Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 810303 - dev-libs/libxml2 uses ftp download URLs only, please add https as in gitlab.gnome.org
Summary: dev-libs/libxml2 uses ftp download URLs only, please add https as in gitlab.g...
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Sam James
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-25 07:51 UTC by Nikolay Kichukov
Modified: 2021-08-26 22:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Nikolay Kichukov 2021-08-25 07:51:56 UTC
If you are trying to compile libxml2 on a system that has limited outbound Internet connectivity which does not allow outbound connections to port 21, then you are unable to fetch the sources.

The sources however are fetchable via https as per:
http://xmlsoft.org/downloads.html

which lists gitlab.gnome.org as optional download location:
"Libxml2 is also available from GIT:

See libxml2 Git web. To checkout a local tree use"

In the case of the latest version, the URL would be:
https://gitlab.gnome.org/GNOME/libxml2/-/archive/v2.9.12/libxml2-v2.9.12.tar.gz

Reproducible: Always

Steps to Reproduce:
See description.
Actual Results:  
Can fail to download via FTP and there is no alternative in the ebuild. Upstream https alternative does exist.

Expected Results:  
Attempt FTP download first, if this fails, try https download.
Comment 1 Sam James archtester gentoo-dev Security 2021-08-26 22:13:26 UTC
Note that I'd expect you to be using GENTOO_MIRRORS anyway, mirrors for which are available via HTTP and overn HTTPS. Upstream URLs aren't always reliable.

But sure, this seems preferable, thanks!
Comment 2 Sam James archtester gentoo-dev Security 2021-08-26 22:16:03 UTC
Hm. These aren't official distribution tarballs but instead generated by gitlab automatically. Mentioning you can checkout from git doesn't mean they endorse using gitlab to download the sources for distributions.

Such auto-generated tarballs are usually lacking files.