Bug 757885 - net-proxy/torsocks: use official upstream repository
Summary: net-proxy/torsocks: use official upstream repository
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All All
Importance: Normal normal
Assignee: Anthony Basile
Reported: 2020-12-01 15:41 UTC by xayati9309
Modified: 2020-12-01 15:44 UTC


Description xayati9309 2020-12-01 15:41:02 UTC
Torsocks is a project of the Tor Project, and its repository can be found on the official Tor Project site here: https://gitweb.torproject.org/torsocks.git

The Gentoo ebuild uses somebody's downstream personal GitHub repository instead of the official source.

Needless to say, using any unofficial sources (even from a repository that is "just a clone of the official source, trust me xoxo") is horrible security practice.

The package should be updated to use the code from the Tor Project instead of somebody's personal downstream GitHub repo...
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-01 15:44:08 UTC
Note that:
1) dgoulet is a Tor developer;
2) We have checksums for used versions (see the Manifest);
3) I'm not sure the upstream version actually existed back then.

But yes, it should be changed.
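
Point 2 of Comment 1 refers to the checksums recorded in the Manifest. As an added illustration (not code from Portage or from this bug), the sketch below checks fetched bytes against a Manifest `DIST` entry carrying a size plus BLAKE2B and SHA512 digests; the file name, contents and helper names are constructed for the example.

```python
import hashlib
import hmac

# Hash names used in Manifest DIST entries, mapped to hashlib constructors.
HASHES = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def parse_dist_line(line):
    """Parse 'DIST <file> <size> <ALGO> <hex> [<ALGO> <hex> ...]'."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("not a well-formed DIST entry")
    digests = dict(zip(fields[3::2], fields[4::2]))
    return fields[1], int(fields[2]), digests


def verify_distfile(data, line):
    """Return the list of checks that failed; an empty list means a match."""
    _, size, digests = parse_dist_line(line)
    problems = []
    if len(data) != size:
        problems.append("size")
    known = [algo for algo in digests if algo in HASHES]
    if not known:
        problems.append("no supported hash")
    for algo in known:
        actual = HASHES[algo](data).hexdigest()
        if not hmac.compare_digest(actual, digests[algo].lower()):
            problems.append(algo)
    return problems


def make_dist_line(name, data):
    """Build a DIST entry for sample data, standing in for the recorded Manifest."""
    parts = ["DIST", name, str(len(data))]
    for algo, ctor in HASHES.items():
        parts += [algo, ctor(data).hexdigest()]
    return " ".join(parts)


# Constructed sample: stand-in bytes for a source tarball, not a real release.
SAMPLE_NAME = "example-1.0.tar.gz"
SAMPLE_DATA = b"constructed tarball contents\n" * 64
SAMPLE_LINE = make_dist_line(SAMPLE_NAME, SAMPLE_DATA)

if __name__ == "__main__":
    print(verify_distfile(SAMPLE_DATA, SAMPLE_LINE))         # identical bytes
    print(verify_distfile(SAMPLE_DATA + b"x", SAMPLE_LINE))  # altered copy
```

A match shows that the fetched bytes are the ones hashed when the Manifest entry was written, whichever host served them; it does not show where those bytes originally came from.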