Package Details: tor-browser-bin 14.0.3-1

Git Clone URL: https://aur.archlinux.org/tor-browser-bin.git (read-only, click to copy)
Package Base: tor-browser-bin
Description: Tor Browser Bundle: anonymous browsing using Firefox and Tor
Upstream URL: https://www.torproject.org/projects/torbrowser.html
Licenses: MPL-2.0
Conflicts: tor-browser
Provides: tor-browser
Submitter: FabioLolix
Maintainer: grufo (jugs)
Last Packager: jugs
Votes: 1280
Popularity: 1.03
First Submitted: 2023-09-24 17:45 (UTC)
Last Updated: 2024-12-06 14:48 (UTC)

Pinned Comments

grufo commented on 2019-08-15 02:22 (UTC)

Before running makepkg, you must do this (as normal user):

$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

If you want to update tor-browser from AUR without AUR helpers you can run in a terminal:

$ tor-browser -u

Latest Comments

« First ‹ Previous 1 .. 27 28 29 30 31 32 33 34 35 36 37 .. 77 Next › Last »

grufo commented on 2017-11-03 14:01 (UTC)

@LaughingMan tor-browser and tor-browser-en-us do that. @yar, @jugs We should think to merge tor-browser-en and tor-browser-en-us. Please have a look at the source of the various tor-browser* I mantain. I revised the package's bash script and made it more portable. Would you like to be co-mantainers of tor-browser-en-us?

fennectech commented on 2017-10-28 23:40 (UTC)

if only yaourt was capable of doing this by itself.

grufo commented on 2017-10-21 02:15 (UTC)

@Marcel_K Thank you for the clarification. I will remove the `pre_install()` message in the next days. Regarding the md5sums, this is an umbrella PKGBUILD, which selects the package source in function of the language of the machine. I really cannot mantain an array of md5sums/SHA256 for each language and update it with each release.

Marcel_K commented on 2017-10-20 23:47 (UTC) (edited on 2017-10-20 23:48 (UTC) by Marcel_K)

BTW, it is *not* a good idea to skip checksumming of source files, like you do now in md5sums_(i686|x86_64). Only (automatically) set the checksum of signature files to SKIP. A better hashing algorithm like SHA256 is also nice, unless the source of the files provide MD5 checksums, which isn't the case, as far as I can see within a few seconds.

Marcel_K commented on 2017-10-20 23:43 (UTC)

Yes, signature checking of the source files (using the signature files downloaded due to their presence in the sources array) is done during makepkg. You can install signed packages, like the ones from the official repos, but those keys are in the pacman keyring and installed automatically (with a slight hiccup, like a few days ago, when I tried to update my system but pacman-keyring wasn't update in time). See https://wiki.archlinux.org/index.php/Pacman/Package_signing There also exist user repositories with pre-built packages that can be signed: https://wiki.archlinux.org/index.php/Unofficial_user_repositories In short: do not compile a package yourself and then send it to someone using an insecure method like regular email.

grufo commented on 2017-10-20 23:25 (UTC)

@Marcel_K I am not enough a pacman expert to give an answer, therefore I will ask you a question. Imagine you have not imported the PGP keys and I did. Now imagine that I build the tor-browser package and I email it to you (the built pacman package). My question is: will you be able to install it?

Marcel_K commented on 2017-10-20 23:15 (UTC)

But the .install files are only run using pacman, which is too late. The message makepkg outputs should be enough, IMHO. Or create a pinned comment about the import of the PGP key, linking to https://wiki.archlinux.org/index.php/Makepkg#Signature_checking

grufo commented on 2017-10-20 22:20 (UTC)

@Marcel_K You are right, but unfortunately there is not a `pre_validate()` function available for .install files, the earliest function available is `pre_install()`. And to print messages via PKGBUILD before validation in my opinion is not a good practice. Maybe this could be a proposal for Arch developers regarding the .install files (either a `pre_validate()` function or a `fail_validate()` function that is triggered only when validation fails).

Marcel_K commented on 2017-10-20 22:01 (UTC)

The message about signature verification is useless in the install file as you should already have built and installed the package before seeing it.