AUR (en) - opensnitch-git

Git Clone URL:	https://aur.archlinux.org/opensnitch-git.git (read-only, click to copy)
Package Base:	opensnitch-git
Description:	A GNU/Linux port of the Little Snitch application firewall
Upstream URL:	https://github.com/evilsocket/opensnitch
Licenses:	GPL3
Conflicts:	opensnitch
Provides:	opensnitch
Submitter:	None
Maintainer:	lsf
Last Packager:	lsf
Votes:	43
Popularity:	0.50
First Submitted:	2017-05-03 14:15 (UTC)
Last Updated:	2024-07-25 10:25 (UTC)

Latest Comments

« First ‹ Previous 1 .. 8 9 10 11 12 13 14 15 16 17 18 Next › Last »

lsf commented on 2019-04-24 21:25 (UTC)

No. Or rather: only under very specific circumstances. I don't know how much you know about gnupg/pgp, so I'll just keep it short: What you did is import a key of some person who signs packages with it. Now you can additionally verify the integrity of packages/files signed with this key (in addition to the basic checksums). In some cases, the keys used are provided by the maintainer of the software that is packaged, in other cases it's by the person packaging it for the AUR, providing different amounts of extra "trust". This would only be an issue if you'd now blindly trust everything signed with this key, installed AUR packages without inspecting them and the key owner intentionally created a "bad" package (or someone got hold of his key and created one). So basically: no, everything's fine, as long as you follow basic "AUR hygiene", as stated in: https://wiki.archlinux.org/index.php/Arch_User_Repository#Build_and_install_the_package => "Warning: Carefully check the PKGBUILD, any .install files, and any other files in the package's git repository for malicious or dangerous commands. If in doubt, do not build the package, and seek advice on the forums or mailing list. Malicious code has been found in packages before."

washo commented on 2019-04-24 21:05 (UTC)

@lsf Thank's a lot! By the way, could this compromise the security of the system somehow?

lsf commented on 2019-04-24 18:56 (UTC)

You need to import the public key in your personal gpg keyring (there are ways around cluttering your regular keyring, but let's just stick with using it for simplicity). See: https://wiki.archlinux.org/index.php/Makepkg#ERROR:_One_or_more_PGP_signatures_could_not_be_verified!

It boils down to gpg --recv-keys 8C004C2F93481F6B, but optimally you would also verify the fingerprint of the key as provided "upstream", to ensure it's the actual and correct key you've imported via the aforementioned command.

washo commented on 2019-04-24 18:16 (UTC) (edited on 2019-04-24 18:18 (UTC) by washo)

I had this issue when installing. I already installed the package "python-unicode-slugify-git". Any solution? I'm using Antergos linux. Thank you guys :D

==> Validating source files with sha512sums...

grpcio-tools-1.20.0.tar.gz ... Passed
grpcio-tools-1.20.0.tar.gz.sig ... Skipped

==> Verifying source file signatures with gpg...

grpcio-tools-1.20.0.tar.gz ... FAILED (unknown public key 8C004C2F93481F6B)

==> ERROR: One or more PGP signatures could not be verified!

twnaing commented on 2019-02-21 05:42 (UTC)

Dependencies list all the python3 package. opensnitch-ui script use #!/sbin/python2. I have to install dependencies using pip2 install futures grpcio grpcio-tools pyinotify unicode_slugify pyqt5 configparser --user

parkerlreed commented on 2019-02-06 15:32 (UTC) (edited on 2019-02-06 15:38 (UTC) by parkerlreed)

@gvhoecke git packages don't need their pkgver bumped for every single little update. Use a sane AUR helper that can actually detect upstream changes. There's no reason to flag this.

From the wiki: "Note: VCS packages are not considered out of date when the pkgver changes, do not flag them as the maintainer will merely unflag the package and ignore you. AUR maintainers should not commit mere pkgver bumps."