tor-browser depublication and replacement

Hello everyone,

Today I noticed by chance that the aur/tor-browser package is gone and replaced by extra/torbrowser-launcher. That worries me a bit because as a user of an AUR helper I did either not receive or see a notice about that, so I stayed on version 12.5.3-1, which was the last one on the AUR, without noticing it was getting outdated. I just wonder if that's common practice?

This case is particularly unlucky in my eyes because Tor Browser has a special role in the security concepts of many people, and because the new package is spelled torbrowser-launcher, a search in both databases with "yay tor-browser" in September only showed me the AUR result. So I just wanted to ask if there is any possibility to make that transition better, because I assume I'm not the only user out there who didn't notice.

And one more thought that I had, even though I didn't want to check it in order not to cause unnecessary chaos: Is the name tor-browser now blocked in the AUR, or could anyone just upload a malicious package under that name, and until somebody notices, everyone who has the old Tor Browser and uses an AUR helper for updates gets a malicious version?

Regards
Zehka
Feb 4, 2024 21:48:07 Zehka <zehka@chaospott.de>:
> Hello everyone,
>
> Today I noticed by chance that the aur/tor-browser package is gone and replaced by extra/torbrowser-launcher. That worries me a bit because as a user of an AUR helper I did either not receive or see a notice about that, so I stayed on version 12.5.3-1, which was the last one on the AUR, without noticing it was getting outdated. I just wonder if that's common practice?
>
> This case is particularly unlucky in my eyes because Tor Browser has a special role in the security concepts of many people, and because the new package is spelled torbrowser-launcher, a search in both databases with "yay tor-browser" in September only showed me the AUR result. So I just wanted to ask if there is any possibility to make that transition better, because I assume I'm not the only user out there who didn't notice.
The transition from AUR -> extra is a bit iffy, because officially speaking AUR packages are unsupported, and so are AUR helpers, so from the Archlinux PMs' point of view the AUR package might as well not exist. There are ways to provide proper replacements in official package repos as well as AUR repos, but I believe the official repos pretend the AUR doesn't exist for these things.
> And one more thought that I had, even though I didn't want to check it in order not to cause unnecessary chaos: Is the name tor-browser now blocked in the AUR, or could anyone just upload a malicious package under that name, and until somebody notices, everyone who has the old Tor Browser and uses an AUR helper for updates gets a malicious version?

No, the name isn't blocked. Yes, someone could upload a malicious version to it, and yes, the helpers would update to said version, but as I said above, the AUR and AUR helpers are officially unsupported. It's generally on the user who installs the AUR package to make sure it doesn't do anything malicious (by inspecting the PKGBUILD and perhaps whatever it's downloading), and if it does, to report the package.

> Regards
> Zehka
--
Kusoneko
GPG: https://kusoneko.moe/gpg.txt
https://kusoneko.moe
On 24/02/05 03:47AM, Zehka wrote:
> Hello everyone,
Hello!
> Today I noticed by chance that the aur/tor-browser package is gone and replaced by extra/torbrowser-launcher.
The aur/tor-browser package on the aur was merged[0] into aur/tor-browser-bin and was not replaced by extra/torbrowser-launcher as far as I understand it.
> That worries me a bit because as a user of an AUR helper I did either not receive or see a notice about that, so I stayed on version 12.5.3-1, which was the last one on the AUR, without noticing it was getting outdated. I just wonder if that's common practice?
>
> This case is particularly unlucky in my eyes because Tor Browser has a special role in the security concepts of many people, and because the new package is spelled torbrowser-launcher, a search in both databases with "yay tor-browser" in September only showed me the AUR result. So I just wanted to ask if there is any possibility to make that transition better, because I assume I'm not the only user out there who didn't notice.
Usually when a package is moved to the main repos the pkgrel is bumped so that people who already have it on their system get the update. Of course when it is also renamed at the same time things get a little more complicated and depending on how popular the package is a replaces directive is used or not.
> And one more thought that I had, even though I didn't want to check it in order not to cause unnecessary chaos: Is the name tor-browser now blocked in the AUR, or could anyone just upload a malicious package under that name, and until somebody notices, everyone who has the old Tor Browser and uses an AUR helper for updates gets a malicious version?
You are advised to inspect every PKGBUILD on install and any update anyways and I'd say especially if you have a special threat model and/or care about security: "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk." and "Verify that the PKGBUILD and accompanying files are not malicious or untrustworthy."[1]
> Regards
> Zehka

Cheers,
gromit

[0]: https://lists.archlinux.org/hyperkitty/list/aur-requests@lists.archlinux.org...
[1]: https://wiki.archlinux.org/title/Arch_User_Repository#Installing_and_upgradi...
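The checks the two replies above point at (Kusoneko's note that nothing stops a new upload under a vacated AUR name, and gromit's advice to inspect every PKGBUILD on install and update) can be partly automated from the user's side. The script below is an added example written for this thread, not code from the list or from any AUR helper. It audits the output of `pacman -Qm` (foreign, i.e. non-repo, packages) against AUR metadata and flags packages whose name no longer resolves in the AUR, whose maintainer changed since the last audit, or which lag behind the AUR version. All inputs are constructed inline so it runs offline: the version 12.5.3-1 for tor-browser is the one from the thread, while the other package names, the maintainer handles and the remaining versions are made up, and the version comparison is a simplified stand-in for pacman's `vercmp`.

```python
"""Audit installed foreign (AUR) packages against AUR metadata.

Added example for this thread, not code from the list or from any AUR
helper. Flags three conditions a careful AUR user wants to know about:
  missing            - no AUR package of that name any more (merged, deleted
                       or renamed); a fresh upload could take the name over
  maintainer-changed - the maintainer differs from the one recorded earlier
  outdated           - the installed version is behind the AUR version
"""
import json
import re
from dataclasses import dataclass

# Constructed `pacman -Qm` output (packages not in any configured repo).
# tor-browser 12.5.3-1 is the version from the thread; the rest is made up.
PACMAN_QM = """\
tor-browser 12.5.3-1
example-helper 2.0.0-1
example-tool 1.0-2
"""

# Constructed JSON shaped like an AUR RPC v5 `info` response. tor-browser is
# deliberately absent (the thread says it was merged into tor-browser-bin);
# example-tool has both a new maintainer and a newer version.
AUR_INFO_JSON = json.dumps({
    "version": 5,
    "type": "multiinfo",
    "resultcount": 2,
    "results": [
        {"Name": "example-helper", "PackageBase": "example-helper",
         "Version": "2.0.0-1", "Maintainer": "maint-a"},
        {"Name": "example-tool", "PackageBase": "example-tool",
         "Version": "1.1-1", "Maintainer": "maint-c"},
    ],
})

# Constructed record of the maintainers seen at the previous audit.
KNOWN_MAINTAINERS = {
    "tor-browser": "maint-x",
    "example-helper": "maint-a",
    "example-tool": "maint-b",
}


@dataclass
class Finding:
    package: str
    kind: str    # "missing", "maintainer-changed" or "outdated"
    detail: str


def parse_foreign(pacman_qm_output: str) -> dict:
    """Turn `pacman -Qm` lines ("name version") into {name: version}."""
    pkgs = {}
    for line in pacman_qm_output.splitlines():
        if line.strip():
            name, version = line.split()
            pkgs[name] = version
    return pkgs


def _split_version(version: str) -> list:
    # Numeric runs compare as integers, alphabetic runs as strings.
    return [int(p) if p.isdigit() else p
            for p in re.findall(r"\d+|[A-Za-z]+", version)]


def version_is_older(installed: str, available: str) -> bool:
    """Simplified pkgver-pkgrel ordering (assumption: stand-in for `vercmp`,
    which handles epochs and pacman's alpha/numeric rules precisely)."""
    a, b = _split_version(installed), _split_version(available)
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return x < y
        return str(x) < str(y)
    return len(a) < len(b)


def audit(foreign: dict, aur_info_json: str, known_maintainers: dict) -> list:
    """Compare installed foreign packages with AUR info and return findings."""
    aur = {r["Name"]: r for r in json.loads(aur_info_json)["results"]}
    findings = []
    for name, installed in sorted(foreign.items()):
        entry = aur.get(name)
        if entry is None:
            findings.append(Finding(name, "missing",
                f"installed {installed}, but no AUR package of that name; "
                "check the aur-requests list for a merge or deletion before "
                "trusting anything that reappears under it"))
            continue
        previous = known_maintainers.get(name)
        current = entry.get("Maintainer")   # None for orphaned packages
        if previous is not None and current != previous:
            findings.append(Finding(name, "maintainer-changed",
                f"{previous} -> {current}; re-read the PKGBUILD before updating"))
        if version_is_older(installed, entry["Version"]):
            findings.append(Finding(name, "outdated",
                f"{installed} -> {entry['Version']}"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_foreign(PACMAN_QM), AUR_INFO_JSON, KNOWN_MAINTAINERS):
        print(f"{f.kind:<18} {f.package}: {f.detail}")
```

In real use the two constants would be replaced by live `pacman -Qm` output and the JSON returned by the AUR RPC v5 `info` endpoint for those names, and the maintainer record would be persisted between runs. A "missing" finding says nothing about why the name is gone; as in this thread, the aur-requests list is where the merge or deletion is recorded, so that is the place to look before trusting whatever later appears under the same name.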
On 05-02-2024 03:47, Zehka wrote:
> Hello everyone,
>
> Today I noticed by chance that the aur/tor-browser package is gone and replaced by extra/torbrowser-launcher. That worries me a bit because as a user of an AUR helper I did either not receive or see a notice about that, so I stayed on version 12.5.3-1, which was the last one on the AUR, without noticing it was getting outdated. I just wonder if that's common practice?
>
> This case is particularly unlucky in my eyes because Tor Browser has a special role in the security concepts of many people, and because the new package is spelled torbrowser-launcher, a search in both databases with "yay tor-browser" in September only showed me the AUR result. So I just wanted to ask if there is any possibility to make that transition better, because I assume I'm not the only user out there who didn't notice.
>
> Regards
> Zehka

Hi,

For AUR packages that you use / are interested in, you can enable per-package notifications when logged into the AUR. In your "My Account" page you can select which types of notifications you want to receive globally. In case you want to minimize emails from the AUR, just enable "Notify of ownership updates".

Lone_Wolf
Is it not better to have an instruction written about this issue in the Arch Wiki? Or is there one already? (Well, I don't have all of the ArchWiki in my memory!) A general guide that packages transferred to Arch repositories from the AUR without renaming get a `pkgrel` bump. But in the general case, subscribing to a package's notifications is advised to prevent any surprise or confusion; in particular, for when a package is renamed, both inside the AUR itself and also when transferred to the official repositories.

Regards,
Abraham
See Heusel's reply. It was not transferred; it was merged into its -bin AUR package.

--
Cheers,
Aᴀʀᴏɴ
participants (6)
- Aaron Liu
- Abraham S.A.H.
- Christian Heusel
- Kusoneko
- Lone_Wolf
- Zehka