])
- In `tor-netdoc`, `HsDescBuilder::auth_clients` now takes an
  `Option`, to distinguish the case where no clients are allowed from
  the case where all clients are allowed. ([#1019], [!1840])

### Onion service development

- Fix a set of bugs bug that caused onion services to upload far too
  many descriptors. ([#1130], [#1142], [!1787], [!1806])
- Improve reporting of descriptor upload failures. ([#1132],
  [f26b00b3179a7e13], [1990bbdffd87abaa], [!1799])
- Ensure that the list of published introduction points is
  recorded correctly.  ([#1097], [!1805])
- Implement persistence for introduction point information,
  so that onion services can restart with the same introduction points
  and behave correctly. ([#967], [!1782])
- Refactor key manager code to prevent the creation of invalid
  `KeySpecifier`s, and extend the `KeySpecifier` macro to also
  generate `KeyInfoExtractor` implementations for extracting
  information out of `&KeyPath`s ([#1127], [f7772f127e895d96]).
- Add lower-level support for deleting expired keys and associated information.
  ([#1043], [!1784], [!1796])
- Onion services can now be stopped, started, or reconfigured while
  arti is running. ([#1089], [!1798])
- Implement an API for onion services to report their
  status. ([#1083], [!1797], [!1808])
- Produce useful, rate-limited log messages on certain kinds of
  onion service failures. ([!1809])
- Warn on some onion service configurations that are unlikely to be
  intentional. ([!1822])
- Add documentation for how to run an onion service, in
  [`doc/OnionService.md`].  This documentation also records areas where
  the implementation is lacking, and notes areas where the current
  process has bad usability. ([!1825], [!1826], [!1841])
- Fix a bug that would occur when trying to create an onion service
  descriptor for a time period that had not yet begun. ([#1155],
  [!1828])
- Always log the onion sevice's `.onion` address, when starting with
  `log_sensitive_information` enabled. ([!1830])
- Ensure that no extra features beyond `onion-service-service` are
  needed in `arti` to enable onion service support. ([49ece08bafc115ce])
- Use our regular sub-builder pattern for key-manager configuration,
  so that default option values can be omitted. ([4d7aeeab57577c98])
- Various improvements to descriptor publisher error
  handling. ([#1129], [!1812], [!1821])
- Record a replay-log of incoming `INTRODUCE2` requests, to prevent
  replay attacks. ([!1824])
- Add a CLI for learning the `.onion` address for a given onion service.
  ([#1071], [!1837])
- Refactor the `KeySpecifier` macro and its implementations to improve
  usability and reduce the API surface. ([#1151], [#1147], [#1126],
  [!1851])

### Other major features

- Arti now supports the [`ntor_v3`] circuit extension handshake, which
  enables clients to send circuit paramaters to the relays on their paths.
  ([#1084], [!1766])

### Documentation

- Improve documentation of state and cache directories. ([!1789])
- Improve internal documentation about how we implement the onion
  service specifications. ([!1795], [!1813])
- Various typo fixes. ([!1852])

### Testing

- Fix an (unreached) bug in test_tmp_dir code. ([!1792])
- Include an onion service in our [Shadow] CI tests. ([!1827])


### Cleanups, minor features, and bugfixes

- Various cleanups enabled by our transition to requiring
  Rust 1.70.  ([!1785])
- Refactor high-level reconfiguration code so that it sends its
  configuration to each of a set of modules, rather than hardcoding a
  list of functions to call. ([1ac515c183bf8c1d])
- The `traits` module is now unconditionally present in
  the `tor-llcrypto` crate. ([!1815])
- In `tor-error`, the `ErrorReport` is now implemented for `dyn StdError`,
  which allows us to use it with `anyhow::Error`. ([#1157], [!1818])
- Fix a busy-loop that would occur if a channel was due to expire in
  less than a second, and another race condition when expiring
  channels. ([!1834])
- In `tor-cell`, `{Any}RelayCell` has been renamed to `{Any}RelayMsgOuter`,
  in order to prepare for work on [proposal 340]. This name is a placeholder;
  eventually, there will be a followup renaming. ([#775], [!1839], [!1840])
- Improve the output of `tokio`'s tracing feature when used with our
  `tor-rtcompat` wrappers. ([!1843])
- Expose a `dir_mgr_config()` accessor from `TorClientConfig`.
  ([#1175], [!1847])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Dimitris Apostolou, Emil Engler, and Jim Newsome.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!



# Arti 1.1.11 — 4 December 2023

Arti 1.1.11 continues work on support for running onion services.
Onion services are now working in our testing, and we expect we'll
have something testable by others in our next release.

Arti 1.1.11 also increases our MSRV (Minimum Supported Rust Version)
to 1.70, in accordance with our [MSRV policy].

### Breaking changes

- Arti now requires Rust 1.70 or later. ([!1773])

### Breaking changes in lower-level crates

- The `LockStatus` type in tor-persist is now `#[must_use]`. ([#1753])
- The `tor-dirclient` crate now exposes `http::Error` from
  http 1.0. ([c5b386fb1009a1d9])
- The `tor-dirclient` crate's `RequestError` type now includes status text
  from the directory server, to help diagnose problems. ([!1780])
- We've upgraded to the latest versions of [dalek-cryptography].  This
  is a breaking change to every internal Arti API that takes a
  curve25519 or ed25519 key as its input. ([#808], [!1767])
- In `tor-cell`, `HandshakeType` is now used in several places
  in place of `u16`. ([5d7f70c0fe515aee])

### Onion service development

- Correct our handling of BEGIN and END messages to bring them
  into conformance with the C Tor implementation and the specification.
  ([#1077], [!1694], [!1738])
- In our key manager, use macros to define key specifiers, instead of
  repeating the same boilerplate code. ([#1069], [#1093], [!1710],
  [!1733])
- Refactoring and refinement on the definitions of onion-service-related
  errors. ([!1718], [!1724], [!1750], [!1751], [!1779])
- Add a "time-store" mechanism for (as correctly as possible) storing and loading
  future timestamps, even in the presence of system clock skew ([!1723], [!1774])
- Implement a replay-log backend to prevent INTRODUCE replay attacks
  against onion services. ([!1725])
- Improved encoding for key-denotators in the key manager. ([#1063],
  [#1070], [!1722])
- Allow a single key to have more than one denotator in its path.
  ([#1112], [!1747])
- Use an order-preserving-encryption back-end to generate
  monotonically increasing revision counters for onion service
  descriptors.  We do this to ensure a reproducible series of counters
  without leaking our clock skew.  ([#1053], [!1741], [!1744])
- Deprecate key types for INTRODUCE-based authentication:
  C tor has never implemented this, and we do not plan to implement it
  without additional specification work. ([#1037], [!1749])
- When establishing an introduction point, send the `intro_dos`
  extension as appropriate. ([#723], [!1740])
- Added conversion functions and initial persistence support for
  introduction point keys. ([!1756])
- Start work on introduction point persistence. ([!1755], [!1765]).
- Make a `Builder` type for key managers. ([#1114], [!1760])
- Revert to our intended configuration format for onion service proxy rules.
  ([#1058], [!1771])
- Resolve miscellaneous "TODO" items throughout the onion service
  code. ([#1066], [!1728], [!1731], [!1732], [!1742])

