Torsocks is a project of the Tor Project, and its repository can be found on the official Tor Project site here: https://gitweb.torproject.org/torsocks.git

The Gentoo ebuild uses somebody's downstream personal GitHub repository instead of the official source. Needless to say, using any unofficial sources (even from a repository that is "just a clone of the official source, trust me xoxo") is horrible security practice. The package should be updated to use the code from the Tor Project instead of somebody's personal downstream GitHub repo...
Note that: 1) dgoulet is a Tor developer; 2) We have checksums for used versions (see the Manifest); 3) I'm not sure the upstream version actually existed back then. But yes, it should be changed.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=def88ebef11b4616ae6f574e6bd9df9b1bd6f518

commit def88ebef11b4616ae6f574e6bd9df9b1bd6f518
Author: Craig Andrews <candrews@gentoo.org>
AuthorDate: 2022-10-13 17:54:02 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-10-30 09:33:27 +0000

net-proxy/torsocks: unset upstream in metadata.xml

Closes: https://bugs.gentoo.org/757885
Signed-off-by: Craig Andrews <candrews@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/27772
Signed-off-by: Sam James <sam@gentoo.org>

net-proxy/torsocks/metadata.xml | 4 ----
1 file changed, 4 deletions(-)