kvdb-rocksdb uses an old rocksdb, leading to two separate security issues

[kayabaNerve]

paritytech/parity-common#659 for its usage of owning_ref, which is also used by prometheus-client (prometheus/client_rust#77).

paritytech/parity-common#437 was closed 6 months ago as wontfix due to how rocksdb would be "deprecated" for paritydb, despite there still being no timeline on when and a lack of further reasoning directly stated (which would've been appreciated, albeit may just be available elsewhere and accordingly fine).

kvdb-rocksdb also uses rocksdb 0.18, which has a vulnerability in a certain API. While that may not be relevant, I'd appreciate using 0.19 to close out the advisory.

We'd have to fork parity-common to resolve this while staying on rocksdb, and we're reliant on prometheus's update anyways so there's no reason to yet. They thankfully are handling this properly.

Relevant to #28.

[kayabaNerve]

prometheus-client has updated. libp2p has yet to update to the new prometheus client, and I don't care to fork libp2p to do so.

fixed-hash = { git = "https://github.com/paritytech/parity-common", rev = "26d712dbc401f6065250baca41663c0c8298e60a" }
kvdb = { git = "https://github.com/paritytech/parity-common", rev = "26d712dbc401f6065250baca41663c0c8298e60a" }
kvdb-memorydb = { git = "https://github.com/paritytech/parity-common", rev = "26d712dbc401f6065250baca41663c0c8298e60a" }
kvdb-rocksdb = { git = "https://github.com/paritytech/parity-common", rev = "26d712dbc401f6065250baca41663c0c8298e60a" }
rlp = { git = "https://github.com/paritytech/parity-common", rev = "26d712dbc401f6065250baca41663c0c8298e60a" }
uint = { git = "https://github.com/paritytech/parity-common", rev = "26d712dbc401f6065250baca41663c0c8298e60a" }
parity-util-mem = { git = "https://github.com/paritytech/parity-common", rev = "26d712dbc401f6065250baca41663c0c8298e60a" }
primitive-types = { git = "https://github.com/paritytech/parity-common", rev = "26d712dbc401f6065250baca41663c0c8298e60a" }

The following patch DOES use the new code. substrate/client/db/src/upgrade.rs has conflicts though. We'd have to update at the substrate level as well, or wait a bit longer as we already have to for libp2p.

[kayabaNerve]

libp2p is up to date and can be patched if we're willing to patch our copy of substrate. It's not an immediate priority, yet good to see.

[kayabaNerve]

https://github.com/paritytech/parity-common issues 677

[kayabaNerve]

https://github.com/paritytech/substrate/tree/polkadot-v0.9.29 is available. It doesn't address the above issues but we should still update to match these releases with parity.

[kayabaNerve]

The new kvdb-rocksdb was just tagged 🎉

[kayabaNerve]

prometheus-client was updated by libp2p yet they haven't released the version with it (0.8.0 for libp2p-metrics).

[kayabaNerve]

Updating kvdb requires updating all of parity-common's crates. Best to wait a bit longer, I guess.

[kayabaNerve]

paritytech/substrate@fc67cbb has been merged into their master.