### Client features

- Backend and API code for the "ntor-v3" circuit-extension handshake.
  This handshake adds the ability to send additional options
  from the client to the relay when creating or extending a circuit,
  and will eventually be used to negotiate protocol features like
  RTT-based congestion control and UDP-over-Tor support.
  ([!1720], [!1739])

### Testing

- Simplify the usage of time-simulating mock runtimes.
  ([ee96e5e454ba5db2])
- Use time-simulating mock runtimes in more circuit-manager tests, to
  make them more reliable. ([#1090], [!1727])
- Add a `spawn_join` method to mock runtimes, to simplify
  tests. ([!1746])
- Prototype a "testing temp dir" facitility to ensure that temporary
  directories used in tests can be persistent if desired, and that
  they live for long enough. ([!1762])

### Cleanups, minor features, and bugfixes

- Fix various warnings from Clippy. ([!1719])
- Solve a bug that prevented `Conversation::send_message` from working.
  ([#1085], [!1726])
- Upgrade to version 4 of the `clap` option-parsing library.
  ([!1735])
- New backend to generate rate limited problem reports without
  spamming the logs.  ([#1076], [!1734], [!1752])
- Correct our decisions about sending Content-Length on HTTP
  requests. Previously we had sent it unconditionally. ([#1024],
  [!1671])
- Add directory-listing and file-deletion support to
  `fs-mistrust::CheckedDir`. ([#1117], [!1759])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Andrew, Jim Newsome, rdbo, Saksham Mittal, and
Trinity Pointard.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!

# Arti 1.1.10 — 31 October 2023

Arti 1.1.10 continues work on support for onion services in Arti.
At last, we can (technically) run as an onion service... though
not yet in a useful way. (Onion services don't yet recover correctly
after a restart, outdated keys are not removed,
and we are missing other important security features.)

### Breaking changes in lower-level crates

- The [`IoErrorExt`] trait in [`tor-basic-utils`] is now
  sealed. ([!1654])
- The [`Requestable`] trait in [`tor-dirclient`] is now sealed,
  and most of its members are now private. ([!1679])
- In [`tor-cell`], stream and circuit IDs are now inherently non-zero.
  To represent an ID that might be zero on the wire, we now use
  `Option<StreamId>` or `Option<CircId>`. ([#1080], [!1697])
- In [`tor-cell`], `CREATE2` handshake types are no longer raw
  `u16` values. ([!1703])
- In [`tor-cert`], `encode_and_sign` now returns an
  `Ed25519EncodedCert` rather than a raw `Vec<u8>`. ([!1702])

### Onion service development

- The `arti` binary can now be configured to invoke the code that
  launch onion services, and the code that proxies them to local
  ports. ([!1644])
- Configuration support for onion services, and for the `rproxy`
  facility that directs incoming onion service connections to local
  services. ([!1638], [!1640])
- The introduction points are now exposed by the code that manages
  them to the code that publishes onion service descriptors. ([!1636],
  [!1645])
- Implement reconfiguration support in the lower level onion service
  code. ([!1651])
- Temporarily changed the configuration format for onion service ports
  to work around [a bug in `config-rs`]. ([21605d2c9e601c3a])
- As-yet-unused code to build a list of authorized clients. ([#1051],
  [!1642])
- Auto-generate missing keys rather than failing when we are
  about to publish. ([!1688])
- Log onion service Ids when they are created, so we can test them.
  ([!1689])
- Move responsibility for generating descriptor signing key certificates
  into `tor-hsservice` from `tor-netdoc`; refactor accordingly.
  ([!1702])
- Resolve a number of pending "TODO" items in [`tor-proto`] affecting
  the onion service implementation. ([!1658])
- Resolve a number of pending "TODO" items in [`tor-dirclient`] affecting
  the onion service implementation. ([!1675])
- Sort introduction point lists by ntor public key before publication,
  to avoid leaking information. ([#1039], [!1674])
- Numerous bugfixes, cleanups, and backfills found during testing and
  integrating the pieces of the onion service
  implementation. ([!1634], [!1637], [!1659], [!1673], [!1682],
  [!1684], [!1686], [!1695], [!1711])


### Client features

- Arti can now be configured to listen for connections on multiple arbitrary
  addresses—not just `localhost`. ([!1613])

### Key manager

- The key manager code now has improved support for generating
  keypairs, keys with derived data, and other structures needed for
  onion services. ([!1653])
- The key manager now encodes whether a key is private or public in its
  file extension. ([!1672])
- The key manager now disallows path components that could lead
  (under some programming errors) to directory traversal. ([!1661])
- We can now list keys by path and type; this is important so that
  we can identify disused keys and eventually expire them. ([!1677])

### Documentation and examples

- Correct our example for how to connect to onion services. ([!1653])
- Update download location in `download-manager` example.
  ([!1691])

### Infrastructure

- Our release scripts and processes are now more robust against
  several kinds of mistake that have frustrated previous releases,
  including crates that change only when their dependencies get new
  versions, accidental inclusion of wildcard dependencies, and
  dependencies on unpublished crates.  ([!1646])
- Clean up use of `after_script` in our CI to behave more sensibly
  ([#1061], [!1663])


### Testing

- Even-more-improved support for tests that depend on a simulated view
  of the passage of time. ([!1639], [!1650])

### Cleanups, minor features, and bugfixes

- Refactored the key derivation code for relay cryptography. ([!1629])
- Work around [a bug in `FusedFuture for oneshot::Receiver`] that made
  it dangerous to `select!` on a `oneshot::Receiver` to detect if the
  sender is dropped.  ([#1059], [!1656], [futures-rs#2455](https://github.com/rust-lang/futures-rs/issues/2455))
- Fix handling for escape sequences when talking to a
  pluggable transport. ([!1584])
- Major refactoring and simplifications on the explicit closing of
  pending incoming streams, to prevent double-close bugs and related
  panics. ([#1065], [!1678], [!1681])
- Refactor implementation of ISO-8601 time parsing in descriptors.
  ([#751], [!1693])
- Renamed the function in `tor-hsclient` to launch a circuit to an
  onion service to be less confusing. The old name remains but is
  deprecated. ([#1078], [!1700])
- Do not advertise or accept non-required compression encodings
  when making anonymized requests to an onion service directory:
  to do so is a fingerprinting vector.
  ([#1062], [cfe641613e6b6f4f])
- Use the new typed handshake-type codes when building onion service
  descriptors.  ([!1712])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Emil Engler, gil, halcyon, Jani Monoses, Jim Newsome,
LowLandMink543, Neel Chauhan, and Trinity Pointard!

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.1.9 — 2 October 2023

Arti 1.1.9 continues work on support for onion services in arti.
The pieces are now (mostly) connected; the next month of development
will see extensive testing, bugfixing, and refinement.

### Breaking changes in lower-level crates

- In `tor-hsclient` and `tor-netdoc`'s APIs, secret authentication
  keys are now handled as `HsClientDescKeypair`, rather than as
  individual keys.
- In `tor-circmgr`, the `NoExit` error now includes a possible country
  code.
- In `tor-ptmgr`, `ClientTransportGaveError` have been renamed to
  `TransportGaveError`.

