Files
eranos/android
Alex Gleason 7ce1ca87e9 Pin arti dependency and reconcile Tor activation docs
Address two follow-ups from the Tor (arti) MR review.

Supply-chain hardening for the arti-mobile AAR, a native artifact with
network-proxy privileges:

- Pin the gpmaven Maven source to an immutable commit SHA
  (guardianproject/gpmaven@b3ee2a6) instead of the mutable `master`
  branch, so a force-push or new commit can't silently change what we
  resolve.
- Verify the resolved AAR's SHA-256 at build time
  (verifyArtiChecksum, wired ahead of assemble/bundle). A mismatch fails
  the build before any APK is produced. Scoped to the one privileged
  artifact rather than enabling global dependency verification, which
  would force-verify every transitive dep.

Reconcile stale "apply on relaunch" / "next app launch" doc comments in
AppContext.ts, tor.ts, useTor.ts, TorController.java, and TorPlugin.java
with the actual behavior: the Advanced Settings toggle activates Tor
live via start/stop (arti starts/stops immediately, relay layer
remounts); the persisted flag only governs cold-launch auto-start.
2026-06-13 14:32:28 -05:00
..
2026-02-19 07:58:45 -06:00
2026-02-19 06:18:02 -06:00