[PRQ#80755] Orphan Request for tor-browser-bin
gerliczkowalczuk [1] filed an orphan request for tor-browser-bin [2]:

This package has several outstanding issues:

* runtime-fetched checksums break makepkg security model
* repeated build failures reported by users
* outdated version despite frequent Tor Browser releases

Given that Tor Browser is security-critical software, these issues are quite serious.

Is the package still actively maintained? If not, I would be willing to help maintain or adopt it to address these problems.

[1] https://aur.archlinux.org/account/gerliczkowalczuk/
[2] https://aur.archlinux.org/pkgbase/tor-browser-bin/
Appreciate the slop,

The checksums are not providing any real protection as we're using the GPG signature which provides both integrity and authenticity.

The runtime-fetched checksum approach was from before I became co-maintainer. I build, install and validate each commit before it goes live. All of the last year's worth of comments about "repeated build failures" have been due to the checksums of new releases before the PKGBUILD gets updated (and the old version packages are removed upstream).

While I do account for ~80% of the package commits, the version bumps have been lacking lately. Thanks for the reminder. You can also feel free to mark the package out of date or comment on it to help others.

- Sebastian

-------- Original Message --------
On Saturday, 04/04/26 at 12:48 notify@aur.archlinux.org wrote:

gerliczkowalczuk [1] filed an orphan request for tor-browser-bin [2]:

This package has several outstanding issues:

* runtime-fetched checksums break makepkg security model
* repeated build failures reported by users
* outdated version despite frequent Tor Browser releases

Given that Tor Browser is security-critical software, these issues are quite serious.

Is the package still actively maintained? If not, I would be willing to help maintain or adopt it to address these problems.

[1] https://aur.archlinux.org/account/gerliczkowalczuk/
[2] https://aur.archlinux.org/pkgbase/tor-browser-bin/
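The two PKGBUILD patterns the request and the reply argue about can be checked mechanically. The following is an added example, not code from this thread or from the tor-browser-bin package: a small lint that flags sha256sums computed at build time (which pin nothing, since whatever the server currently serves "verifies") and 'SKIP' entries that are not backed by a validpgpkeys fingerprint (so makepkg pins neither a hash nor a signing key). The sample PKGBUILDs, URLs and fingerprint are constructed placeholders.

```shell
#!/usr/bin/env bash
# Lint a PKGBUILD for two weak checksum patterns:
#  1. sha256sums fetched or computed at build time ($(curl ...), $(sha256sum ...));
#  2. 'SKIP' checksums with no validpgpkeys fingerprint to pin the signing key.
# Returns 0 when neither pattern is present, 1 otherwise.
audit_pkgbuild() {
  local file="$1" rc=0 sums
  # Collect the sha256sums=( ... ) array, whether it spans one line or several.
  sums=$(awk '/^sha256sums=\(/{f=1} f{print} f&&/\)/{f=0}' "$file")
  if printf '%s\n' "$sums" | grep -Eq '\$\([^)]*(curl|wget|sha256sum)'; then
    echo "WEAK: $file computes sha256sums at build time (nothing is pinned)"
    rc=1
  fi
  if printf '%s\n' "$sums" | grep -q "'SKIP'" &&
     ! grep -Eq "^validpgpkeys=\('?[0-9A-Fa-f]{40}" "$file"; then
    echo "WEAK: $file uses SKIP without a validpgpkeys fingerprint"
    rc=1
  fi
  return "$rc"
}

# Constructed sample PKGBUILDs (not the real tor-browser-bin PKGBUILD).
WORK=$(mktemp -d)
cat >"$WORK/PKGBUILD.weak" <<'EOF'
pkgname=example-bin
pkgver=1.0
source=("https://example.invalid/app-$pkgver.tar.xz")
sha256sums=("$(curl -s https://example.invalid/app-$pkgver.tar.xz.sha256 | cut -d' ' -f1)")
EOF
cat >"$WORK/PKGBUILD.pinned" <<'EOF'
pkgname=example-bin
pkgver=1.0
source=("https://example.invalid/app-$pkgver.tar.xz"
        "https://example.invalid/app-$pkgver.tar.xz.asc")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
# Placeholder fingerprint; a real PKGBUILD pins the upstream signing key here.
validpgpkeys=('0000000000000000000000000000000000000000')
EOF

audit_pkgbuild "$WORK/PKGBUILD.weak" || echo "-> review before building"
audit_pkgbuild "$WORK/PKGBUILD.pinned" && echo "-> hash pinned, signature key pinned"
```

The pinned form is what makepkg's model expects: the tarball hash is fixed in the PKGBUILD, the detached .asc is listed as a source so the signature is checked, and validpgpkeys fixes which key may have made it.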
On 2026-04-04 22:14, Sebastian Jug wrote:
Appreciate the slop,
The checksums are not providing any real protection as we're using the GPG signature which provides both integrity and authenticity.
The runtime-fetched checksum approach was from before I became co-maintainer. I build, install and validate each commit before it goes live. All of the last year's worth of comments about "repeated build failures" have been due to the checksums of new releases before the PKGBUILD gets updated (and the old version packages are removed upstream).
While I do account for ~80% of the package commits, the version bumps have been lacking lately. Thanks for the reminder. You can also feel free to mark the package out of date or comment on it to help others.
- Sebastian
-------- Original Message --------
On Saturday, 04/04/26 at 12:48 notify@aur.archlinux.org wrote:

gerliczkowalczuk [1] filed an orphan request for tor-browser-bin [2]:
This package has several outstanding issues:
* runtime-fetched checksums break makepkg security model
* repeated build failures reported by users
* outdated version despite frequent Tor Browser releases
Given that Tor Browser is security-critical software, these issues are quite serious.
Is the package still actively maintained? If not, I would be willing to help maintain or adopt it to address these problems.
[1] https://aur.archlinux.org/account/gerliczkowalczuk/
[2] https://aur.archlinux.org/pkgbase/tor-browser-bin/
Hi,

Thanks for the clarification and for the update. That makes sense regarding the GPG verification and upstream behavior. I appreciate the explanation. I'll make sure to flag the package out of date when needed.

Best regards
Oskar Gerlicz Kowalczuk