### Onion service development

- The onion service descriptor publisher is now in conformance with
  our spec with respect to how it handles time periods.  ([!1564])
- The descriptor publisher now runs in parallel, so that a blocked
  upload doesn't prevent successful uploads from succeeding. ([!1580])
- The descriptor publisher now includes correct retry and timing
  logic. ([!1592], [!1623])
- The introduction point manager code is now able to integrate with
  the descriptor publisher. ([!1575], [!1576], [!1577] [!1578], [!1603])
- The descriptor publisher code is now integrated with the key
  management system. ([#1042], [!1615])
- The introduction point manager is now integrated with the code that
  accepts user requests via introduction points. ([!1597], [!1598])
- The code responsible for selecting and maintaining introduction
  points is now more robust in the presence of relay selection
  failure. ([!1585])
- We now have a `tor-hsrproxy` crate, to handle running an onion
  service that directs incoming connections to local ports.  Users
  will need this if they want their onion services to run in a
  separate process and not use Rust. ([01f954d3782df57a], [!1622])
- Added configuration logic for onion services. ([!1557], [!1599],
  [!1605], [!1611])
- The `downgrade_dependencies` script now honors the `$CARGO` variable.
  ([!1596])
- We now use a keypair type for `hs_ntor` secret keys. ([#1030],
  [!1590])
- There is now a set of (not working yet!) APIs to actually launch and
  run onion services, by invoking the necessary pieces of the backend,
  and pass requests back to the caller ([!1604], [!1608], [!1610],
  [!1616], [!1620], [!1625])


### Client features

- We now have an experimental feature to select exits by country, with
  geoip support. It is Rust-only, and not yet exposed via a
  configuration option. ([!1537])
- When contacting an onion service, we now pad our `INTRODUCE2`
  message payload to a uniform size in order to conceal what kind of
  data and extensions it contains.  ([#1031], [!1602])

### Documentation and examples

- We've merged several example programs from Saksham Mittal's
  project for this year's [Google Summer of Code].  They include a
  downloading tool, a relay checker, and obfs4 checker, a
  tool to lookup DNS over tor, and a program to run a proxy over
  a pluggable transport. You can find them in `examples/gsoc2023`.
  ([!1574])
- Documentation fixes around our description of
  `localhost_port_legacy`.  ([!1588])

### Infrastructure

- Our version-bumping script now allows options to be applied to
  "$CARGO". ([!1573])
- Our CI scripts now use `cargo install --locked` to avoid
  certain compatibility issues in our tools and their dependencies.
  ([!1587])
- The `ArtiPath` types recognized by the key manager are now better
  documented. ([!1586])


### Testing

- New tests for our `tor-ptmgr` string-escaping logic. ([!1579])
- Our runtime mock code now displays more and better information about
  when and where tasks are sleeping. ([!1591], [!1595])

### Cleanups, minor features, and bugfixes

- Refactoring and API revisions to our experimental backend support
  for launching pluggable transports in server mode. ([!1581])
- Our low-level cryptographic wrappers now have a type to represent
  x25519 (Montgomery) keypairs.  Several internal APIs have adapted
  accordingly. ([!1617])
- The key manager system now supports public keys, for cases where the
  secret key is kept offline. ([!1618])
- The key manager system now supports expanded ed25519 keypairs, so that
  it can represent blinded onion identity keys. ([!1619])
- Cleanups to encryption logic in `tor-proto`. ([!1627])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Emil Engler and Saksham Mittal!

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!

[#1030]: https://gitlab.torproject.org/tpo/core/arti/-/issues/1030
[#1031]: https://gitlab.torproject.org/tpo/core/arti/-/issues/1031
[#1042]: https://gitlab.torproject.org/tpo/core/arti/-/issues/1042
[01f954d3782df57a]: https://gitlab.torproject.org/tpo/core/arti/-/commit/01f954d3782df57a4ac1d2cd1d323584ccaaac76
[Google Summer of Code]: https://summerofcode.withgoogle.com/
[Zcash Community Grants]: https://zcashcommunitygrants.org/
[other sponsors]: https://www.torproject.org/about/sponsors/



# Arti 1.1.8 — 5 September 2023

Arti 1.1.8 continues work on support for onion services in arti.  It includes
backend support for nearly all of the functionality needed to launch
and publish an onion service and accept incoming requests from onion
service clients.  This functionality is not yet usable, however: we
still need to connect it all together, test and debug it, and provide
high-level APIs to allow the user to actually turn it on.

### Major bugfixes

- Do not allow the user to set `bridges = true` without having
  configured any bridges.  Previously, this configuration was
  possible, and it caused arti to connect without using any
  bridges. This is tracked as [TROVE-2023-002]. ([#1000], [!1481]).

### Breaking changes in lower-level crates

- In `tor-dirclient`, `Requestable::make_request` now returns
  `Request<String>`. ([cd6c4674dc560d9c1dc3])
- In `tor-ptclient`, `PtParameters` been split, and
  `PluggableTransport` has become a trait. ([bbed17ba4a44a4690ad6])
- Additionally, many unstable APIs (marked with the `experimental-api`
  feature and similar) and APIs in unstable crates (like
  `tor-hsservice` and `tor-keymgr`) have changed.

### Onion service development

- We began laying more groundwork for onion services, with a set of
  low-level API designs, algorithm designs, and data
  structures. ([#970], [#971], [#972], [!1452], [!1444], [!1541])
- Fuzzing support and significant speed improvements to the (still
  unused) [HashX]-based proof-of-work code. ([!1446], [!1462],
  [!1459], [!1513], [!1524], [!1529], [!1538], [!1539], [!1555])
- Added low-level support in [`tor-proto`] for accepting incoming data
  streams on a circuit. Onion services will use this to accept `BEGIN`
  messages. ([#864], [#994], [#998], [#1009], [!1451], [!1474], [!1475],
  [!1476], [!1477], [!1484], [!1519])
- Keystore directory configuration is now derived from the configured
  state directory when using `TorClientConfigBuilder::from_directories`.
  ([#988], [!1498])
- Expose the `KH` circuit-binding material, as needed for the
  rendezvous handshake. ([#993], [!1472])
- Backend code to establish an introduction point, keep it
  established, and watch for `INTRODUCE2` messages. ([!1510], [!1511],
  [!1516], [!1517], [!1522], [!1540])
- Backend code to decode an `INTRODUCE2` message, complete the
  necessary cryptographic handshakes, open a circuit to the client's
  chosen rendezvous point, establish a shared virtual hop, and receive
  `BEGIN` messages. ([#980], [#1013], [!1512], [!1520], [!1521],
  [!1536], [!1547])
- Taught the `tor-dirclient` crate how to upload onion service
  descriptors. ([!1505])
- Revise and debug logic for locating items the HsDir ring when
  publishing. ([#960], [!1494], [!1518])
- Refactor onion service error handling. ([!1515])
- Backend code to select introduction points and keep track of which ones
  are running correctly. ([!1523], [!1549], [!1550], [!1559])
- Refactor HsDesc parsing code to remove `inner::IntroPointDesc`. ([!1528])
- Initial backend code to regenerate and publish onion service descriptors
  as needed. ([#977], [!1545])

### Documentation

- Fix documentation about the [`OnionAddressDisabled`] error: it was
  missing a "not".  ([!1467])
- Correct details about upcoming milestones in our [top-level `README.md`].
  ([!1471])

### Infrastructure

- New release script to bump the patchlevel of a crate without
  treating it as a dependency change. ([#945], [!1461])
- New script to make sure that all checked-in `Cargo.lock` files
  are correct. ([!1468])
- Usability improvements to our coverage script. ([!1485])
- In CI, verify that our scripts are using `/usr/bin/env` to find their
  interpreters in the proper locations. ([!1489], [!1490])

