bug-gnu-utils

Re: heads-up: 38 cleanup-maint patches


From: Jim Meyering
Subject: Re: heads-up: 38 cleanup-maint patches
Date: Mon, 1 Dec 2014 07:36:39 -0800

On Mon, Dec 1, 2014 at 1:49 AM, Jose E. Marchesi <address@hidden> wrote:
>
>     I will soon push the following clean-up patches.
>     It was nearly 400KB uncompressed, so I'm attaching the compressed
>     version:
>
> Thanks Jim.  Much appreciated :)
>
>       AC_PREREQ(2.62)
>      -AM_INIT_AUTOMAKE([1.11.1 parallel-tests])
>      +AM_INIT_AUTOMAKE([1.11.1 no-dist-gzip dist-xz color-tests 
> parallel-tests])
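Review bot: `no-dist-gzip` is the option that removes the .tar.gz target from `make dist`, and it is the only part of this line that changes what gets distributed; if both formats are wanted, keep `dist-xz` and drop `no-dist-gzip`, since automake's `dist-xz` adds the xz tarball while gzip remains the default. The break between `color-tests` and `parallel-tests` is mail line-wrapping of a space-separated option list, not a change to the options.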
>
> I would like to continue distributing gzip tarballs along with xz
> tarballs.

Hi Jose,
Thanks for the review.

Re continuing to distribute gzip-compressed tarballs,
I have to ask "Why?"

My motivation to avoid gzip is partly because there have been
so many CVEs, that I want to discourage gzip use where I can.
I have spent too much time reading its hard-to-maintain code,
and find xz to be far superior both on design/readability, and
on the performance front. Perhaps I resent gzip for taking some
time out of a Christmas/New Year's vacation to deal with the first
CVE of 2010 :-)

How many people do you know who run gpg --verify
before uncompressing a distribution tarball? Those who skip
that step may be vulnerable to some gzip 0-day. Sure, it's unlikely,
but I have far less confidence in gzip's code than I do in xz's.

Distributing xz-only tarballs has worked fine for 3 years
in other GNU projects: coreutils, grep, diffutils and parted.

If you feel strongly about it, you're welcome to include your
justification in a patch and push it.

Jim
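The ordering Jim is arguing for, authenticate the tarball before any decompressor parses it, as an added example that is not part of the thread and not GNU project code. A detached-signature check (`gpg --verify foo.tar.xz.sig foo.tar.xz`) cannot run offline from the standard library, so this example substitutes a SHA-256 line in sha256sum format and assumes that manifest arrived over a trusted channel; the file name `proj-1.0.tar.gz`, the manifest, and the tarball contents are all constructed in the script.

```python
"""Authenticate a distribution tarball before gzip or tar ever sees its bytes.

Added example, not code from the mailing-list thread or from any GNU project.
The real-world step is `gpg --verify`; a SHA-256 manifest line stands in for
the detached signature here (assumption: the manifest itself is trusted).
"""
import gzip
import hashlib
import hmac
import io
import tarfile


class UnverifiedArchive(Exception):
    """Raised when the archive's digest does not match the trusted manifest."""


def build_sample_tarball() -> bytes:
    """Construct a small gzip-compressed tarball in memory (constructed sample)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        data = b"hello from a release tarball\n"
        info = tarfile.TarInfo("proj-1.0/README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue())


def manifest_line(name: str, blob: bytes) -> str:
    """The line a SHA256SUMS file carries for this tarball ('<hex>  <name>')."""
    return f"{hashlib.sha256(blob).hexdigest()}  {name}"


def parse_manifest(manifest: str) -> dict:
    """Map file name -> expected hex digest from sha256sum-style lines."""
    expected = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def verify_then_extract(name: str, blob: bytes, manifest: str) -> list:
    """Check the digest of the *compressed* bytes; decompress only on success.

    The point is the order: a tampered archive is rejected here, before the
    gzip and tar parsers (the code a decompressor 0-day would live in) run.
    """
    expected = parse_manifest(manifest).get(name)
    if expected is None:
        raise UnverifiedArchive(f"{name}: no entry in manifest")
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UnverifiedArchive(f"{name}: digest mismatch, refusing to decompress")
    # Only now do the untrusted-format parsers see the bytes.
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return tar.getnames()


def main() -> None:
    blob = build_sample_tarball()
    manifest = manifest_line("proj-1.0.tar.gz", blob)
    print("verified, members:", verify_then_extract("proj-1.0.tar.gz", blob, manifest))
    # Flip one bit in the compressed stream: rejected before gzip runs.
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        verify_then_extract("proj-1.0.tar.gz", tampered, manifest)
    except UnverifiedArchive as exc:
        print("rejected:", exc)


if __name__ == "__main__":
    main()
```

The same structure applies with a real signature: the check runs on the compressed file as downloaded, and only a successful `gpg --verify` (against a keyring you obtained independently of the download) is allowed to hand the bytes to `tar`.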


