I use apt because it cryptographically verifies the authenticity of the download before installing it.
Can you please point me to the rclone documentation that describes how to download rclone and verify the authenticity of the release before installing it?
A repo is a package compiled by a random maintainer not associated with rclone that you are installing.
If you want to not install from the rclone.org website, not sure then. You can download it directly. You can build it yourself from source. You can use the install script.
I've created this feature request to resolve the issue where rclone users cannot securely download the latest version of rclone -- other than from their distro's repos (e.g. Debian's apt).
The issue that I've created addresses the lack of the PGP fingerprint being published in multiple distinct domains (to thwart Publishing Infrastructure compromise on TOFU) and documentation.
Also:
Hashes do not provide cryptographic authenticity. You need signatures for that.
md5sum isn't even a cryptographically secure hash function.
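The cross-domain fingerprint check proposed in the post above, sketched as an added example that is not part of the original thread or of rclone's own tooling. The URLs, the fingerprint and the function names are constructed placeholders; the idea is that a signing key is trusted on first use only if several independently hosted sources publish the same full fingerprint.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: placeholder URLs and a placeholder fingerprint,
# not rclone's real publication points or signing key.
PUBLISHED = {
    "https://downloads.example.org/KEYS.txt":
        "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "https://code-host.example.net/project/README":
        "0x0123456789abcdef0123456789abcdef01234567",
    "https://forum.example.com/t/signing-key":
        "0123456789ABCDEF0123456789ABCDEF01234567",
}


def normalise(fpr):
    """Return a full 40-hex-digit (OpenPGP v4) fingerprint in upper case."""
    s = re.sub(r"\s+", "", fpr)
    if s[:2].lower() == "0x":
        s = s[2:]
    # Reject short key IDs (8 or 16 hex digits): they are cheap to collide.
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", s):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % fpr)
    return s.upper()


def site(url):
    """Crude 'distinct domain' key: last two host labels (assumption:
    no public-suffix handling, which a real tool would need)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("fingerprint source must be an https URL: %r" % url)
    return ".".join(parts.hostname.lower().split(".")[-2:])


def agreed_fingerprint(published, min_domains=2):
    """Return the fingerprint only if every source agrees and at least
    min_domains distinct domains carry it; raise ValueError otherwise."""
    seen = {}
    for url, raw in published.items():
        seen.setdefault(normalise(raw), set()).add(site(url))
    if len(seen) != 1:
        raise ValueError("sources disagree: %s" % sorted(seen))
    (fpr, domains), = seen.items()
    if len(domains) < min_domains:
        raise ValueError("only published on %s" % sorted(domains))
    return fpr


def key_is_trusted(local_fpr, published, min_domains=2):
    """Compare the locally imported key's fingerprint with the agreed one."""
    return normalise(local_fpr) == agreed_fingerprint(published, min_domains)
```

The value to pass as `local_fpr` is the fingerprint that `gpg --fingerprint` prints for the imported key; a signature check against that key says something about authenticity only after this comparison succeeds.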
Since this website won't let me upload the full log and it's too large to paste here, I'm uploading a truncated execution with double verbosity and --dump headers that shows this bug on an ls.
I just tested this issue on an older version of rclone, and the issue is not present.
So this is a bug that was introduced at some point between rclone v1.53.3-DEV and rclone v1.60.1-DEV.
Here's the same execution as before with an identical rclone.conf but on an older version of rclone (the latest version available in Debian 11 [as opposed to Debian 12]):
user@disp2914:~$ cat /etc/issue
Debian GNU/Linux 11 \n \l
user@disp2914:~$
user@disp2914:~$ rclone version
rclone v1.53.3-DEV
- os/arch: linux/amd64
- go version: go1.15.9
user@disp2914:~$
user@disp2914:~$ rclone ls -vv --dump headers REDACTED_BUCKET:REDACTED_DIR
2023/08/29 20:34:39 DEBUG : rclone: Version "v1.53.3-DEV" starting with parameters ["rclone" "ls" "-vv" "--dump" "headers" "REDACTED_BUCKET:REDACTED_DIR"]
2023/08/29 20:34:39 DEBUG : Using config file from "/home/user/.config/rclone/rclone.conf"
2023/08/29 20:34:39 DEBUG : Creating backend with remote "REDACTED_BUCKET:REDACTED_DIR"
2023/08/29 20:34:39 DEBUG : Creating backend with remote "b2:REDACTED_BUCKET/REDACTED_DIR.bin"
2023/08/29 20:34:39 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2023/08/29 20:34:39 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:39 DEBUG : HTTP REQUEST (req 0xc0002cca00)
2023/08/29 20:34:39 DEBUG : GET /b2api/v1/b2_authorize_account HTTP/1.1
Host: api.backblazeb2.com
User-Agent: rclone/v1.53.3-DEV
Authorization: XXXX
Accept-Encoding: gzip
2023/08/29 20:34:39 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:40 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/08/29 20:34:40 DEBUG : HTTP RESPONSE (req 0xc0002cca00)
2023/08/29 20:34:40 DEBUG : HTTP/1.1 200
Content-Length: 620
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=UTF-8
Date: Wed, 30 Aug 2023 01:34:41 GMT
2023/08/29 20:34:40 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/08/29 20:34:40 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:40 DEBUG : HTTP REQUEST (req 0xc0002cd100)
2023/08/29 20:34:40 DEBUG : POST /b2api/v1/b2_list_file_names HTTP/1.1
Host: api002.backblazeb2.com
User-Agent: rclone/v1.53.3-DEV
Content-Length: 173
Authorization: XXXX
Content-Type: application/json
Accept-Encoding: gzip
2023/08/29 20:34:40 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:42 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/08/29 20:34:42 DEBUG : HTTP RESPONSE (req 0xc0002cd100)
2023/08/29 20:34:42 DEBUG : HTTP/1.1 200
Content-Length: 42
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=UTF-8
Date: Wed, 30 Aug 2023 01:34:42 GMT
2023/08/29 20:34:42 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/08/29 20:34:42 DEBUG : Creating backend with remote "b2:REDACTED_BUCKET/REDACTED_DIR"
2023/08/29 20:34:42 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:42 DEBUG : HTTP REQUEST (req 0xc0002cdb00)
2023/08/29 20:34:42 DEBUG : GET /b2api/v1/b2_authorize_account HTTP/1.1
Host: api.backblazeb2.com
User-Agent: rclone/v1.53.3-DEV
Authorization: XXXX
Accept-Encoding: gzip
2023/08/29 20:34:42 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:42 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/08/29 20:34:42 DEBUG : HTTP RESPONSE (req 0xc0002cdb00)
2023/08/29 20:34:42 DEBUG : HTTP/1.1 200
Content-Length: 620
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=UTF-8
Date: Wed, 30 Aug 2023 01:34:43 GMT
2023/08/29 20:34:42 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/08/29 20:34:42 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:42 DEBUG : HTTP REQUEST (req 0xc0002cdf00)
2023/08/29 20:34:42 DEBUG : POST /b2api/v1/b2_list_file_names HTTP/1.1
Host: api002.backblazeb2.com
User-Agent: rclone/v1.53.3-DEV
Content-Length: 165
Authorization: XXXX
Content-Type: application/json
Accept-Encoding: gzip
2023/08/29 20:34:42 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:42 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/08/29 20:34:42 DEBUG : HTTP RESPONSE (req 0xc0002cdf00)
2023/08/29 20:34:42 DEBUG : HTTP/1.1 200
Content-Length: 775
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=UTF-8
Date: Wed, 30 Aug 2023 01:34:43 GMT
2023/08/29 20:34:42 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/08/29 20:34:42 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:42 DEBUG : HTTP REQUEST (req 0xc000226b00)
2023/08/29 20:34:42 DEBUG : POST /b2api/v1/b2_list_file_names HTTP/1.1
Host: api002.backblazeb2.com
User-Agent: rclone/v1.53.3-DEV
Content-Length: 170
Authorization: XXXX
Content-Type: application/json
Accept-Encoding: gzip
2023/08/29 20:34:42 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/08/29 20:34:42 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/08/29 20:34:42 DEBUG : HTTP RESPONSE (req 0xc000226b00)
2023/08/29 20:34:42 DEBUG : HTTP/1.1 200
Content-Length: 1985
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=UTF-8
Date: Wed, 30 Aug 2023 01:34:43 GMT
2023/08/29 20:34:42 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
REDACTED_FILESIZE REDACTED_FILENAME
REDACTED_FILESIZE REDACTED_FILENAME
REDACTED_FILESIZE REDACTED_FILENAME
2023/08/29 20:34:42 DEBUG : 6 go routines active
user@disp2914:~$
Unfortunately I'll need someone else to confirm if this is still present on the latest version as I can't find any documentation on how to securely install rclone outside of the Debian repos.
As a workaround until this bug is fixed, I was successfully able to fix copying files to my Backblaze B2 bucket using rclone by downgrading one version in Debian 12.
that does not look correct?
perhaps REMOTE:BUCKET/DIR
i cannot be sure, as you were asked twice, to answer all questions, including the redacted config?
if you create a dummy bucket, dir and one file, then no need to redact.
is that error present in the dump you posted?
in any event, if you test using latest rclone, would notice rclone does not HEAD.
just curious, why track down a suspected bug by comparing ancient version versus old version?
are you planning to fork an old version/modify/compile and use that?
trying to understand what you need help with?
on the upside, i like your idea of PGP fingerprint being published in multiple distinct domains
That was an issue in my redaction. There is no issue with the command's remote/bucket/dir/etc. As shown above, the exact same command works fine on one version (the latest version that's available in the Debian 11 repos) but not on the latest version that's available in the Debian 12 repos.