### Testing

- Improve test coverage for the `tor-cert` crate. ([!1495], [!1496],
  [!1497])
- Improve test coverage for the `tor-proto` crate. ([!1501])

### Cleanups, minor features, and smaller bugfixes

- Improved error handling when a `[[bridges.transports]]` section does
  not include any required pluggable transport. ([#880], [!1229])
- Key manager APIs are now less tied to the SSH key format, and no
  longer require that x25519 keys be stored as ed25519 keys. ([#936],
  [#965], [!1464], [!1508])
- Downgrade lints for built-in warnings to "warn". Previously two of
  them (`missing_docs`, `unreachable_pub`) were set to "deny", which
  had a risk of breaking compilation in the future. ([#951], [!1470])
- Expose the `HopNum` type from `tor-proto`, to help avoid off-by-one
  errors. ([eee3bb8822dd22a4], [#996], [!1548])
- Deprecate and replace `ClientCirc::start_conversation_last_hop` with a new
  [`start_conversation`] function that can target any hop. ([#959], [!1469])
- New functions in `tor-proto` to wait for a channel or a circuit
  to shut down. ([!1473])
- Improved error messages and behaviors when we can't decide where to
  look for our configuration files. ([!1478], [!1479], [!1480])
- Deprecated and renamed `download` in `tor-dirclent` to
  `send_request`. ([9a08f04a7698ae23])
- Deprecate [`DropNotifyEofSignallable::is_eof`]. ([f4dfc146948d491c])
- New [`ClientCirc::send_raw_msg`] function for cases where we want
  to send a message without starting a conversation. ([#1010], [!1525])
- Experimental backend support for launching pluggable transports in server
  mode, for testing and example code. ([!1504])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Emil Engler, Jim Newsome, Micah Elizabeth Scott, Saksham Mittal,
and Trinity Pointard.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.1.7 — 1 August 2023

Arti 1.1.7 focuses on maintenance, bugfixing, and cleanups to earlier
releases.  It also lays groundwork for being able to run as an onion
service.

### Major bugfixes

- We now build with onion service client support by default.  It is
  still not enabled by default, but you no longer need any special
  _compile-time_ options in order to be able to use it. ([#948],
  [!1382])
- Fix an over-strict parsing behavior that had prevented Arti
  from connecting to onion services whose descriptors were
  encoded by Stem. ([#952], [!1389])
- We've fixed a bug where we incorrectly marked bridges as having
  directory information where they did not, and tried to build
  circuits through them without fetching descriptors. ([#638],
  [!1408])
- Fix a deadlock in [`TorClient::reconfigure()`]. ([!1432])

### Breaking changes in lower-level crates

- The [`Conversation`] API has been built as a replacement for the old
  "control message" API on circuits, to better support the needs of
  onion services. ([#917], [!1367], [!1402])
- The `tor-config` crate no longer exposes `ItemOrBool`, which was
  not used. ([5b97b0b2ce31b3db])
- The [`RetryError`] type now requires that its members implement
  `AsRef<dyn Error>`. ([36b9d11ecb122e1e])
- The error type of [`tor_hsclient::ConnError::Failed`] has changed.
  ([36b9d11ecb122e1e])

### Onion service development

- Continued improvements to our key manager infrastructure. ([#903], [#937],
  [#939] [#954], [!1372], [!1398], [!1399], [!1404], [!1413], [!1421], [!1433])
- Design work and API backend designs for implementing the service
  side of onion services. ([!1422], [!1429])
- Rust implementations of the [HashX] ASIC-resistant hash function and
  the related [EquiX] proof-of-work function, for eventual use
  in protecting onion services from denial-of-service attacks.
  Note that for now, the license on these crates is "LGPL-3.0-only";
  we hope to relicense under "MIT OR Apache-2.0" if the author
  of the C version of this code approves.
  ([#889], [!1368])

### Documentation

- Improved documentation for how Arti is validated and released.
  ([#942], [!1366])
- Improvement to bridge and transport-related documentation.
  ([#706], [!1370])
- Add documentation to explain how to build an `arti` binary that
  will not include build path details. ([#957], [!1435])

### Infrastructure

- Our [Shadow] CI tests now include support for onion service clients.
  ([!1292])
- Our Runtime logic now has much improved support for test cases that
  need to handle time and waiting, and more consistently generated
  mock implementations.  This has enabled us to clean up various unit
  tests. ([!1375], [!1378], [!1381])
- Fix a compatibility issue that had been preventing our Chutney CI
  tests from passing. ([c98894cebc60e223], [!1391], [!1393])

### Logging improvements

- We now ensure that all panics from `arti` are sent to our logs.
  Formerly, they were only reported on stderr.  ([#921], [!1377])
- Our logfile messages now have a configurable granularity, to avoid
  logging excessive detail that could help with traffic analysis
  attacks.  The default is one second granularity, and can be
  overridden with the `logging.time_granularity` option.  Note that
  this granularity does not apply to systems like `journald` that have
  their own ideas about how to record messages. ([#551], [!1376])
- When logging errors, we now check whether the type of the error
  indicates a bug.  If it does, we always escalate the logging
  severity to "warn" or higher.  ([!1379], [!1383], [!1386], [!1390])
- When reporting errors caused by the failure of multiple retry
  attempts, we take more care to report the source failure
  causes. ([#958], [!1416])

### Cleanups, minor features, and smaller bugfixes

- Rename some mocking-related functions to avoid accidental
  infinite-recursion bugs. ([!1365])
- Fix or disable a series of new warnings from Clippy. ([!1369],
  [!1394], [!1395], [!1396])
- Our (not yet used) GeoIP code now encodes country codes
  as two _nonzero_ bytes, which enables the [niche optimization].
  ([!1384])
- Our (not yet used) GeoIP code now treats zero-values ASNs
  as indicating an unknown ASN, for compatibility with the format
  used by the C tor implementation. ([#961], [!1417])
- We now try to avoid using [`Rng::gen_range()`], due to the
  possibility of panics.  We have instead added a
  `gen_range_checked()` and a `gen_range_infallible()` call. ([#920], [!1385],
  [!1387])
- The `ChanMgr` API now exposes a function to build unmanaged channels,
  in order to support external code that wants to build
  channels that are not managed by or shared with the rest of
  Arti. ([!1374], [!1403], [!1406])
- The [`NetDir`] API now has optional support for recording the
  associated country codes of its relays. ([!1364])
- Bridges no longer contain addresses twice. This prevents us from
  making unnecessary connections. ([!1409])
- In [`fs-mistrust`], we now detect several kinds of errors related
  to failed user or group lookup. ([cdafa2ce0191f612])
- We have migrated our Unix user info lookups from the
  no-longer-maintained `users` crate to the new [`pwd-grp`]
  crate. ([#877], [!1410])
- Add accessors for several bridge-related config builder types.
  ([!1425], [!1426])
- Refactor handling of initial `CREATE` cells when opening a circuit,
  to clean up our reactor loop logic a bit. ([!1441])

### Removed features

- We no longer publish the crate `arti-bench` to crates.io.  It has no
  use outside of development.  ([!1371])
- We no longer publish our as-yet-unused `tor-events` and
  `tor-congestion` crates to crates.io.  They aren't used in the rest
  of Arti yet. ([!1371])
- We no longer validate our code with Clippy's `missing_panics_doc`
  lint, since it has begun to warn about all use of `expect()`
  in nightly. ([#950], [!1380])

### Acknowledgments


Thanks to everybody who's contributed to this release, including
Alexander Færøy, Dimitris Apostolou, Jim Newsome, juga, Kunal Mehta,
Micah Elizabeth Scott, Saksham Mittal, sw1tch, and Trinity Pointard.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.1.6 — 30 June 2023

Arti 1.1.6 completes the core of the work needed for a client
to connect to onion services on the Tor network.  This is not yet
enabled by default: we do not yet recommend using this feature for
security-sensitive purposes, because of some
[missing security features][#98].
Instructions for enabling it and trying it out can be found in the
[README.md] file.
(Note that version 1.1.6 also requires a non-default cargo feature to
be enabled: you must build with `--features=arti/onion-service-client`.)

