Bug 757885

Summary: net-proxy/torsocks: use official upstream repository
Product: Gentoo Linux
Reporter: xayati9309
Component: Current packages
Assignee: Anthony Basile <blueness>
Status: UNCONFIRMED ---
Severity: normal
CC: sam
Priority: Normal
Version: unspecified
Hardware: All
OS: All
Package list:
Runtime testing required: ---

Description xayati9309 2020-12-01 15:41:02 UTC
Torsocks is a project of the Tor Project, and its repository can be found on the official Tor Project site here:

The Gentoo ebuild uses somebody's downstream personal GitHub repository instead of the official source.

Needless to say, using any unofficial sources (even from a repository that is "just a clone of the official source, trust me xoxo") is horrible security practice.

The package should be updated to use the code from the Tor Project instead of somebody's personal downstream GitHub repo...

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-01 15:44:08 UTC
Note that:
1) dgoulet is a Tor developer;
2) We have checksums for used versions (see the Manifest);
3) I'm not sure the upstream version actually existed back then.

But yes, it should be changed.
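
Point 2 of Comment 1 refers to the DIST entries in a package's Manifest. The following is an added example, not part of the bug thread and not Portage's own code, showing how such an entry (file name, size, BLAKE2B and SHA512 digests) pins the bytes of a fetched distfile; the file name and contents are constructed sample values.

```python
import hashlib

# Gentoo Manifest hash names mapped to hashlib constructors (BLAKE2B is the 512-bit variant).
HASHES = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def parse_manifest(text):
    """Return {filename: (size, {hash_name: hex_digest})} for every DIST line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
            continue  # not a DIST line, or hash name/value pairs are incomplete
        name, size, rest = fields[1], int(fields[2]), fields[3:]
        entries[name] = (size, dict(zip(rest[0::2], rest[1::2])))
    return entries


def verify_distfile(entries, name, data):
    """Return a list of problems; an empty list means the bytes match the Manifest."""
    if name not in entries:
        return [f"{name}: no DIST entry"]
    size, digests = entries[name]
    problems = []
    if len(data) != size:
        problems.append(f"size {len(data)} != {size}")
    known = [h for h in digests if h in HASHES]
    if not known:
        problems.append("no supported hash in entry")
    for h in known:
        if HASHES[h](data).hexdigest() != digests[h].lower():
            problems.append(f"{h} mismatch")
    return problems


def make_dist_line(name, data):
    """Build the DIST line a maintainer would record for these bytes."""
    parts = ["DIST", name, str(len(data))]
    for h, ctor in HASHES.items():
        parts += [h, ctor(data).hexdigest()]
    return " ".join(parts)


# Constructed sample: stand-in bytes for a release tarball, not a real torsocks archive.
SAMPLE_NAME = "torsocks-0.0.0-sample.tar.gz"
SAMPLE_DATA = b"constructed stand-in for a release tarball\n"
MANIFEST = parse_manifest(make_dist_line(SAMPLE_NAME, SAMPLE_DATA))

if __name__ == "__main__":
    print(verify_distfile(MANIFEST, SAMPLE_NAME, SAMPLE_DATA))
```

A passing check confirms that the fetched bytes equal what was recorded when the Manifest was generated; it carries no information about which repository those bytes were downloaded from.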