Feb 4, 2024 21:48:07 Zehka <zehka@chaospott.de>:

> Hello everyone,
> Today i noticed by chance that the aur/tor-browser package is gone and replaced by extra/torbrowser-launcher
> That worries me a bit because as a user of an aur helper i did either not receive or see a notice about that so i stayed on version 12.5.3-1 that was the last one on aur without noticing it was getting outdated.
> I just wonder if that's common practice? This case is particularly unlucky in my eyes because tor browser has a special role in the security concepts of many people and because the new package is spelled torbrowser-launcher a search in both databases with "yay tor-browser" in september only showed me the aur result.
> So i just wanted to ask if there is any possibility to make that transition better because i assume i'm not the only user out there who didn't notice.

The transition from AUR -> extra is a bit iffy, because officially speaking AUR packages are unsupported, and so are AUR helpers, so from the Archlinux PMs' point of view the AUR package might as well not exist. There are ways to provide proper replacements in official package repos as well as AUR repos, but I believe the official repos pretend the AUR doesn't exist for these things.

> And more thought that i had even though i didn't want to check in order to cause unnecessary chaos: Is the name tor-browser now blocked in aur or could anyone just upload a malicious package to that name and until somebody notices that everyone who has the old tor browser and uses an aur helper for updates gets a malicious version?

No, the name isn't blocked. Yes,, someone could upload a malicious version to it, and yes the helpers would update to said version, but as I said above, the AUR and AUR helpers are officially unsupported, it's generally on the user who installs the AUR package to make sure it doesn't do anything malicious (by inspecting the PKGBUILD and perhaps whatever it's downloading), and if it does, to report the package.

> Regards
> Zehka