Additionally, this version includes an experimental key manager
implementation. Currently it's used to store the keys needed for
client authentication, but in the future it will store the keys for
onion services themselves, and eventually relays.  In this release it
is still missing some import functionality for interoperability;
the interface is likely to change significantly.

Work on our RPC subsystem has also continued; we have achieved several
prerequisites needed for applications' SOCKS connections to
integrate correctly with the RPC subsystem.

And as usual, there are a large number of smaller fixes and improvements
throughout the codebase.

### Major bugfixes

- Downgrade our dependency on x25519-dalek from "2.0.0-rc.2" to
  "2.0.0-pre.1".  The former had a compatibility bug that made it stop
  working once a newer version of `curve25519-dalek` was released.  We
  hope to [re-upgrade] to a more recent version of this crate in a
  future release. ([#926], [!1317])

### Breaking changes in lower-level crates

- We have removed an empty `relaycell::restrict` module from the
  `tor-cell` crate.  This module was added in error.  This change will
  break any code that (pointlessly) tried to import
  it. ([589fefd581e962a7])

### Onion service development

- Implement the core logic of an onion service client.  Having fetched a
  descriptor for an onion service, we now establish a rendezvous
  circuit, and try to send INTRODUCE1 requests to the service's
  introduction points, while waiting for a RENDEZVOUS2 message in
  response on the rendezvous circuit. Once the message is received, we
  can launch streams to the service over that circuit. ([!1228],
  [!1230], [!1235], [!1238], [!1240])
- Re-launch and retry onion service connection attempts as
  appropriate. ([!1246])
- Onion service descriptors now have accessor functions to enable their
  actual use. ([!1220])
- We can transform the information about relays used in onion service
  descriptors, and in introduce1 cells, into the format needed to connect
  to the relay described. ([!1221])
- Generate random rendezvous cookies to identify circuits at a client's
  rendezvous point. ([!1227])
- Ensure that specific information about onion services, rendezvous
  points, and introduction points are treated as sensitive or redacted
  in our error messages. ([!1326], [!1335])
- Reduce the cost of duplicating HsDir rings in our network
  objects. ([#883], [!1234])
- Refactor and simplify our `hs_ntor` APIs to better reuse state
  information. ([bb6115103aad177c])
- Return a more informative error type from our time-period manipulation
  code. ([!1244])
- Remember our introduction point experiences, and try to use known-good
  ones before ones that have failed recently. ([!1247], [!1295])
- We now adjust the size of our pre-constructed circuit pool dynamically
  based on past demand for onion-service circuits (or lack
  thereof). ([686d5cf2093322e4])
- Speed improvements to the algorithm we use to select pre-constructed
  circuits for onion services, and correctness fixes to those speed
  improvements. ([1691c353924f89cc], [#918], [!1296], [!1301])
- The `StreamPrefs::connect_to_onion_services` method now can be used to
  enable or disable onion service connections, and TorClients can handle
  onion services correctly. ([!1257])
- Provide the extended SOCKS5 error codes as documented in
  [proposal 304]. ([#736], [!1248], [!1279])
- Drop introduction circuits after they are no longer needed. ([!1299],
  [!1303])
- Expire long-unused onion service circuits. ([!1287], [!1302])
- Expire long-unused onion service descriptors. ([!1290])
- Provide a higher-level HsDescError to explain what, exactly, has gone
  wrong with parsing or decrypting an onion service
  descriptor. ([!1289])
- Respect the maximum onion service descriptor size in the consensus and
  change the default maximum from 50 KiB to 50 KB per the specification.
  ([!1323])
- Go through all of our remaining "TODO HS" comments and make sure that
  they are not issues that should block a release. ([#892], [#928], etc)
- We support enabling or disabling onion service connections via a new
  `allow_onion_addrs` option, and configuring these connections through
  other parameters. ([!1305])
- Ensure that our directory ring parameters are taken from the consensus
  parameters, rather than set unconditionally to defaults. ([!1310])
- Enforce upper bounds on the number of introduction points in an
  onion service descriptor. ([!1332])
- Use correct circuit parameters when creating onion service circuits.
  ([#935], [!1340])
- Use more accurate timeout predictions for building and using onion
  service circuits. ([!1342])


### RPC development

- Our RPC engine now supports holds a list of SOCKS connections,
  so that applications can register their SOCKS connections with their
  RPC sessions. ([545984b095119ecc])
- `TorClient`s, and similar RPC-visible, can now be exposed with a
  secure global identifier so applications can refer to them outside of
  an RPC session. This will allow applications to name a `TorClient` from
  e.g. within the parameters of a SOCKS connection. ([#863], [!1208])
- Enable `rpc::Object`s to be downcast to (some of) the `&dyn Trait`s
  that they implement. This is in tension with some of Rust's current
  limitations, but we need it so that we can downcast a `TorClient` from
  an `Object` into a type we can use in the SOCKS code for opening a
  data stream. ([!1225], [!1253])
- Major refactoring to our RPC session initialization code. ([!1254])

### New crates

- New `tor-keymgr` crate to handle persistent cryptographic keys that
  can be stored to disk. In the future this will be used for all client,
  service, and relay keys. ([!1223], [!1255], [!1256], [!1263], [!1267],
  [!1269], [!1278], [!1280], [!1284], [!1319], [!1321], [!1315],
  [!1321], [!1328], [!1337], etc.)
- New `tor-geoip` crate to handle a static in-binary or on-disk
  IP-to-country lookup table. We will use this in the future to support
  country restrictions on selected paths through the network. ([!1239],
  [!1268])

### Documentation

- Clarify behavior of `ClientCirc::send_control_message`. ([#885],
  [!1219], [58babcb756f6427c])
- Clarify required behavior for `NetDocProvider`. ([!1224])
- More information about how to configure snowflake and other pluggable
  transports. ([#875], [#879], [!1216], [!1249])
- New examples and documentation for how to implement error
  reporting. ([!1213])
- Clarify some error cases for onion service descriptor
  validation. ([!1250], [!1252])
- Improve documentation on the channel and circuit lifecycle. ([!1316],
  [!1318])
- Clarify descriptions in `NetDir`'s documentation of what we mean by
  a "usable" Relay. ([a902f320b5b31812])

### Infrastructure

- For now we ignore an "unmaintained crate" warning for the [`users`] crate
  while we work on [finding a replacement][#877]. ([!1217])
- Our CI now tests each crate individually with its default
  features. This helps detect bugs where a crate was only working
  because it had been built with the features required of it by another
  crate. ([!1250])
- We now supplement our existing system for tracking semver-breaking
  issues with the [`cargo-semver-checks`] tool. We require version
  0.22.1 or later. ([!1339])

