[Bug 272674] ports-mgmt/pkg 1.20.4 fails to read from a web server using digest authentication with http

Reply: bugzilla-noreply_a_freebsd.org: "maintainer-feedback requested: [Bug 272674] ports-mgmt/pkg 1.20.4 fails to read from a web server using digest authentication with http"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 272674] ports-mgmt/pkg 1.20.4 fails to read from a web server using digest authentication with http"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 272674] ports-mgmt/pkg 1.20.4 fails to read from a web server using digest authentication with http"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 23 Jul 2023 09:16:46 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272674

            Bug ID: 272674
           Summary: ports-mgmt/pkg 1.20.4 fails to read from a web server
                    using digest authentication with http
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: pkg@FreeBSD.org
          Reporter: ross@exitzero.uk
             Flags: maintainer-feedback?(pkg@FreeBSD.org)
          Assignee: pkg@FreeBSD.org

Created attachment 243563
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=243563&action=edit
pkg -d update output from version 1.20.4

I am running FreeBSD 12.4-RELEASE-p3 and use ports-mgmt/poudriere to create a
package repository. This repository is hosted on a web server accessed by other
machines and jails.  The web server uses digest authentication to provide basic
privacy for the contents of that repository (aiming to hide precise software
version numbers).

ports-mgmt/pkg version 1.19.2 works without issue. Version 1.20.4 fails.
Running pkg -d update I can see that version 1.20.4 attempts to fetch from my
web server using basic HTTP authentication but does not use digest
authentication in response to the server's 401 reply.

My pkg repository configuration:
my_poudriere_repo: {
  url:           
"http://redactedusername:redactedpassword@pkg/${VERSION_MAJOR}${VERSION_MINOR}${ARCH}-default"
  enabled:         true,
  signature_type: "pubkey"
  pubkey:         "/etc/ssl/keys/my_pkg_repo.pub"
  mirror_type:    "none"
}

I have attached a redacted version of the output from pkg -d update.

I note that pkg began to use libcurl in place of fetch from version 1.20.0.

Workarounds:
- Lock ports-mgmt/pkg to version 1.19.2 before updating packages by running:
# pkg lock ports-mgmt/pkg
- Remove digest authentication from webserver, switching to basic or none.

-- 
You are receiving this mail because:
You are the assignee for the bug.