Bug#468161: Please increase the severity of this bug...

[Rick Thomas <rbthomas55@pobox.com>]

In light of the reply to bug #469919 (quoted below) from Robert  
Lemmen, the maintainer of zsync, it seems that this bug report should  
be interpreted as "Either fix the problem on the cdimage side, or  
stop using zsync to distribute Debian cdimages".  If Robert can't fix  
the bug on his side, and it can't be fixed on the cdimage side,  
there's little point in going to the effort of creating useless  
".zsync" files.

Additional data that may be helpful from bug #444159 is also quoted  
below.

It may be appropriate to merge the three bug reports #468161,  
#444159, and #469919.  I'm not familiar enough with the Debian BTS to  
know...


Thanks,

Rick

======reply to bug # 469919 by Robert Lemmen========
> 	From: 	  robertle@semistable.com
> 	Subject: 	Re: Bug#469919: zsync fails
> 	Date: 	March 11, 2008 8:13:33 AM EDT
> 	To: 	  rbthomas55@pobox.com, 469919@bugs.debian.org
>
> this is the same as bug #444159, zsync does not support HTTP redirects
> in the moment. It is questionable if it is actually a good idea to
> support them, as this would mean going through the whole redirect  
> chain
> for every microscopic request (zsync send *many* of them). in the case
> of the debian isos, the .zsync files should be updated to reflect the
> new position of the isos...
>
> regards  robert
>
> On Fri, Mar 07, 2008 at 04:43:33PM -0500, Rick Thomas wrote:
>
> > Package: zsync
> >
> > rbthomas@ribbit:~$ zsync http://cdimage.debian.org/cdimage/daily-
> > builds/sid_d-i/20080307-1/powerpc/iso-cd/debian-testing-powerpc-
> > businesscard.iso.zsync
> > #################### 100.0% 114.7 kBps DONE
> >
> > No relevent local data found - I will be downloading the whole file.
> > If that's not what you want, CTRL-C out. You should specify the local
> > file is the old version of the file to download with -i (you might
> > have to decompress it with gzip -d first). Or perhaps you just have
> > no data that helps download the file
> > downloading from http://cdimage.debian.org/cdimage/daily-builds/ 
> > sid_d-
> > i/20080307-1/powerpc/iso-cd/debian-testing-powerpc-businesscard.iso:
> > -------------------- 0.0%bad status code 302
> > -------------------- 0.0% 0.0 kBps aborted
> >
> > failed to retrieve from debian-testing-powerpc-businesscard.iso
> > Aborting, download available in debian-testing-powerpc-
> > businesscard.iso.part
> > verifying download...
> > rbthomas@ribbit:~$
> >
> >
> > This is on Debian Lenny on PowerPC Macintosh
> >
> > What's a "bad status code 302" mean?
> >
> >
> > Rick
> --
> Robert Lemmen                               http://www.semistable.com


===========relevant excerpt from bug #444159============
> HTTP error 302 is "Found", aka "The requested resource resides
> temporarily under a different URI". This means that zsync-assisted
> downloads are currently failing for Debian daily test images. Looking
> into the zsync source code, I can see it's using its own local HTTP
> code rather than using libcurl or any of the other readily-available
> HTTP client libraries. That does seem like a bit of a design bug, to
> say the least. I wouldn't be surprised at all if there were multiple
> security bugs in there just waiting to be found.
=========================================================