### Cleanups, minor features, and smaller bugfixes

- We no longer use the [`arrayref`] crate to convert slice-references
  into array references.  In recent versions of Rust, we can simply use
  TryFrom and const generics. ([#872], [!1214])
- Our consensus directory objects now expose accessors that list
  required and recommended protocol versions.  ([205b6d176c4a619b])
- The `tor-error` crate now exposes a convenience macro to derive
  `AsRef<dyn Error>` for our specific error types. ([33c90e5b7243c3b3])
- The formerly experimental `send_control_message` API now takes an
  `AnyRelayMsg` rather than a cell, as does its associated `MsgHandler`
  API. ([#881], [#887], [!1232], [!1236])
- Backend code to more readily display and redact relay
  identities. ([#882], [!1233]).
- `tor-proto` no longer gives an error when trying to use `SENDME`
  messages with a relay digest algorithm with an output length of other
  than 20.  ([!1242])
- `tor-llcrypto` now exposes a method to try to look up an element from
  a slice in constant time. ([25db56777c0042a9])
- Apply two now-universally-available clippy lints to all of our crates.
  ([!1271])
- Add experimental API to expose a `chanmgr` method from
  `TorClient`. ([!1275])
- The `ClientCirc::path_ref()` method now returns an `Arc<Path>` type,
  which can be used to find information about a circuit's path without
  extensive copying.  The old `path()` method still exists, but is
  deprecated. ([#787], [!1286])
- `CircMgr` now exposes its estimates for good timeouts for circuit
  operations. ([!1281].)
- Fix a compilation warning on Windows. ([!1294])
- Make sure DirProviderBuilder is `Send + Sync`, so that
  TorClientBuilder is always `Send + Sync`. ([#924], [!1307])
- Implement conversion from ed25519 private keys to curve25519 private
  keys, as part of our eventual compatibility with ssh's key storage
  format. ([!1297])
- Numerous improvements and fixes to our configuration handling tests.
  ([!1320], [!1330])
- Refactor some duplicate logic in our circuit-retention code. ([!1322])
- Experimentally expose some of `NetDir`'s information about whether
  a relay is in the consensus (independent of whether we have full
  information about it). ([!1325])


### Removed features

- We no longer support ancient (pre-0.3.6) versions of Tor without
  support for authenticated SENDME messages. ([#914], [!1283])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Andy, Jim Newsome, nate\_d1azzz, pinkforest,
Saksham Mittal, and Trinity Pointard.

Also, our deep thanks to [Zcash Community Grants] for funding the
development of Arti!



# Arti 1.1.5 — 1 June 2023

Arti 1.1.5 fixes a local-only denial-of-service attack, and continues
our work towards support for providing a working RPC mechanism and an
onion service client.

### Major bugfixes (service)

- Fix a local-only CPU denial-of-service bug. Previously, an attacker
  with access to our SOCKS port (only open by default on localhost)
  could cause Arti to loop forever, consuming CPU. This issue was
  discovered by Jakob Lell. This is also tracked as
  TROVE-2023-001. ([#861], [!1196])

### Breaking changes in lower-level crates

- In [`tor-netdoc`], the `ParseErrorKind` and `ParseErrorSource` types
  have been renamed to `NetdocErrorKind` and `NetdocErrorSource`
  respectively, to better reflect their meaning. ([!1176], [!1179])
- In [`tor-linkspec`] and [`tor-cell`], we have renamed
  `UnparsedLinkSpec` to `EncodedLinkSpec` to correctly reflect its
  purpose. ([02785ca6505572bd])
- In [`tor-cell`], the `Extend2` message now takes a list of `EncodedLinkSpec`.
  ([7ce808b75bb500f2])
- In [`tor-linkspec`], `CircTarget::linkspecs()` now returns an encoded
  list instead of a `Vec` of unencoded link specifiers. This is needed
  for passing linkspecs verbatim in the onion service
  implementation. ([7ce808b75bb500f2])
- `ClientCirc` no longer implements `Clone`.  In various crates,
  functions that used to return `ClientCirc` now return
  `Arc<ClientCirc>`.  This allows us to be more explicit about how
  circuits are shared, and to make circuits visible to our RPC
  code. ([#846], [!1187])

### Onion service development

- Improved API for parsing onion service descriptors. ([#809], [!1152])
- More APIs for deriving onion service keys from one another.
  ([18cb1671c4135b3d])
- Parse onion service descriptors after receiving them. ([!1153])
- When fetching an onion service descriptor, choose the HS
  directory server at random. ([!1155])
- Refactoring and improvements to our handling for sets of link
  specifiers (components of a Tor relay's address) in order to support
  lists of link specifiers that we receive as part of an INTRODUCE2
  message or onion service descriptor. ([#794], [!1177])
- Code to enforce rules about consistency of link specifier lists.
  ([#855], [!1186])
- Correctly handle onion service descriptor lifetimes, and introduce
  necessary helper functions to handle overlapping sets of lifetime
  bounds. ([!1154])
- Additional design and specification about a key management system.
  ([!1185])
- Finish, refactor, debug, and test the hs-ntor handshake used to
  negotiate keys with onion services ([#865], [!1189])
- Export the unencrypted portion of an INTRODUCE1 message as needed
  to implement the hs-ntor handshake. ([#866], [!1188])
- Add support for adding the "virtual" hop for an onion service
  rendezvous circuit based on a set of cryptographic material negotiated via
  the `hs-ntor` handshake. ([#726], [!1191])

### RPC development

- Improved description of our work-in-progress RPC API design.
  ([!1005])
- Expose an initial TorClient object to our RPC sessions.
  ([d7ab388faf96f53e])
- Implement object-handle management backend for RPC sessions,
  so that RPC commands can refer to objects by a capability-style
  ID that doesn't make objects visible to other sessions.
  This has required significant design refinement, and will likely
  need more in the future.
  ([#820], [#848], [!1160], [!1183], [!1200])
- Add an experimental `StreamCtrl` mechanism to allow code (like the RPC
  module) that does not own the read or write side of a data stream to
  nonetheless monitor and control the stream. ([#847], [!1198])

### Infrastructure

- Our license checking code now allows the MPL-2.0 license on an
  allow-list basis. ([#845], [e5fa42e1c7957db0])
- Our [`fixup-features`] script now works correctly to enforce our rules
  about the `full` feature (notably, that it must include all
  features not labelled as experimental or non-additive).
  ([!1180], [!1182])
- The script that generates our Acknowledgments section now
  looks at various Git trailers in order to better acknowledge bug reporters.
  ([!1194])
- Use the latest version of Shadow in our integration tests ([!1199])

### Cleanups, minor features, and smaller bugfixes

- Improved logging in directory manager code when deciding what to
  download and when to download it. ([#803], [!1163])
- Downgrade and clarify log messages about directory replacement time.
  ([#839])
- Revise and downgrade other directory-manager logs. ([#854], [!1172])
- When listing the features that are enabled, list static features
  correctly. ([!1169])
- Refactor the `check_key` function in `tor-cert` to provide a more
  reasonable API. ([#759], [!1184])
- Improve or downgrade certain verbose log messages in `tor-guardmgr`
  and `tor-proto`. ([!1190])
- Throughout our codebase, avoid the use of ed25519 secret keys without
  an accompanying public key. Instead, store the two as a
  keypair. (Using ed25519 secret keys alone creates the risk of using
  them with mismatched public keys, with
  [catastrophic cryptographic results].)  ([#798], [!1192])

### Network updates

- Update to the latest list of Tor fallback directories. ([!1210])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Jakob Lell, Jim Newsome, Saksham Mittal, and Trinity
Pointard.
Also, our deep thanks to [Zcash Community Grants] for funding the
development of Arti!

