Package Details: tor-browser 7.0.10-1

Git Clone URL: https://aur.archlinux.org/tor-browser.git (read-only)
Package Base: tor-browser
Description: Tor Browser Bundle: Anonymous browsing using firefox and tor (international PKGBUILD)
Upstream URL: https://www.torproject.org/projects/torbrowser.html
Keywords: Anonymity Browser Internet Network Tor
Licenses: GPL
Submitter: grufo
Maintainer: grufo
Last Packager: grufo
Votes: 46
Popularity: 13.435244
First Submitted: 2017-03-23 12:24
Last Updated: 2017-11-16 19:51

Pinned Comments

grufo commented on 2017-11-04 19:47

Before running makepkg, you must do this:

$ gpg --keyserver hkp://pgp.mit.edu:11371 --recv-keys D1483FA6C3C07136

If you want to update tor-browser from AUR without AUR helpers you can run in a terminal:

$ tor-browser -u

Latest Comments

grufo commented on 2017-10-21 02:15

@Marcel_K Thank you for the clarification. I will remove the `pre_install()` message in the next days. Regarding the md5sums, this is an umbrella PKGBUILD, which selects the package source in function of the language of the machine. I really cannot maintain an array of md5sums/SHA256 for each language and update it with each release.

Marcel_K commented on 2017-10-20 23:47

BTW, it is *not* a good idea to skip checksumming of source files, like you do now in md5sums_(i686|x86_64). Only (automatically) set the checksum of signature files to SKIP. A better hashing algorithm like SHA256 is also nice, unless the source of the files provides MD5 checksums, which isn't the case, as far as I can see within a few seconds.
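
The check Marcel_K describes, as an added example that is not part of the thread or of the package's PKGBUILD: it pairs each source entry with its checksum and reports any non-signature source whose checksum is SKIP. The function name `audit_checksums`, the file names and the hash are constructed for illustration; the `.sig`/`.sign`/`.asc` list reflects the extensions makepkg treats as detached signatures.

```shell
#!/bin/sh
# Added example, not the package's PKGBUILD: audit source/checksum pairs and
# report sources whose integrity check is disabled with SKIP.
# File names and the hash below are constructed sample data.

# audit_checksums SOURCES SUMS
#   SOURCES, SUMS: whitespace-separated lists in matching order, mirroring a
#   PKGBUILD's source=() and sha256sums=() arrays.
# Prints one line per problem; returns 1 if any source is unverified.
audit_checksums() {
    sources=$1
    set -f                      # disable globbing while word-splitting
    set -- $2                   # checksums become $1, $2, ...
    rc=0
    for src in $sources; do
        name=${src%%::*}        # "name::url" entries are saved as "name"
        if [ $# -eq 0 ]; then
            printf 'MISSING %s\n' "$name"; rc=1; continue
        fi
        sum=$1; shift
        case $name in
            # Detached signatures are checked via PGP, so SKIP is expected here.
            *.sig|*.sign|*.asc) continue ;;
        esac
        if [ "$sum" = SKIP ]; then
            printf 'UNVERIFIED %s\n' "$name"; rc=1
        fi
    done
    set +f
    return $rc
}

# Constructed sample: the pattern criticised in the thread (everything SKIP) ...
BAD_SOURCES="example-browser-1.0_en-US.tar.xz example-browser-1.0_en-US.tar.xz.asc"
BAD_SUMS="SKIP SKIP"
# ... and the suggested form: a real SHA-256 for the tarball, SKIP only for the .asc.
# (The hash is the SHA-256 of empty input, used purely as a placeholder.)
GOOD_SUMS="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SKIP"

audit_checksums "$BAD_SOURCES" "$BAD_SUMS"  || echo "audit failed for all-SKIP arrays"
audit_checksums "$BAD_SOURCES" "$GOOD_SUMS" && echo "audit passed"
```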

Marcel_K commented on 2017-10-20 23:43

Yes, signature checking of the source files (using the signature files downloaded due to their presence in the sources array) is done during makepkg. You can install signed packages, like the ones from the official repos, but those keys are in the pacman keyring and installed automatically (with a slight hiccup, like a few days ago, when I tried to update my system but pacman-keyring wasn't updated in time). See https://wiki.archlinux.org/index.php/Pacman/Package_signing
There also exist user repositories with pre-built packages that can be signed: https://wiki.archlinux.org/index.php/Unofficial_user_repositories
In short: do not compile a package yourself and then send it to someone using an insecure method like regular email.

grufo commented on 2017-10-20 23:25

@Marcel_K I am not enough of a pacman expert to give an answer, therefore I will ask you a question. Imagine you have not imported the PGP keys and I did. Now imagine that I build the tor-browser package and I email it to you (the built pacman package). My question is: will you be able to install it?

Marcel_K commented on 2017-10-20 23:15

But the .install files are only run using pacman, which is too late. The message makepkg outputs should be enough, IMHO. Or create a pinned comment about the import of the PGP key, linking to https://wiki.archlinux.org/index.php/Makepkg#Signature_checking

grufo commented on 2017-10-20 22:20

@Marcel_K You are right, but unfortunately there is not a `pre_validate()` function available for .install files, the earliest function available is `pre_install()`. And to print messages via PKGBUILD before validation in my opinion is not a good practice. Maybe this could be a proposal for Arch developers regarding the .install files (either a `pre_validate()` function or a `fail_validate()` function that is triggered only when validation fails).

Marcel_K commented on 2017-10-20 22:01

The message about signature verification is useless in the install file as you should already have built and installed the package before seeing it.

grufo commented on 2017-09-29 21:29

@acidicX I knew it! Thank you for the suggestion! :)

acidicX commented on 2017-09-29 20:21

@grufo works like a charm! Thank you!
