Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 810303

Summary: dev-libs/libxml2 uses ftp download URLs only, please add https as in
Product: Gentoo Linux Reporter: Nikolay Kichukov <hjckr>
Component: Current packagesAssignee: Sam James <sam>
Severity: normal CC: base-system, jstein
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---

Description Nikolay Kichukov 2021-08-25 07:51:56 UTC
If you are trying to compile libxml2 on a system that has limited outbound Internet connectivity which does not allow outbound connections to port 21, then you are unable to fetch the sources.

The sources however are fetchable via https as per:

which lists as optional download location:
"Libxml2 is also available from GIT:

See libxml2 Git web. To checkout a local tree use"

In the case of the latest version, the URL would be:

Reproducible: Always

Steps to Reproduce:
See description.
Actual Results:  
Can fail to download via FTP and there is no alternative in the ebuild. Upstream https alternative does exist.

Expected Results:  
Attempt FTP download first, if this fails, try https download.
Comment 1 Sam James archtester gentoo-dev Security 2021-08-26 22:13:26 UTC
Note that I'd expect you to be using GENTOO_MIRRORS anyway, mirrors for which are available via HTTP and overn HTTPS. Upstream URLs aren't always reliable.

But sure, this seems preferable, thanks!
Comment 2 Sam James archtester gentoo-dev Security 2021-08-26 22:16:03 UTC
Hm. These aren't official distribution tarballs but instead generated by gitlab automatically. Mentioning you can checkout from git doesn't mean they endorse using gitlab to download the sources for distributions.

Such auto-generated tarballs are usually lacking files.