• Bug#1109662: unblock: megatools/1.11.5-1

    From Alberto Garcia@21:1/5 to All on Mon Jul 21 12:20:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    User: [email protected]
    Usertags: unblock
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:megatools

    Please unblock package megatools

    [ Reason ]
    megatools is a command-line client for the Mega cloud storage service.

    Mega has recently started using Hashcash to (presumably) prevent DoS
    attacks, so HTTP requests from clients that don't include a valid
    X-Hashcash header can be rejected with an HTTP 402 code.

    With megatools 1.15.3-1 (the current version in trixie) the result
    looks like this:

    $ megals -l
    ERROR: Can't login to mega.nz: API call 'us' failed: HTTP POST failed: Server returned 402

    After updating megatools to 1.15.5-1 the request works as expected.

    Mega seems to allow connections from the same IP for some time after
    a valid request has been made, so if the user doesn't have the latest
    megatools installed one possible workaround is to log in first using a
    web browser before using the command-line client.


    [ Impact ]
    If the package is not updated users won't be able to use megatools
    normally unless they log in with the browser first as explained in the
    previous paragraph. This is cumbersome in general, and very hard or
    impossible in scenarios where megatools is used remotely over ssh or
    similar.


    [ Tests ]
    I tested manually that Mega returns HTTP 402 for every request until I
    updated the package to the version in sid.


    [ Risks ]
    This package comes with two changes (see the attached diff):

    - Add the X-Hashcash header if the first request fails with HTTP 402.
    I believe that the risk here is very low since this works exactly as
    before and the new code path is only used if access is denied.

    - Identify as Firefox in the User-Agent string (and other headers),
    in order to minimize the risk of the original user agent being
    blocked. I think that the risk is also very low, and in any case it
    would not make things worse than they are now.

    https://salsa.debian.org/berto/megatools/-/blob/debian/1.11.5-1/lib/http.c?ref_type=tags#L176


    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing


    [ Other info ]
    I'm requesting this earlier because as of today the package in sid is
    "too young, only 10 of 20 days old", but I wanted to do it before the
    deadline for unblock requests on the 30th of July.

    unblock megatools/1.11.5-1

    diff --git a/NEWS b/NEWS
    index 6718be6..4635920 100644
    --- a/NEWS
    +++ b/NEWS
    @@ -1,3 +1,12 @@
    +megatools 1.11.5 - 2025-07-06
    +=============================
    +
    +This release implements mega.nz X-Hashcash to handle 402 status responses
    +as suggested by a user.
    +
    +This should handle 402 errors returned by mega.nz.
    +
    +
    megatools 1.11.3 - 2025-02-03
    =============================

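Review bot: The 1.11.5 entry states the 402 handling twice ("implements mega.nz X-Hashcash to handle 402 status responses" and "This should handle 402 errors returned by mega.nz") but does not mention the second change listed under [ Risks ], identifying as Firefox in the User-Agent string and other headers. Suggest dropping the redundant last sentence and adding a line on the User-Agent change, since it alters how the client presents itself to the server. NEWS also jumps from 1.11.3 to 1.11.5 while debian/changelog carries a 1.11.4-1 upload, so a short 1.11.4 entry or a note that it had no user-visible changes would help reviewers of this debdiff.
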
    diff --git a/debian/changelog b/debian/changelog
    index f9a80f9..5c7e4c7 100644
    --- a/debian/changelog
    +++ b/debian/changelog
    @@ -1,3 +1,17 @@
    +megatools (1.11.5-1) unstable; urgency=medium
    +
    + * New upstream release
    +
    + -- Alberto Garcia <[email protected]> Fri, 11 Jul 2025 15:09:54 +0200
    +
    +megatools (1.11.4-1) unstable; urgency=medium
    +
    + * New upstream release.
    + * debian/control:
    + - Update Standards-Version to 4.7.2 (no changes).
    +
    + -- Alberto Garcia <[email protected]> Wed, 07 May 2025 16:26:31 +0200
    +
    megatools (1.11.3-1) unstable; urgency=medium

    * New upstream release.
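
Review bot: The 1.11.5-1 entry at the top of this hunk reads only "* New upstream release", which does not record the X-Hashcash handling for HTTP 402 or the Firefox User-Agent change that the unblock request is based on. Suggest naming both changes in that entry so the checklist item "all changes are documented in the d/changelog" holds from the changelog alone. The debdiff also spans 1.11.4-1 (Standards-Version 4.7.2), which the request text does not mention, and the new entry lacks the trailing period used by the other "New upstream release." lines.
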
    diff --git a/debian/control b/debian/control
    index 21dd60b..3de48a