Mirror unpacks distfile before sending
Dave Allured - NOAA Affiliate
dave.allured at noaa.gov
Wed Apr 3 18:10:55 UTC 2019
On Tue, Apr 2, 2019 at 10:38 PM Ryan Schmidt <ryandesign at macports.org>
wrote:
> On Apr 2, 2019, at 23:21, Bill Cole wrote:
>
> > On 2 Apr 2019, at 23:45, Dave Allured - NOAA Affiliate wrote:
> >
> > [snip]
> >>
> >> I have never before seen this sort of fradulent behavior, silent
> unpacking,
> >> from either an http hosted data site, or the curl command. Can anyone
> else
> >> confirm this weird download behavior from that facebook.net mirror? Is
> >> there an alternate explanation?
> >
> > Yes.
> >
> > It sounds like the mirror may have a wrong-ish implementation of HTTP
> Compression. (See https://en.wikipedia.org/wiki/HTTP_compression) I've
> seen similar oddness dependent on the client request headers.
> >
> > This might be something to bring to the attention of Facebook or GNU,
> since that's a GNU mirror.
>
> I agree, it is a misconfiguration of the Facebook mirror server. Dave,
> could you please report it to them?
>
> Here is what the headers should look like, from ftp.gnu.org:
>
> $ curl -I https://ftp.gnu.org/gnu/groff/groff-1.22.4.tar.gz
> HTTP/1.1 200 OK
> Date: Wed, 03 Apr 2019 04:32:52 GMT
> Server: Apache/2.4.7 (Trisquel_GNU/Linux)
> Strict-Transport-Security: max-age=63072000
> Last-Modified: Sun, 23 Dec 2018 15:06:58 GMT
> ETag: "3f2208-57db1d4efd451"
> Accept-Ranges: bytes
> Content-Length: 4137480
> Content-Security-Policy: default-src 'self'; img-src 'self'
> https://static.fsf.org https://gnu.org; object-src 'none';
> frame-ancestors 'none'; child-src 'self' https://static.gnu.org
> https://static1p.gnu.org https://static1p.fsf.org
> X-Frame-Options: DENY
> X-Content-Type-Options: nosniff
> Content-Type: application/x-gzip
>
> Here are the headers Facebook's mirror is sending:
>
> $ curl -I http://mirror.facebook.net/gnu/groff/groff-1.22.4.tar.gz
> HTTP/1.1
> <http://mirror.facebook.net/gnu/groff/groff-1.22.4.tar.gzHTTP/1.1> 200 OK
> Date: Wed, 03 Apr 2019 04:33:02 GMT
> Server: Apache
> Last-Modified: Sun, 23 Dec 2018 15:06:58 GMT
> Accept-Ranges: bytes
> Content-Length: 4137480
> Connection: close
> Content-Type: application/x-gzip
> Content-Encoding: x-gzip
>
> Note the incorrect "Content-Encoding: x-gzip". That header means that the
> data has been gzip-compressed for transmission by the server, and the
> client should un-gzip it before presenting it to the user. But that is not
> what anybody wants here. We want the client to receive the original
> unmodified .tar.gz file.
>
Bill and Ryan,
Thanks for the expert diagnosis. I will report this. Can anyone recommend
optimal bug reporting channels for facebook.net and GNU, without requiring
a Facebook account?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20190403/d5f996af/attachment.html>
More information about the macports-users
mailing list