Re: Future autoconf package compression
From: Jim Meyering
Subject: Re: Future autoconf package compression
Date: Sun, 16 Dec 2012 02:54:50 +0100
Jim Meyering wrote:
> Bob Friesenhahn wrote:
>> On Sat, 24 Nov 2012, Marko Lindqvist wrote:
>>> On 2 March 2012 06:45, Eric Blake <address@hidden> wrote:
>>>>
>>>> The Autoconf team is considering releasing only .xz files for 2.69; if
>>>> this would be a hardship for you, and you need the .gz or .bz2 release,
>>>> please speak up now.
>>>
>>> I just encountered a new argument for providing .gz of autoconf also in
>>> the future.
>>
>> There is no tangible benefit offered to the world by removing the
>> gzip-compressed autoconf package. Xz is excessively complex,
>> excessively large, and has limited portability and stability compared
>> with gzip.
>
> Hi Bob,
>
> I don't know of significant portability problems.
> In my experience, if they are reported and affect significant
> (sometimes even insignificant) portability targets, they will be
> addressed promptly. Can you point to reported problems that
> have not been resolved?
>
> There is no shortage of reasons to avoid gzip these days. One that
> strikes home for me (as a package maintainer) is that there have
> been exploitable CVEs against gzip in the recent past, and the code
> is surprisingly ugly (hence hard to audit). I do not want to require
> tarball consumers to use a tool that I do not feel good about, and gzip
> is one of those. Just because it is still used by so many people (due
> mostly to inertia) does not mean that we should ignore its faults.
FYI, a couple of weeks ago, Aki Helin exposed still more problems in
gzip's unpacking code. Paul Eggert fixed them just a few days ago:
http://git.sv.gnu.org/cgit/gzip.git/commit/?id=f2be148c3d956c2dd19bd6fdbe6d
http://git.sv.gnu.org/cgit/gzip.git/commit/?id=16977ae732bf60f79c9a4fd6d183