Package Base Details: tomb

Git Clone URL: https://aur.archlinux.org/tomb.git (read-only)
Submitter: None
Maintainer: parazyd (roddhjav)
Last Packager: roddhjav
Votes: 48
Popularity: 0.85
First Submitted: 2011-04-15 15:20
Last Updated: 2021-01-15 15:26

Packages (2)

Pinned Comments

roddhjav commented on 2020-05-24 12:13

To install the package, first import jaromil's PGP key:

gpg --recv-keys 6113D89CA825C5CEDD02C87273B35DA54ACB7D10

Alternatively add keyserver-options auto-key-retrieve to your ~/.gnupg/gpg.conf.

This key can also be found on https://keybase.io/jaromil
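
A check that the imported key really is the one with the pinned fingerprint, given here as an added example that is not part of the comment above or of the tomb PKGBUILD. It parses gpg's colon-format listing and accepts only an exact 40-hex-digit primary-key fingerprint; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Fingerprint copied from the pinned comment above.
EXPECTED_FPR=6113D89CA825C5CEDD02C87273B35DA54ACB7D10

# Constructed sample of a colon-format key listing: primary key plus one subkey.
SAMPLE_OK='pub:-:::73B35DA54ACB7D10:
fpr:::::::::6113D89CA825C5CEDD02C87273B35DA54ACB7D10:
sub:-:::0123456789ABCDEF:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Constructed look-alike: same last 8 hex digits (short key ID), different key.
SAMPLE_LOOKALIKE='pub:-:::DEADBEEF4ACB7D10:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEF4ACB7D10:'

# Print the fingerprint (field 10 of the "fpr" record) of each primary key,
# skipping the fpr records that belong to subkeys.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# key_matches FPR: exit 0 only if stdin lists a primary key whose full
# fingerprint equals FPR; exit 2 if FPR is not a 40-hex-digit fingerprint.
key_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$expected" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    primary_fprs | grep -Fqx "$expected"
}

# Demo on the constructed samples. Against a real keyring, feed it:
#   gpg --with-colons --fingerprint --list-keys "$EXPECTED_FPR"
for name in SAMPLE_OK SAMPLE_LOOKALIKE; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | key_matches "$EXPECTED_FPR"; then
        echo "$name: fingerprint matches"
    else
        echo "$name: fingerprint does NOT match"
    fi
done
```
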

Latest Comments


DaveCode commented on 2014-05-23 04:39

BTW I don't have wipe installed and it may be optdepends. Do
$ cat src/Tomb-1.5.2/Makefile
which says wipe is just "recommended" not required.

DaveCode commented on 2014-05-23 04:29

1. Same err as 2014-01-05 04:16 showing tomb-kdf twice. Best guess, this PKGBUILD breaks AUR guidelines. It lacks a single package() function. It's two packages, not one. It seems to want tomb-kdf as a "shadow package," not kosher. What the heck is

true && pkgname=(tomb tomb-kdf)

supposed to do? Split into tomb-kdf and tomb separately or merge completely somehow under ONE package name.

If the previous maintainer's work was your baseline, it would be easier to start from scratch using info from

https://wiki.archlinux.org/index.php/creating_packages
https://wiki.archlinux.org/index.php/Arch_packaging_standards
https://wiki.archlinux.org/index.php/PKGBUILD
https://wiki.archlinux.org/index.php/PKGBUILD_Templates
https://wiki.archlinux.org/index.php/VCS_PKGBUILD_Guidelines


2. Oh my...he only signs checksums. Checksums are easy to spoof with mere code comments. Tell jaromil. He needs to sign the tarballs not their checksums.

Right now the PKGBUILD doesn't even check a SHA sig, does it? There's a comment in there about his key, but nothing is done with it?

https://wiki.archlinux.org/index.php/makepkg#Signature_checking

richli commented on 2014-05-21 04:25

@DaveCode:

1) I don't get this error, either by using makepkg or by using pacaur. Namcap doesn't report any errors like this either. I'm not sure how I can troubleshoot this on my end. Is there any more detail you can provide?

2) Check the available files here [1], they don't provide a signature for the tarball itself, only the checksum file. Unless there is one available somewhere else?

[1] https://files.dyne.org/tomb/

DaveCode commented on 2014-05-21 04:01

Thanks for adoption. Issues,

1. Dup target in pacaur when done building pkg and tries to install.
error: '/blah/bleh/foo/pacaurtmp-root/tomb/tomb-kdf-1.5.2-1-x86_64.pkg.tar.xz': duplicate target

2. PKGBUILD should verify gpg sig on download tarball, not just sha sums, a security pkg merits full treatment.

richli commented on 2014-05-20 03:50

I've adopted this package and updated it to the current version, 1.5.2.

richli commented on 2014-02-26 05:39

The past couple pastebins are expired, so I updated the PKGBUILD myself for the current version (v1.5.2) and have it here:

https://gist.github.com/richli/9224088

DaveCode commented on 2014-01-05 04:16

Here's what tried to run
# tail -n 1 /var/log/pacman.log
[PACMAN] Running '/usr/bin/pacman -U /tmp/XDG_CACHE_HOME_root/pacaurtmp-root/tomb/tomb-1.4-2-any.pkg.tar.xz /tmp/XDG_CACHE_HOME_root/pacaurtmp-root/tomb/tomb-kdf-1.4-2-x86_64.pkg.tar.xz /tmp/XDG_CACHE_HOME_root/pacaurtmp-root/tomb/tomb-kdf-1.4-2-x86_64.pkg.tar.xz'

DaveCode commented on 2014-01-05 04:11

Voted. Failure report on x86_64: public key glitch and dup target.
http://pastebin.archlinux.fr/486221

fauno commented on 2013-12-04 13:37

I'm sorry! I didn't get the sha verification messages! I'm testing boyska's modifications and I'll upload the new pkgrel afterwards :)

BoySka commented on 2013-12-04 11:42

I think this is better packaged:
http://pastebin.com/sym3AWui

It adds tomb-kdf (which is very important for security) and removes tomb-gui (which is non-working and should be considered WIP)

It also solves verification issues by just relying on sha256sum