Using `zeroize` here tells these crates that they should make
various structures zeroize-on-drop.
(This is not yet implemented in `aes` 0.8.1, but support has been
merged in the repository for `aes`, so it should go out in the next
release.)
No corresponding feature flag is needed to enable zeroize-on-drop
for `rsa` and `*25519-dalek` private keys.

Do _not_ bump the dependency versions on crates that have had no
changes since arti 0.0.5, since those crates do not depend on the
new APIs.
```
cargo set-version -p tor-basic-utils --bump patch
cargo set-version -p tor-llcrypto --bump patch
git restore crates/tor-checkable
git restore crates/tor-consdiff
git restore crates/tor-rtmock
```

This performs the transitive closure of the last operation:
everything that depends on a crate with a breaking change gets the
version which it depends on bumped.
```
cargo set-version -p tor-proto --bump minor
cargo set-version -p tor-netdoc --bump minor
cargo set-version -p arti-hyper --bump minor
cargo set-version -p arti-bench --bump minor
cargo set-version -p arti-testing --bump minor
cargo set-version -p tor-config --bump minor
```

This allows us to give better errors in the case where bootstrapping
succeeds at first, but fails thereafter for long enough to make our
directory expire.

Over the years we've found that most callers who want a netdir want
what C Tor calls a "reasonably live" network directory: One that is
not expired by too much, or too far in the future. But a few want a
_strictly_ live directory: one that says it is valid now, with no
tolerances. And a few want _any_ directory, no matter how expired
it is.
This commit adds new methods to NetDirProvider to provide these
directories. I think that most use cases will want to explicitly
think about what kind of directory they want, so I've made `netdir`
the simplest method. I might remove `timely_netdir` by the end of
this branch; see TODO comments.
Part of #518.

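The three kinds of directory request described in this commit (strictly live, reasonably live, any), as an added Rust example that is not arti's own code: a constructed `NetDir` with a validity window, a `Tolerance` for the reasonably-live case, and a selector that says *why* a directory was rejected instead of just returning nothing. The type names, field names and tolerance values are assumptions for this example.

```rust
use std::time::{Duration, SystemTime};

/// Validity window of a consensus document. A constructed stand-in for
/// arti's NetDir; the field names are assumptions, not arti's own types.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct NetDir {
    pub valid_after: SystemTime,
    pub valid_until: SystemTime,
}

/// Slack allowed by a "reasonably live" request. The values are
/// constructed for this example, not arti's configured tolerances.
#[derive(Debug, Clone, Copy)]
pub struct Tolerance {
    /// How far in the future `valid_after` may be (clock skew).
    pub pre_valid: Duration,
    /// How long past `valid_until` we keep using the directory
    /// (covers authorities failing to reach consensus for a while).
    pub post_valid: Duration,
}

/// The three kinds of directory a caller can ask for.
#[derive(Debug, Clone, Copy)]
pub enum Timeliness {
    Strict,
    Timely(Tolerance),
    Unchecked,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DirError {
    NoDirectory,
    NotYetValid,
    Expired,
}

/// Hand back the cached directory only if it meets the requested timeliness,
/// reporting why it was rejected rather than a bare "no directory".
pub fn netdir<'a>(cached: Option<&'a NetDir>, kind: Timeliness, now: SystemTime)
    -> Result<&'a NetDir, DirError>
{
    let dir = cached.ok_or(DirError::NoDirectory)?;
    let (earliest, latest) = match kind {
        Timeliness::Unchecked => return Ok(dir),
        Timeliness::Strict => (dir.valid_after, dir.valid_until),
        Timeliness::Timely(t) => (dir.valid_after - t.pre_valid, dir.valid_until + t.post_valid),
    };
    if now < earliest { Err(DirError::NotYetValid) }
    else if now >= latest { Err(DirError::Expired) }
    else { Ok(dir) }
}
```
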
This name is more accurate because we aren't only dealing with
clock skew here: we're also trying to tolerate the case where the
authorities fail to reach consensus for a while.

This logic can now be adjusted via the config object so that it does
its own overriding by looking at the environment as appropriate.
Removing these methods helps simplify the code a bit.
Enabled by #483.

Now that configuring the environment variables related to fs
permissions works properly, we don't need to use the "override"
feature any more: we can just add the option to the configuration
when appropriate.
With this design, `--disable-fs-permission-checks` is now mostly an
alias for
`--option storage.permissions.dangerously_trust_everyone=true`.
Enabled by #483.

By default we look at `$FS_MISTRUST_DISABLE_PERMISSIONS_CHECKS`.
Optionally, the user can provide another variable as well, or
disable looking at the environment entirely.