amazon-linux-2023

[Package Request] - axel

Open debugger-zhang opened this issue 2 years ago • 5 comments

What package is missing from Amazon Linux 2023? Please describe and include package name.
axel

Is this an update to existing package or new package request?
new package request

Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.
This package exists in EPEL

Any additional information you'd like to include. (use-cases, etc)

debugger-zhang Jul 07 '23 02:07

Hi @debugger-zhang. We don't have plans to add axel at this point, since we have at least wget and curl for providing command-line/scriptable download functionality. Do you have needs for this package that aren't addressed by the existing tools? Can you provide details?

nmeyerhans Jul 13 '23 22:07

I filed this task since there are some scripts still using it (e.g. a 5-year-old one: https://github.com/NVIDIA/FastPhotoStyle/blob/master/demo_example1.sh). I can compile and install it manually, but since it is a lightweight and stable package, providing it in the repo should be considered.

debugger-zhang Jul 14 '23 03:07

Looking at the upstream project, a few things caught my eye:

  1. It appears to have (yet another) implementation of various protocol parsing. Even for incredibly widely used software such as curl and wget, there still end up being bugs in this code, and having a more niche implementation around doesn't immediately fill me with confidence about the probability it doesn't also have a number of issues.
  2. There seem to be some.... choices when it comes to functionality that make it rather easy to start fetching artifacts that you don't have a high level of confidence are the ones you intended to fetch.

Notably, these things caught my eye:

https://github.com/axel-download-accelerator/axel/blob/master/doc/axel.txt#L98:

 This will do a search for the linux-2.4.17.tar.bz2 file on filesearching.com and it'll use the four (if possible)
 fastest mirrors for the download (possibly including ftp.kernel.org).

    $ axel -S4 ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.17.tar.bz2

https://github.com/axel-download-accelerator/axel/blob/master/src/search.c#L123:

        snprintf(s, size, "http://www.filesearching.com/cgi-bin/s?"

The above would make me incredibly nervous about adding the package without conducting a more in-depth security review.

Perhaps a way forward here is to either:

  1. Send pull requests to projects where they invoke axel rather than use the more common curl
  2. Author a small package that implements a command line compatible binary but backs onto libcurl instead

stewartsmith Jul 14 '23 04:07
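A sketch of the second option from the comment above, as an added example that is not part of the thread and not code from the axel or Amazon Linux projects. The function names `axel_to_curl` and `axel_compat` are hypothetical, and the handled option subset (`-n`, `-o`, `-q`, `-a`, `-v`) is this example's choice; `-S` is refused so only the URL the caller named is ever fetched.

```shell
#!/bin/sh
# Added example: translate a small subset of axel options into a curl argv.
# Prints one curl argument per line; returns 2 for refused or unsupported input.
axel_to_curl() {
    out="" url="" quiet=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -S*)  # mirror search would pull from hosts the caller never named
                echo "axel-compat: -S (mirror search) is not supported" >&2; return 2 ;;
            -n|-o)
                [ $# -ge 2 ] || { echo "axel-compat: $1 needs a value" >&2; return 2; }
                case "$1" in -o) out=$2 ;; esac   # the -n value is ignored
                shift ;;
            -n[0-9]*|-a|-v) ;;   # ignored: one connection, curl's own progress display
            -q) quiet=1 ;;
            -*) echo "axel-compat: unsupported option $1" >&2; return 2 ;;
            *)
                [ -z "$url" ] || { echo "axel-compat: exactly one URL expected" >&2; return 2; }
                url=$1 ;;
        esac
        shift
    done
    [ -n "$url" ] || { echo "axel-compat: no URL given" >&2; return 2; }
    printf '%s\n' curl --fail --location
    if [ "$quiet" -eq 1 ]; then printf '%s\n' --silent --show-error; fi
    if [ -n "$out" ]; then printf '%s\n' --output "$out"; else printf '%s\n' --remote-name; fi
    printf '%s\n' "$url"
}

# Run the translated command. Arguments are split on newlines only, with
# globbing disabled, so file names containing newlines are not supported.
axel_compat() {
    args=$(axel_to_curl "$@") || return
    oldifs=$IFS; IFS='
'
    set -f; set -- $args; set +f; IFS=$oldifs
    "$@"
}
```

Installed under the name `axel`, a script that calls `axel_compat "$@"` would let existing download scripts keep working while the transfer itself goes through curl.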

I'm starting to import packages I'm missing in al2023 from Fedora that won't be added to a COPR repo: https://copr.fedorainfracloud.org/coprs/faramirza/al2023/ I added axel to the COPR repo.

danie-dejager Jan 05 '24 09:01

I'm going to mark this as a wontfix and point towards curl and wget instead. They're rather simple to be drop-in replacements for, I believe, all use cases, and hold a high security bar.

stewartsmith Sep 26 '24 18:09

We now have this in the documentation: https://docs.aws.amazon.com/linux/al2023/ug/epel.html#axel

stewartsmith Nov 07 '24 22:11