On 24/02/05 03:47AM, Zehka wrote:
> Hello everyone,

Hello!

> Today I noticed by chance that the aur/tor-browser package is gone and
> replaced by extra/torbrowser-launcher

The aur/tor-browser package on the aur was merged[0] into
aur/tor-browser-bin and was not replaced by extra/torbrowser-launcher
as far as I understand it.

> That worries me a bit because as a user of an aur helper I did either not
> receive or see a notice about that so I stayed on version 12.5.3-1 that was
> the last one on aur without noticing it was getting outdated.
> I just wonder if that's common practice? This case is particularly unlucky
> in my eyes because tor browser has a special role in the security concepts
> of many people and because the new package is spelled torbrowser-launcher a
> search in both databases with "yay tor-browser" in September only showed me
> the aur result.
> So I just wanted to ask if there is any possibility to make that transition
> better because I assume I'm not the only user out there who didn't notice.

Usually when a package is moved to the main repos the pkgrel is bumped
so that people who already have it on their system get the update.
Of course when it is also renamed at the same time things get a little
more complicated and depending on how popular the package is a replaces
directive is used or not.

> And more thought that I had even though I didn't want to check in order to
> cause unnecessary chaos: Is the name tor-browser now blocked in aur or could
> anyone just upload a malicious package to that name and until somebody
> notices that everyone who has the old tor browser and uses an aur helper for
> updates gets a malicious version?

You are advised to inspect every PKGBUILD on install and any update
anyways and I'd say especially if you have a special threat model and/or
care about security: "DISCLAIMER: AUR packages are user produced
content. Any use of the provided files is at your own risk."
and "Verify that the PKGBUILD and accompanying files are not malicious
or untrustworthy."[1]

> Regards
> Zehka

Cheers,
gromit

[0]: https://lists.archlinux.org/hyperkitty/list/aur-reque...@lists.archlinux.org/message/4RCWE2NX6E4NORQHVXR2TCGRUR756HSN/
[1]: https://wiki.archlinux.org/title/Arch_User_Repository#Installing_and_upgrading_packages
