757885 – net-proxy/torsocks: use official upstream repository

Bug 757885 - net-proxy/torsocks: use official upstream repository

Summary: net-proxy/torsocks: use official upstream repository

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All All

Importance:	Normal normal (vote)
Assignee:	Anthony Basile

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2020-12-01 15:41 UTC by xayati9309
Modified:	2020-12-01 15:44 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description xayati9309 2020-12-01 15:41:02 UTC

Torsocks is a project of the Tor Project, and its repository can be found on the official Tor Project site here: https://gitweb.torproject.org/torsocks.git

The Gentoo ebuild uses somebody's downstream personal GitHub repository instead of the official source.

Needless to say, using any unofficial sources (even from a repository that is "just a clone of the official source, trust me xoxo") is horrible security practice.

The package should be updated to use the code from the Tor Project instead of someody's personal downstream Github repo...

Comment 1 Sam James archtester

2020-12-01 15:44:08 UTC

Note that:
1) dgoulet is a Tor developer;
2) We have checksums for used versions (see the Manifest);
3) I'm not sure the upstream version actually existed back then.

But yes, it should be changed.