[Pkg-privacy-maintainers] Bug#1125775: torsocks: library not in search path, leaks user IP to endpoint

[Salvatore Bonaccorso]

Hi,

On Mon, Jan 19, 2026 at 10:48:26AM +0100, intrigeri wrote:
> Hi,
> 
> (Note: I'm not involved in maintaining this package anymore; nowadays
> Hefee is responsible for it.)

Just for clarity, yes I knew, included you as you might have some
additional insights from the past.

> Salvatore Bonaccorso (2026-01-17):
> > [not the maintainers here, but I'm adding intrigeri as well explicitly
> > for input on the change below, and this is only a preliminary cursory
> > look after it was raised in #debian-security IRC channel]
> > [...]
> >
> > It looks that in debian/rules the call for dh_makeshlibs is explicitly
> > overriden, otherwise a trigger for registering 'activate-nowait
> > ldconfig' would be generated.
> 
> Indeed, I think this override used to be correct, but the multiarch
> packaging changes that happened during the Trixie dev cycle moved to
> using ld.so to load the library, so this override now breaks things as
> cacin reported :/
> 
> > This should resolve the issue, but then
> > one needs to explicitly override both
> >
> > E: libtorsocks: package-modifies-ld.so-search-path [etc/ld.so.conf.d/torsocks-x86_64-linux-gnu.conf]
> > W: libtorsocks: package-has-unnecessary-activation-of-ldconfig-trigger
> >
> > because then this would be actually intended? intrigeri is this
> > correct?
> 
> I think so, but I'd rather let Hefee comment about it, since they've
> implemented this part.

Ack, let's wait to get Hefee's comments on it.

Regards,
Salvatore