Pacman

Historical bug tracker for the Pacman package manager.

The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues

This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.
Tasklist

FS#9617 - Make anonymous password configurable

Attached to Project: Pacman
Opened by Gerhard Brauer (GerBra) - Tuesday, 19 February 2008, 19:46 GMT
Last edited by Dan McGee (toofishes) - Wednesday, 20 February 2008, 14:02 GMT
Task Type Feature Request
Category General
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 3.1.1
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Most of our ftp mirrors allow anonymous login without or with any password. At the moment we have a problem with one new german mirror. Their wu-ftpd was configured very conservative.

wget downloadfile works.
curl downladfiles not. curl standard pw ftp@example.com was rejected.
pacman -Sy doesn't work. pacmans standard pw libalpm@guest was rejected.
We have mailed with admin, curl works now and for the pacman problem we have advised him to accept either libalpm@guest or any/empty password for anonymous login.

Bur maybe we could get a problem in the future if some/more ftp-Admins restrict their services.
Ex. ftp.gwdg.de (this is NOT the problem ftp server)
Here works any or an empty pw but they sent a response if pw is empty like:
----------------
Name (ftp.gwdg.de:gerhard): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-The response '' is not valid
230-Next time please use your e-mail address as your password
230- for example: joe@p54567adB5.dip.t-dialin.net
230-Hello User at p54567adB5.dip.t-dialin.net,
230-we have 135 users (max 2000) logged in in your class at the moment.
-------------

The standard pacman password is hardcoded anywhere in source (pacman/libalpm).

My request, suggestion is: could the password for anonymous login be configurable by the user in /etc/pacman.conf?
Maybe we use a sensible default like: 'pacman@'. Most ftpd complete this with the hostname.
And if there are problems with this default the user could change this to something what his mirror accepts.
This task depends upon

Closed by  Dan McGee (toofishes)
Wednesday, 20 February 2008, 14:02 GMT
Reason for closing:  Won't implement
Additional comments about closing:  Can be done in a lot of ways with the RFC spec for specifying username/password on in a URL (see comments). If not, it is more or less a broken mirror from our point of view.
Comment by Gerhard Brauer (GerBra) - Tuesday, 19 February 2008, 19:55 GMT
Or a other hint if i see this report above:
libalpm@guest isn't in my browser recognized as an email adress, guest is not an FQDN. Maybe this is the problem. Or a problem.
Comment by Dan McGee (toofishes) - Tuesday, 19 February 2008, 20:06 GMT
Server =guest@ftp.testserver.com/archlinux/$repo/os/i686"> ftp://libalpm:guest@ftp.testserver.com/archlinux/$repo/os/i686

I guess I'm not sure what is wrong with that.
Comment by Gerhard Brauer (GerBra) - Tuesday, 19 February 2008, 20:36 GMT
It's not a FQDN after libalpm@.

Try ftp.uni-bayreuth.de with anonymous and pw libalpm@guest (That is our "problem server")
But also try at ftp.gwdg.de with these logins.
gwdg accept but gave a hint:
-------
Name (ftp.gwdg.de:gerhard): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-The response 'libalpm@guest' is not valid
230-Next time please use your e-mail address as your password
230- for example: joe@p534A487B5.dip.t-dialin.net
230-Hello User at p534A487B5.dip.t-dialin.net,
--------

If i use libalpm@guest.de than gwdg don't complain.
Comment by Dan McGee (toofishes) - Tuesday, 19 February 2008, 21:10 GMT
I was giving an example. The post came out all weird too.

The point is, there is an RFC standard for URLs that you can follow where username and password are specified. This seems like a perfectly reasonable solution rather than adding some additional config to pacman that is unnecessary for 99% of our mirrors.

proto:// username : password @ hostname.fqdn /path/to/resource
Comment by Gerhard Brauer (GerBra) - Tuesday, 19 February 2008, 21:54 GMT
This sounds to easy ;-)
What if the password must/should be a email address?
I've tested with ftp.archlinux.org:
Server =libalpm@guest.de@ftp.archlinux.org/$repo/os/i686"> ftp://anonymous:libalpm@guest.de@ftp.archlinux.org/$repo/os/i686
Server =guest.de@ftp.archlinux.org/$repo/os/i686"> ftp://anonymous:libalpm\@guest.de@ftp.archlinux.org/$repo/os/i686
Server =libalpm@guest.de'@ftp.archlinux.org/$repo/os/i686"> ftp://anonymous:'libalpm@guest.de'@ftp.archlinux.org/$repo/os/i686
Server =libalpm@guest.de"@ftp.archlinux.org/$repo/os/i686"> ftp://anonymous:"libalpm@guest.de"@ftp.archlinux.org/$repo/os/i686

All ftp servers request for anonymous login a email address as password. I's admin business how strict they check for validation.
Some accept any text, some check for a vaild address by RFC (2822?), some filtered for fake addresses.

But if we hardcode a email address (i assume libalpm@guest should be one), why not a valid RFC conform email address?
Comment by Gerhard Brauer (GerBra) - Tuesday, 19 February 2008, 21:58 GMT
Oh, same problem in output above..
I mean in mirrorlist:

Server = ftp:// anonymous : libalpm@guest.de @ ftp.archlinux.org/foobar

Also with libalpm\@guest.de, 'libalpm@guest.de', "libalpm@guest.de"
Comment by Xavier (shining) - Tuesday, 19 February 2008, 22:36 GMT
Ahah, I found this bug report so confusing, but so it was only because a Flyspray bug/feature which transforms ftp url in an odd mess ? :)

Anyway, if most ftp mirrors don't care about what the password is, and some others require a valid email address, there is no real reason to not use one.
Comment by Dan McGee (toofishes) - Tuesday, 19 February 2008, 23:10 GMT
This is the first FTP server I have ever heard of require an email address for a password. Ever.

I don't think we need a mirror that can't accept libalpm@guest as a valid login. I don't send a username/email address to every HTTP request, why should anonymous FTP be any different?
Comment by Gerhard Brauer (GerBra) - Wednesday, 20 February 2008, 10:30 GMT
Dan, you're right.
I've checked some mirrors and all of them don't complain by any password syntax for anonymous.
The example with ftp.gwdg.de was my mistake: this is their main ftpd and only there i got this hint (i saw this also on many german university ftp servers). But the mirror ftp server of gwdg (ftp5.gwdg.de, our mirror) doesn't have such a warning/restriction.

To clarify: At the moment we have no problem with one of our official mirrors.
Only one new (inofficial) german mirror have this problem. And the research for reasons lead to this feature request.
I'm sure we could resolve this with the mirror admin. If not, we bann them.

So this was a nice discussion, not more ;-) Let's close the report.
Comment by Dan McGee (toofishes) - Wednesday, 20 February 2008, 14:02 GMT
Cool, I wasn't ever trying to lay into you, I just thought it was the wrong approach to this problem, that's all. I know pacman/libalpm have been making up a username and password for years without issues.

Loading...