From 875de204e9d004b66b81203b6335b4abb7365202 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 14 Aug 2023 14:15:15 -0400 Subject: [PATCH] cargo_audit: Add an exception for RUSTSEC-2022-0093. This is the API deficiency in ed25519-dalek v1 that allows you to mismatch public and private keys, leading to a (fatal) double-signing attack. We have worked around this in our current design, so it's appropriate to suppress this warning for now. --- maint/cargo_audit | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/maint/cargo_audit b/maint/cargo_audit index 78af299da..43be51ec8 100755 --- a/maint/cargo_audit +++ b/maint/cargo_audit @@ -20,6 +20,14 @@ IGNORE=( # https://github.com/clap-rs/clap/pull/4249 # https://github.com/rust-cli/env_logger/pull/246 --ignore RUSTSEC-2021-0145 + # This is an API vulnerability in ed25519-dalek v1.x.x, to the + # extent that it does not force you to store private and public + # keys as a single keypair. + # + # We have desigend our APIs to work around this, and believe we + # are not affected. We should eventually upgrade to + # ed25519-dalek >= 2, however. + --ignore RUSTSEC-2022-0093 ) ${CARGO:-cargo} audit -D warnings "${IGNORE[@]}"
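Review bot: Typo in the new comment block: "desigend" should be "designed". Since this is a comment that justifies suppressing a security advisory, it would also help to follow the convention of the surrounding entries and cite the advisory URL (e.g. the rustsec.org page for RUSTSEC-2022-0093) and, ideally, a tracking issue for the planned move to ed25519-dalek >= 2, so that the `--ignore RUSTSEC-2022-0093` line does not outlive the workaround it depends on. A short pointer to where in the codebase the keypair is kept together (the design the comment says mitigates the mismatch) would make the "we are not affected" claim verifiable by a future reader of this script.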