Bug 286532 - pkg-static: An error occured while fetching package: No error
Summary: pkg-static: An error occured while fetching package: No error
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-pkg (Nobody)
URL: https://forums.freebsd.org/threads/pk...
Keywords:
Depends on:
Blocks:
 
Reported: 2025-05-02 20:09 UTC by p5B2EA84B3
Modified: 2025-05-22 13:32 UTC (History)
4 users (show)

See Also:
linimon: maintainer-feedback? (pkg)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description p5B2EA84B3 2025-05-02 20:09:42 UTC 
Having seen multiple complaints about 

pkg-static: An error occured while fetching package: No error

in the FreeBSD forums
https://forums.freebsd.org/threads/pkg-8-an-error-occured-while-fetching-package-no-error.96761/

I now got hit with the same in a poudriere bulk run:

# poudriere bulk -j 14amd64 -b latest -f bulk_amd64 |& tee poud_build.log
[00:00:00] Creating the reference jail... done
[00:00:00] Mounting system devices for 14amd64-default
[00:00:00] Warning: Using packages from previously failed, or uncommitted, build: /poudriere/data/packages/14amd64-default/.building
[00:00:00] Mounting ccache from: /var/cache/ccache_poudriere
[00:00:00] Mounting ports from: /poudriere/ports/default
[00:00:00] Mounting packages from: /poudriere/data/packages/14amd64-default
[00:00:00] Mounting distfiles from: /var/cache/distfiles
[00:00:00] Copying /var/db/ports from: /usr/local/etc/poudriere.d/options
[00:00:00] Appending to make.conf: /usr/local/etc/poudriere.d/14amd64-make.conf
/etc/resolv.conf -> /poudriere/data/.m/14amd64-default/ref/etc/resolv.conf
[00:00:00] Starting jail 14amd64-default
Updating /var/run/os-release done.
[00:00:00] Will build as root:wheel (0:0)
[00:00:01] Ports supports: FLAVORS SUBPACKAGES SELECTED_OPTIONS
[00:00:01] Inspecting /poudriere/data/.m/14amd64-default/ref//usr/ports for modifications to git checkout... no
[00:00:04] Ports top-level git hash: 3bb25f440 
[00:00:04] Acquiring build logs lock for 14amd64-default... done
[00:00:04] Logs: /poudriere/data/logs/bulk/14amd64-default/2025-05-02_21h45m56s
[00:00:04] WWW: http://172.17.17.80/build.html?mastername=14amd64-default&build=2025-05-02_21h45m56s
[00:00:04] Loading MOVED for /poudriere/data/.m/14amd64-default/ref/usr/ports
[00:00:04] Gathering ports metadata
[00:00:07] Calculating ports order and dependencies
[00:00:08] Sanity checking the repository
[00:00:08] Trimming IGNORED and blacklisted ports
[00:00:08] Package fetch: Looking for missing packages to fetch from pkg+https://pkg.FreeBSD.org/${ABI}/latest
Updating FreeBSD repository catalogue...
[pkg.FreeBSD.org] Fetching meta.conf: . done
[pkg.FreeBSD.org] Fetching data.pkg: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 35977 packages processed.
All repositories are up to date.
[00:00:34] Package fetch: Will fetch 10 packages from remote or local pkg cache
The following packages will be fetched:

New packages to be FETCHED:
	curl: 8.13.0_1 (2 MiB: 27.68% of the 6 MiB to download)
	gtk-doc: 1.33.2_3 (420 KiB: 6.82% of the 6 MiB to download)
	py311-calver: 2025.4.17 (9 KiB: 0.15% of the 6 MiB to download)
	py311-lxml: 4.9.3_1 (2 MiB: 31.65% of the 6 MiB to download)
	py311-lxml5: 5.3.2 (1 MiB: 18.76% of the 6 MiB to download)
	py311-markdown: 3.7 (183 KiB: 2.96% of the 6 MiB to download)
	py311-trove-classifiers: 2025.4.11.15 (17 KiB: 0.28% of the 6 MiB to download)
	py311-typing-extensions: 4.13.2 (94 KiB: 1.53% of the 6 MiB to download)
	py311-xml2rfc: 3.28.0 (599 KiB: 9.72% of the 6 MiB to download)
	yelp-tools: 42.0_1 (28 KiB: 0.46% of the 6 MiB to download)

