Your message dated Sun, 27 Apr 2025 18:19:05 +0000
with message-id <e1u96an-00h5nm...@fasolo.debian.org>
and subject line Bug#1104091: fixed in debmirror 1:2.44
has caused the Debian Bug report #1104091,
regarding debmirror prints credentials with --progress
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1104091: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104091
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debmirror
Version: 1:2.43
Tags: security
Severity: grave

When using debmirror to create a mirror of a private registry that uses
HTTP/HTTPS basic authentication, use of the --progress flag will cause the
username and password to be printed in the download progress display. The
example below is using a private Gitea package registry:

# ...
Getting meta files ...
[ 0%] Getting: dists/noble/Release... #** GET
https://USERNAME:passw...@url.com/api/packages/Organization/debian/dists/noble/Release
==> 200 OK (1s)
ok
[ 0%] Getting: dists/noble/InRelease... #** GET GET
https://USERNAME:passw...@url.com/api/packages/Organization/debian/dists/noble/InRelease
==> 200 OK
okGET
https://USERNAME:passw...@url.com/api/packages/Organization/debian/dists/noble/Release.gpg
==> 200 OK
ok
Parsing Packages and Sources files ...
Missing: pool/noble/main/package_0.1.0-1_amd64.deb
Missing: pool/noble/main/package_0.1.1-1_amd64.deb
Missing: pool/noble/main/package_0.1.2-1_amd64.deb
Missing: pool/noble/main/package_0.1.3-1_amd64.deb
Missing: pool/noble/main/package_0.1.4-1_amd64.deb
Missing: pool/noble/main/package_0.1.5-1_amd64.deb
Missing: pool/noble/main/package_0.1.6-1_amd64.deb
Missing: pool/noble/main/package_0.1.7-1_amd64.deb
Missing: pool/noble/main/package_0.1.8-1_amd64.deb
Missing: pool/noble/main/package_0.1.9-1_amd64.deb
Missing: pool/noble/main/package_0.1.10-1_amd64.deb
Get Translation files ...
Get DEP-11 metadata files ...
Get command-not-found metadata files ...
Files to download: 71 MiB
[ 0%] Getting: pool/noble/main/package_0.1.0-1_amd64.deb... #** GET
https://USERNAME:passw...@url.com/api/packages/Organization/debian/pool/noble/main/package_0.1.0-1_amd64.deb
==> 200 OK (12s)
# ...

This is due to debmirror performing basic authentication by putting the
credentials in the URL, then show_progress being called on the
LWP::UserAgent performing the web requests.

I suspect the issue could be resolved by using the "credentials" method of
the user agent instead of putting the credentials in the request URL.

--- End Message ---
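
The cause described in the report above, shown as an added example; this is not debmirror's code and not the change made in 1:2.44. It compares the request URI that LWP's progress output would print when credentials are embedded in the URL with the URI left after they are moved into an Authorization header. The helper names strip_userinfo and build_request are hypothetical, and the URL is a constructed sample.

```perl
#!/usr/bin/perl
# Added example (not debmirror's code): keep Basic-auth credentials out of
# the URL that LWP's progress output prints.
use strict;
use warnings;
use URI;
use URI::Escape qw(uri_unescape);
use HTTP::Request;

# Split "https://user:pass@host/path" into a credential-free URI plus the
# decoded user name and password. Returns (URI, undef, undef) if the URL
# carries no userinfo. (Hypothetical helper.)
sub strip_userinfo {
    my ($url) = @_;
    my $uri = URI->new($url);
    my $userinfo = $uri->can('userinfo') ? $uri->userinfo : undef;
    return ($uri, undef, undef) unless defined $userinfo;
    my ($user, $pass) = map { uri_unescape($_) } split /:/, $userinfo, 2;
    $uri->userinfo(undef);    # drop "user:pass@" from the authority
    return ($uri, $user, defined $pass ? $pass : '');
}

# Build a GET request whose URI is safe to log; the credentials travel only
# in the Authorization header. (Hypothetical helper.)
sub build_request {
    my ($url) = @_;
    my ($uri, $user, $pass) = strip_userinfo($url);
    my $req = HTTP::Request->new(GET => $uri);
    $req->authorization_basic($user, $pass) if defined $user;
    return $req;
}

# Constructed sample value; host, path and credentials are placeholders.
my $url = 'https://mirror-user:s3cr%40t@repo.example/debian/dists/noble/Release';

my $leaky = HTTP::Request->new(GET => $url);
my $safe  = build_request($url);

# The progress display prints the method and the request URI, so print the
# same string here to compare what each request would expose.
print "URL-embedded: ", $leaky->method, " ", $leaky->uri, "\n";
print "header-based: ", $safe->method,  " ", $safe->uri,  "\n";
print "header set:   ",
    (defined $safe->header('Authorization') ? "yes" : "no"), "\n";
```

Setting the header sends the credentials with the first request, whereas the user agent's credentials method, which the report suggests, takes a host:port and realm and answers only a matching 401 challenge.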
--- Begin Message ---
Source: debmirror
Source-Version: 1:2.44
Done: Colin Watson <cjwat...@debian.org>

We believe that the bug you reported is fixed in the latest version of
debmirror, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated debmirror package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 27 Apr 2025 18:52:16 +0100
Source: debmirror
Architecture: source
Version: 1:2.44
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwat...@debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1104091
Changes:
 debmirror (1:2.44) unstable; urgency=medium
 .
   * Hide HTTP(S) credentials from progress output (closes: #1104091).
Checksums-Sha1:
 2ace703efcc1a976258cf5d110f72241324baecc 1718 debmirror_2.44.dsc
 8d5fdc5d5b8f97f36569d70c43606d7e2a2b37d5 57288 debmirror_2.44.tar.xz
Checksums-Sha256:
 e57ae7fef6aa0778636ba560395b1db08a13d96656e39e442bb15b4a0d37f3e3 1718 debmirror_2.44.dsc
 2561180713bd03109c331915ccb670ccdc2dab60caa7c03e0ce0bb0663ab0703 57288 debmirror_2.44.tar.xz
Files:
 95abce1c2b8d6c12f5e0f70a13702889 1718 net optional debmirror_2.44.dsc
 d5e866f639d1663b9ec28c67193570a3 57288 net optional debmirror_2.44.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---