Bump github.com/spacemeshos/go-spacemesh from 1.0.2 to 1.0.3

[dependabot[bot]]

Bumps github.com/spacemeshos/go-spacemesh from 1.0.2 to 1.0.3.

Release notes

Sourced from github.com/spacemeshos/go-spacemesh's releases.

v1.0.3

Zip Files

• Windows: https://storage.googleapis.com/go-spacemesh-release-builds/v1.0.3/Windows.zip
• macOS: https://storage.googleapis.com/go-spacemesh-release-builds/v1.0.3/macOS.zip
• macOS arm64: https://storage.googleapis.com/go-spacemesh-release-builds/v1.0.3/macOS_ARM64.zip
• Linux: https://storage.googleapis.com/go-spacemesh-release-builds/v1.0.3/Linux.zip
• Linux arm64: https://storage.googleapis.com/go-spacemesh-release-builds/v1.0.3/Linux_ARM64.zip

2132d132a48447f1ddac9c5d5dad1eec8aac82b631f0cbdda1dae169f78ae2ef  Linux.zip
f77317bf4a51e43c57d8cad3f16f83e294dfd187f1938db8a339f470ba6d1e16  Linux_ARM64.zip
483ea6b6d9ebed53dee0bae0808c4f257307ba429e411d11270571218402c15e  Windows.zip
1d34bb7d4b1d3bccfc62fad41b7e39b33054442dda893aa3c984276e0a874a26  macOS.zip
37a44f879b2a0fe53ea7e14658922dafd6aaa34a9d0d7787cb7dd65e4cee71d9  macOS_ARM64.zip

Notable changes

Temporary reduction of PoST proving difficulty

Spacemesh smeshers must generate a PoST proof as part of their activation process once every two-week epoch. To prevent a certain kind of exploit, where an adversary with cheap processing power can replace some storage with much more computation, we've introduced a small amount of additional computation to the PoST proving process making this attack too expensive to carry out. We had plans to offload this additional work and delegate it to other servers that can do it once for all smeshers they serve, but didn't think it was urgent.

After the launch of the Spacemesh mainnet we've talked to users and realized that the time this work would take on many users' actual setup would make it hard (sometimes impossible) to generate a proof in the limited time available for it. As a temporary measure, until we can implement our long term solution, we're considerably reducing the amount of work required, so that no home smesher will be hurt by this.

As a consequence a powerful adversary could take advantage and slightly increase their power beyond their resource allocation. This would still require implementing some complex logic, putting in place specialized hardware and taking some statistical risk. This attack would also potentially be detectable.

To minimize the incentive to take advantage and the possible long term upside, we're committing to re-raise the difficulty within 10 epochs (5 months). We hope to finish implementing the delegation of this work much sooner and the difficulty increase back to safe levels will then be expedited. But regardless of the time to roll this out - the temporary reduction will end automatically after 5 months. This temporary change is part of our unwavering commitment to make smeshing at home effortless and effective.

Commits

• e91d735 fix flaky test: TestSpacemeshApp_NodeService (#4728)
• 68d196b Bump post-rs to v0.4.1 - more logs during initialization (#4730)
• 89c0f60 Lower the post k2pow in mainnet (#4727)
• ec9e4ca Proving opts metrics (#4726)
• 43986af Fix misleading error (#4725)
• 0a9b323 public metrics (#4723)
• 3889e3a p2p: set resource manager conn limits relative to high peers (#4707)
• c418ee5 post: update to latest version with inflight verification (#4716)
• 618aae2 Verify self-generated POST proofs to catch errors early (#4721)
• c40a4ab validate genesis before using (#4719)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot[bot]]

Superseded by #70.