Looks like that’s not TOR Browser but just a helper to install TOR Browser.
I have to disagree because this is a special case. Usually the reason to use TOR or the TOR Browser is anonymity. There are users whose freedom or even life depends on being anonymous. In such a case, you have to minimize any risk as well as possible. And every party involved is at least a potential risk factor.
So no matter if you trust Arch or not, there’s just no reason to use the repos in this case. Get it from the TOR project and verify the download! Everything else is just bad OpSec.
This is exactly what the helper from the repos is doing.
No, it’s not. Your security is as strong as the weakest link. If the repos are compromised, it doesn’t matter that you have verified your TOR browser. There are thousands of packages in the repos, many of which you have installed, that can violate your privacy.
But there’s just no reason to use the helper.
Direct way > 1 possible point of failure
Arch repos > 2 possible points of failure
I think anyone who really NEEDS to be anonymous will understand this.
But if you just want the TOR browser for more privacy or to check out the Darknet, sure, go on and download it from wherever you like.
That’s just wrong logic, because it assumes that the two supposed points of failure are independent. They are not. If you are using Arch, in every case you are counting on Arch repos to be trustworthy, and that’s the only point of failure here in both of these situations. If the repos are compromised, it doesn’t matter whether you have a trustworthy Tor browser or not. In fact, by downloading it manually, you are introducing a possibility of user error.
Well, I can’t follow your logic here, but nvm.
BTW, the best (most secure) solution would be to not run the TOR browser on Arch/EOS at all and use Tails instead.
If you are going to run Tor browser on Arch, using the torbrowser-launcher package is in no way less safe than downloading the browser manually, since by using Arch Linux you have already assumed that Arch Linux software repositories are trustworthy.
Two possibilities here exist:
1. The assumption that Arch Linux software repositories are trustworthy is true. In that case, the torbrowser-launcher package is also trustworthy, since it comes from a trustworthy repository.
2. The assumption that Arch Linux software repositories are trustworthy is false. In that case, it doesn’t matter which version of Tor browser you’re using, your anonymity is already compromised by hundreds or thousands of untrustworthy packages you have installed on your system. Also, why are you using EndeavourOS then?
I don’t really see what’s difficult to understand about that. You either trust the Arch package maintainers, or you don’t. If you trust them, you may as well use the torbrowser-launcher package, for its convenience.
That’s such a knee-jerk thing to say. Just think about it.
If you are trusting Arch package maintainers to package the kernel for you, why wouldn’t you trust them to package TOR? And besides, the torbrowser-launcher is not a packaged version of TOR, it’s a script whose source code you can inspect yourself. It couldn’t be safer than that (on Arch Linux, at least).
If they wanted to find out what you’re doing in the TOR browser, they can just put spyware into your kernel and you can have your TOR packaged by anyone in the world, it wouldn’t matter.
Well, that’s because I never use TOR outside of Whonix.
True, and I don’t argue with your logic, what I mean is that I’d never install / update stuff like that blindly without inspection…
Also yes, I don’t trust Arch package maintainers that much.
Well, if you don’t trust Arch, that’s fine. But that’s not what we were talking about here.
My point was that @NX-01’s claim that using the torbrowser-package is in any way less secure than downloading the Tor browser yourself (and using it on Arch) is simply wrong. It’s equally safe. There are no “two points” of failure.
No matter who you trust or not. But what’s the point of using this helper program/script? Where’s the advantage? It’s so simple. Just download the archive, verify and extract and you can run the browser.
Sure, but you can say that about any program. So the question really is: what’s the advantage of using a package manager over downloading programs yourself?