# Arti 1.1.4 — 3 May 2023

Arti 1.1.4 fixes a major bug in the directory downloading code that
could cause clients to stay stuck with an old version of the
directory.

Additionally, this version advances our efforts on onion services:
we have implementations for descriptor downloading, and a design for
improved key management.

For this month and the next, our efforts are divided between onion
services and work on a new RPC API (a successor to C Tor's "control
port") that will give applications a safe and powerful way to work
with Arti without having to write their code in Rust or link Arti as
a library (unless they want to).  We have an early version of this
protocol implemented, but it does not yet expose any useful
functionality.

Arti 1.1.4 also increases our MSRV (Minimum Supported Rust Version)
to Rust 1.65, in accordance with our [MSRV Policy], and renames a
few other inconsistently-named APIs.


### Major Bugfixes

- Download directories correctly in the case where we start with our cache
  containing all the microdescriptors from the previous directory.
  Previously, we had a bug where we only checked whether it was time
  to fetch a new consensus when we added a new microdescriptor from
  the network.  This bug could lead to Arti running for a while
  with an expired directory. ([#802] [!1126])

### Breaking changes

- We now require Rust 1.65 or later for all of our crates.
  This change is required so that we can work correctly with several
  of our dependencies, including the [`typetag`] crate which we
  will need for RPC. ([#815] [!1131] [!1137])
- In all crates, rename `*ProtocolFailed` errors to `*ProtocolViolation`.
  This is a more correct name, but does potentially break API users
  depending on the old versions. ([#804] [!1121] [!1132])


### Breaking changes in lower level crates

- Convert the DirClient request type for `RouterDesc`s into an enum,
  and remove its `push()` method.
  ([!1112])
- Rename `BridgeDescManager` to `BridgeDescMgr` for consistency
  with other type names. ([#805] (!1122))
- In `tor-async-utils`, rename `SinkExt` to `SinkPrepareExt`, since it is not
  actually an extension trait on all `Sink`s. ([5cd5e6a3f8431eab])

### Onion service development

- Added and refactored some APIs in `tor-netdir` to better support onion
  service HSDir rings. ([!1094])
- Clean up APIs for creating encrypted onion service descriptors. ([!1097])
- Support for downloading onion service descriptors on demand.  ([!1116]
  [!1118])
- Design an API and document on-disk behavior for a
  [key-management subsystem], to be used not
  only for onion services, but eventually for other kinds of keys. ([#834]
  [!1147])

### RPC/Embedding development

- New specification for our capabilities-based RPC meta-protocol in
  [`rpc-meta-draft`]. ([!1078] [!1107] [!1141])
- An incomplete work-in-progress implementation of our new RPC framework,
  with a capabilities-based JSON-encoded protocol that allows for
  RPC-visible methods to be implemented on objects throughout our
  codebase.  For now, it is off-by-default, and exposes nothing useful.
  ([!1092] [!1136] [!1144] [!1148])

### Documentation

- Better explain how to build our documentation. ([!1090])
- Explain that we explicitly support `--document-private-items`. ([!1090])
- Fix incorrect documentation of OSX configuration location. ([!1125])
- Document some second-order effects of our semver conformance. ([!1129])


### Cleanups, minor features, and minor bugfixes

- Improvements to [`TimerangeBound`] API. ([!1105])
- Fix builds with several combinations of features. ([#801] [!1106])
- Code to join an `AsyncRead` and `AsyncWrite` into a single object
  implementing both traits. ([!1115])
- Expose the `MiddleOnly` flag on router status objects, for tools that want
  it. ([#833] [!1145] [!1146])
- Only run doctest for `BridgesConfig` when the `pt-client` feature
  is enabled; otherwise it will fail. ([#843], [!1166])
- Refactoring in and around `RelayId`. ([!1156])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, juga, Neel Chauhan, tranna, and Trinity Pointard.
Also, our deep thanks to [Zcash Community Grants] for funding the
development of Arti!
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.6 2023/10/24 22:10:12 wiz Exp $
d3 1
a3 1
DISTNAME=	arti-arti-v1.3.0
@


1.7
log
@arti: minor cosmetic changes and comments
@
text
@d3 2
a4 3
PKGNAME=	arti-1.1.3
PKGREVISION=	1
DISTNAME=	arti-arti-v${PKGVERSION_NOREV}
d44 7
a58 1
# error: found a virtual manifest at `/usr/work/net/arti/work/arti-arti-v1.1.3/Cargo.toml` instead of a package manifest
d60 1
a60 3
	${INSTALL_PROGRAM} ${WRKSRC}/target/release/${PKGBASE} ${DESTDIR}${PREFIX}/bin

pre-install:
@


1.6
log
@*: bump for openssl 3
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.5 2023/04/28 16:58:42 nikita Exp $
a5 1
PKGVERSION=	1
a44 1
# TODO: how can we avoid this repetion for rust packages?
d53 1
a53 1
# TODO: as well as this...
@


1.5
log
@arti: update to version 1.1.3

Changelog:

# Arti 1.1.3 — 31 March 2023

Arti 1.1.3 continues our work on onion services.  We can now parse all
of the relevant message types, build circuits as needed to target
relays, build and sign onion service descriptors, and deliver onion service
requests to our `hsclient` code.

We've also solved a few annoying bugs, made our CI more bulletproof against
certain programming mistakes, and exposed a few APIs that had been missing
before elsewhere in our code.

### Major bugfixes

- Prevent a fatal error when finding a usable consensus in a read-only
  directory store. ([#779], [!1055])

### Breaking changes in lower level crates

- Moved futures-related utilities from `tor-basic-utils` to a new
  `tor-async-utils` crate. ([!1091])
- When the `expand-paths` Cargo feature is not enabled, we now reject
  paths in our configuration containing unescaped `$` and `~` strings.
  Previously we would treat them as literals, which would break
  when `expand-paths` was provided. ([#790], [!1069])

### Onion service development

- We now have working implementations for all of the message types that Tor
  uses to implement onion services. These are included in our fuzzing, and
  are cross-validated against the C Tor implementation. ([!1038], [!1043],
  [!1045], [!1052])
- Our onion service descriptor parsing code now validates the inner
  certificates embedded in the descriptors, for parity with C Tor's behavior.
  ([#744], [!1044])
- Refactor responsibility for HS circuit management out of `CircMgr`
  ([!1047])
- Revise APIs and outline implementations for the initial parts of a state
  manager and client implementation.  ([!1034], [!1086])
- Handle requests for `.onion` addresses by routing them to our onion service
  code.  (This code does not yet do anything useful.) ([!1060], [!1071],
  [!1098])
- Our circuit implementation now has APIs needed to send special-purpose
  messages and receive replies for them.  We'll use this to implement
  onion service handshakes outside of the `tor-proto` module. ([!1051])
- Implement functionality to pre-construct and launch circuits as needed for
  onion service directory, introduction, and rendezvous
  communications. ([#691], [!1065])
- Implement code to construct, encrypt, and sign onion service
  descriptors. ([#745], [!1070], [!1084])
- More work on usable APIs for HSDir ring. ([!1095])

