Arch Linux User Repository

Search Criteria

Enter search criteria

Search by

Keywords

Out of Date

Sort by

Sort order

Per page

Package Details: tor-browser-bin 15.0.5-1

Package Actions

Git Clone URL:	https://aur.archlinux.org/tor-browser-bin.git (read-only, click to copy)
Package Base:	tor-browser-bin
Description:	Tor Browser Bundle: anonymous browsing using Firefox and Tor
Upstream URL:	https://www.torproject.org/projects/torbrowser.html
Licenses:	MPL-2.0
Conflicts:	tor-browser
Provides:	tor-browser
Submitter:	FabioLolix
Maintainer:	grufo (jugs)
Last Packager:	grufo
Votes:	1301
Popularity:	3.17
First Submitted:	2023-09-24 17:45 (UTC)
Last Updated:	2026-02-14 18:31 (UTC)

Dependencies (19)

alsa-lib
dbus-glib
desktop-file-utils (desktop-file-utils-git^AUR)
hicolor-icon-theme (hicolor-icon-theme-git^AUR)
hunspell (hunspell-git^AUR)
icu (icu-git^AUR)
libevent (libevent-git^AUR)
libvpx (libvpx-full-git^AUR, libvpx-git^AUR)
libxt
mime-types (mailcap)
nss (nss-hg^AUR)
sqlite (sqlite-fossil^AUR)
startup-notification
gst-libav (gst-libav-git^AUR) (optional) – H.264 video
gst-plugins-good (gst-plugins-good-git^AUR) (optional) – H.264 video
kdialog (kdialog-git^AUR) (optional) – KDE dialog boxes
libnotify (libnotify-git^AUR) (optional) – Gnome dialog boxes
libpulse (pulseaudio-dummy^AUR, libpulse-git^AUR) (optional) – PulseAudio audio driver
zenity (zenity-gtk3^AUR, zenity-git^AUR, qarma-git^AUR, zenity-rs-bin^AUR) (optional) – simple dialog boxes

Required by (0)

Sources (8)

Pinned Comments

grufo commented on 2019-08-15 02:22 (UTC)

Before running makepkg, you must do this (as normal user):

$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

If you want to update tor-browser from AUR without AUR helpers you can run in a terminal:

$ tor-browser -u

Latest Comments

1 2 3 4 5 6 .. 78 Next › Last »

Maxr commented on 2026-02-14 20:40 (UTC)

The PKGBUILD fetches SHA256 checksums at build time via _dist_checksum(), which downloads them from torproject.org. This defeats the purpose of checksum verification - a compromised server could serve both malicious archives AND matching checksums. Additionally, the fallback to sha256sums-unsigned-build.txt further weakens security if the signed version is unavailable.

This breaks makepkg's security model where checksums should be hardcoded in the PKGBUILD. While GPG signature verification provides some protection (if users import the key as instructed), relying solely on runtime-fetched checksums is problematic.

Do I miss something? If not, is it really necessary to let it fetch the checksums instead of hardcoding them?

dataprolet commented on 2025-12-14 14:45 (UTC)

@LaughingMan Well the package is basically broken at this point too.

james7132 commented on 2025-12-13 04:02 (UTC)

The desktop file lacks MIME type associations and proper web browser category. For example, Mullvad Browser has the following lines:

Categories=Network;WebBrowser;Security;
MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;application/x-xpinstall;application/pdf;application/json;

Was this exclusion intentional?

LaughingMan commented on 2025-12-12 15:22 (UTC)

@renegat The dist subdomain was used in the past and resulted in the build being broken whenever a new Tor Browser version was released.

renegat commented on 2025-12-12 15:14 (UTC)

The PKGBUILD contains the wrong _urlbase:

_urlbase="https://archive.torproject.org/tor-package-archive/torbrowser/${pkgver}"

It has to be:

_urlbase="https://dist.torproject.org/torbrowser/${pkgver}"

mgd commented on 2025-12-12 10:37 (UTC) (edited on 2025-12-12 10:46 (UTC) by mgd)

I've downloaded the current version 15.0.3-1 but the build fails:

    [tor-browser-bin]$ makepkg
    ==> FEHLER: sha256sums does not allow empty values.
    ==> FEHLER: sha256sums does not allow empty values.

Manually downloading tor-browser-linux-x86_64-15.0.3.tar.xz and tor-browser-linux-x86_64-15.0.3.tar.xz.asc into the build directory does not change anything.

ZLima12 commented on 2025-03-20 23:57 (UTC) (edited on 2025-03-20 23:59 (UTC) by ZLima12)

EDIT: I now see the comment below which has the reason.

In the latest commit, the source was changed from dist.torproject.org to archive.torproject.org; is there any particular reason to do this? It seems like archive is meant more for historical releases, while dist is what is used on the website for downloads.

aplnx commented on 2025-03-17 12:24 (UTC)

Hi! I am having the same sha256sums error despite of repeating the commands recommended in pinned message.

tucho commented on 2025-02-08 21:15 (UTC)

@grufo and @jugs, I suggest changing _urlbase from "https://dist.torproject.org/torbrowser/${pkgver}" to "https://archive.torproject.org/tor-package-archive/torbrowser/${pkgver}". That way we can still install the package while you work on releasing a new version.

Elrondo46 commented on 2025-02-08 16:50 (UTC)

Can I co-maintain the package to update it faster when there is a more recent version?

1 2 3 4 5 6 .. 78 Next › Last »