Number of packages to be fetched: 10

The process will require 6 MiB more space.
6 MiB to be downloaded.
pkg-static: An error occured while fetching package: No error
pkg-static: An error occured while fetching package: No error
Error: (8913) /usr/local/share/poudriere/bulk.sh:injail_direct:265: set -e error: status = 1
[00:00:35] Cleaning up
14amd64-default: removed
14amd64-default-n: removed
[00:00:35] Unmounting file systems

So this is happening in a clean jail and I'm pretty sure that here are no network problems.

As some people are affected and do have little idea what causes this problem, please do give some feedback here. Thanks!
Comment 1 Franco Fichtner 2025-05-05 09:02:43 UTC 
I've been digging into this the past week as well. There's certainly a factor here now that vuln.xml is fetched from HTTPS, but the problem appears to be with pkg-static libcurl fetching over TLS as this also pertains to pkg-statice invokes of pkg-upgrade as further indicated here.

I've dug a bit deeper and this error in libcurl ends up being unhandled by pkg integration ("No error"):

https://github.com/freebsd/pkg/blob/main/external/curl/lib/vtls/openssl.c#L4427-L4429

The actual error is:

TLS connect error: error:06880006:asn1 encoding routines::EVP lib


Which indicates a deeper issue in OpenSSL's SSL_connect() function returning 1 instead of zero.

Interestingly enough the non-static version of pkg doesn't appear to suffer from this and pkg-static only suffers from this in 50% of cases, but if it does it does not allow to establish any SSL connection during its runtime (contrary to when it works which works for all fetches during its runtime).

So this looks like an issue specifically tied to static linking into libcurl/OpenSSL although it seems unlikely libcurl is the immediate culprit of this considering its wide usage elsewhere.


Cheers,
Franco
Comment 2 p5B2EA84B3 2025-05-05 10:57:54 UTC 
Thank you Franco for digging in this issue. 
Please write PRs on your findings for the related libraries also.

Is this a security relevant issue?
Comment 3 Franco Fichtner 2025-05-05 10:59:29 UTC 
At the moment I'm unsure what to fix and it also doesn't look like a security issue.
Comment 4 Franco Fichtner 2025-05-08 09:59:48 UTC 
Can you try this? ;)

# sysctl kern.elf64.aslr.enable=0


Cheers,
Franco
Comment 5 p5B2EA84B3 2025-05-12 13:58:43 UTC 
With having sysctl kern.elf64.aslr.enable=0
during pkg install libreoffice firefox-esr 
the error did happen during downloading a larger list of packages. This caused stopping the process.

After reentering pkg install libreoffice firefox-esr the download continued with the missing packages and completed successfully.

Now what does that tell us?
Comment 6 Franco Fichtner 2025-05-13 06:58:46 UTC 
Different problem? libpkg doesn't know some of the errors that libcurl returns so these show up as "no error" all the time.

My test case is simple:

# rm /var/db/pkg/vuln.xml ; ./pkg-static audit -F

Sometimes it fails, sometimes it doesn't.


Cheers,
Franco
Comment 7 Mark Johnston freebsd_committer freebsd_triage 2025-05-13 22:24:50 UTC 
I can reproduce this, but only on 14.2.  Happens with the latest pkg sources.  No problems on a system running FreeBSD main though.  There, I have openssl 3.0.16 versus 3.0.15 on 14.2...
Comment 8 Franco Fichtner 2025-05-14 05:44:11 UTC 
OPNsense 25.1.6 includes the stable/14 commit for OpenSSL 3.0.16. Building 2.1.2 from scratch on such a system produces the same binary behaviour described here.


Cheers,
Franco
Comment 9 Mark Johnston freebsd_committer freebsd_triage 2025-05-14 20:20:22 UTC 
I believe https://github.com/freebsd/pkg/pull/2448 fixes this problem.
Comment 10 Franco Fichtner 2025-05-22 13:32:20 UTC 
2.1.3 did fix the issue for me. If the original submitter could also verify that would be great.


Cheers,
Franco