### Infrastructure

- Add a new `check_env` script to detect whether the environment is set
  up correctly to build Arti. ([!1030])
- We have the beginnings of a `fixup-features` tool, to make sure that our
  "full" and "experimental" Cargo features behave in the way we expect,
  and eventually to enable us to use [`cargo-semver-checks`] on our
  non-experimental features only.  This tool is not yet ready for
  use; its semantics are subtly wrong. ([#771], [!1059])
- Our CI scripts now rejects merges containing the string
  "XX<!-- look, a squirrel -->XX";
  we use this string to indicate places where the code must be fixed
  before it can be merged. ([#782], [!1067])

### Testing

- More of our tests now specify times using [`humantime`] (rather than as
  a number of seconds since the Unix epoch). ([!1037])
- Our fuzzers now compile again.
  ([53e44b58f5fa0cfa], [!1063])

### Documentation

- New example code for building a `BridgeConfig` and launching a TorClient
  with bridges, without having a config file. ([#791], [!1074])


### Cleanups, minor features, and minor bugfixes

- Our `caret` macro now works correctly for uninhabited
  enumerations. ([841905948f913f73])
- Defend against possible misuse of [`tor_bytes::Reader::extract_n`].
  This wasn't a security hole, but could have become one in the
  future. ([!1053])
- Do not ask exits to resolve IP addresses: we already know the IP address
  for an IP address. ([!1057])
- Fix a bunch of new warnings from Rust 1.68. ([!1062])
- Expose builder for [`TransportConfigList`] as part of the public
  API. ([455a7a710917965f])
- Enforce use of blinded keys in places where they are required. ([!1081])
- Add accessors for the [`Blockage`] type, so other programs can
  ask what has gone wrong with the connection to the network. ([#800],
  [!1088]).


### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Dimitris Apostolou, Emil Engler, Saksham Mittal, and
Trinity Pointard. Also, our welcome to Gabi Moldovan as she joins
the team!

Also, our deep thanks to [Zcash Community Grants] for funding the
development of Arti!
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.4 2023/03/09 18:19:40 nikita Exp $
d4 1
@


1.4
log
@arti: make rc service use daemonize, fix it.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.3 2023/03/02 07:49:22 nikita Exp $
d3 1
a3 1
PKGNAME=	arti-1.1.2
@


1.3
log
@arti: update to version 1.1.2

ChangeLog:

Arti 1.1.2 — 28 February 2023

Arti 1.1.2 continues our work on onion services, and builds out more of the necessary infrastructure, focusing on backend support for the onion service directories.

We've also done a significant revision on our handling of incoming messages on circuits, to avoid a fair amount of unnecessary copying, and defer message parsing until we're certain that the message type would be acceptable in a given context. Doing this turned up several bugs, which are now fixed too.
Breaking changes in lower level crates

    The APIs for tor-cell have changed significantly, to help implement #525 and prepare for #690. This has no downstream implications outside of tor-proto.
    Our IntegerMinutes type no longer has an erroneous days() accessor. (This accessor did not work correctly, and actually returned a number of minutes!) (bb2ab7c2a3e0994bb43)
    The PartialNetDir::fill_from_previous_netdir() function has changed its argument types and semantics. (f69d7f96ac40dda5)

(Breaking changes in experimental APIs are not noted here.)
New features

    We now have the facility to give a helpful "error hint" in response to a given failure. Right now, we use this to improve the error message given for file-system permission errors, so that it suggests either changing the permissions on a directory, or suppressing the error. (#578, #579, !976, !994, !1018)
    When we log an error message from inside our code (at "info" or higher), we now make sure to log a full error report, including the cause of the error, its cause, and so on. (#680, !997)
    When receiving messages on channels, circuits, and streams, we now defer parsing those messages until we know whether their types are acceptable. This shrinks our attack surface, simplifies our code, and makes our protocol handling less error-prone. (#525, !1008, !1013, !1017)
    We now copy relay cell bodies much less than previously. (#7, ca3b33a1afc58b84)
    We have support for handling link specifier types verbatim, for cases when we need to use them to contact a rendezvous point or introduction point without checking them. (!1029)

Onion service development

    We can now parse onion service descriptors, including all encrypted layers, with support for descriptor-based client authentication. (#744, !999, !1015)
    Our network directory code now supports deriving the HsDir directory ring, to find out where onion service descriptors should be uploaded and downloaded. (#687, !1012)
    We've refactored our implementation of onion service message extensions into a single place, to save on code and avoid type confusion. (5521df0909ff7afa)
    Our internal onion-service Cargo features have been renamed to start with hs-*. We're still using onion-* as the prefix for our high-level onion-service features. ([#756], [!1033])

Infrastructure

    All our shell scripts now work when bash is somewhere other than /bin. (!990)
    Our check_doc_features script is now a little more reliable. (!1023)
    Our coverage tools now perform better checks to make sure they have all of their dependencies. (#776, !1025)

Cleanups, minor features, and bugfixes

    The internal data structures in tor-netdir now use the typed_index_collections crate to ensure that the indices for one list are not mis-used as indices into another. (!1004)
    We no longer reject authority certificates that contain an unrecognized keyword. (#752, 266c61f7213dbec7)
    Our tor-netdoc parsing code now requires the caller to specify handling for unrecognized keywords explicitly, to avoid future instances of bug #752. (!1006)
    Several internal APIs and patterns in tor-netdoc have been streamlined. (#760, !1016, !1021)
    Make extension-handling code in for onion service message decoding more generic, since we'll reuse it a lot. (!1020)
    We now kill off circuits under more circumstances when the other side of the circuit violates the protocol. (#769, #773, !1026)
    We now expire router descriptors as soon as any of their internal expiration times has elapsed. Previously, we expired them when all of their expiration times had elapsed, which is incorrect. (#772, !1022)
    We are much more careful than previous about validating the correctness of various message types on half-closed streams. Previously, we had separate implementations for message validation; now, we use a single object to check messages in both cases. (#744, !1026)
    We now treat a RESOLVED message as closing a half-closed resolve stream. Previously, we left the stream open. (!1026)

Thanks to everyone who has contributed to this release, including Dimitris Apostolou, Emil Engler, and Shady Katy.

Also, our deep thanks to Zcash Community Grants for funding the development of Arti!
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.2 2023/02/21 22:02:09 nikita Exp $
d5 1
d50 4
@


1.2
log
@arti: fix homepage
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.1 2023/02/21 20:53:12 nikita Exp $
d3 1
a3 1
PKGNAME=	arti-1.1.1
@


1.1
log
@net/arti: Import as arti version 1.1.1

Arti is a project to produce an embeddable, production-quality implementation
of the Tor anonymity protocols in the Rust programming language.

Arti is more flexible than the C tor implementation. Unlike the C tor, which
was designed as SOCKS proxy originally, and whose integration features were
later "bolted on", Arti is designed from the ground up to work as a modular,
embeddable library that other applications can use.

Current Status
Arti can connect to the Tor network, bootstrap a view of the Tor directory,
and make anonymized connections over the network. Now that Arti has reached
version 1.0.0, we believe it is suitable for actual use to anonymise
connections.

There are a number of areas (especially at the lower layers) where APIs
(especially internal APIs) are not stable, and are likely to change them.
Right now that includes the command line interface to the arti program.

And of course it's still very new so there are likely to be bugs.
@
text
@d1 1
a1 1
# $NetBSD$
d10 1
a10 1
HOMEPAGE=	https://arti.torproject.org/
@

