From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 2BE60158041 for ; Sat, 30 Mar 2024 03:44:01 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C2E52E2AC5; Sat, 30 Mar 2024 03:43:56 +0000 (UTC) Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 7483CE2ABA for ; Sat, 30 Mar 2024 03:43:56 +0000 (UTC) Received: from fews01-sea.riseup.net (fews01-sea-pn.riseup.net [10.0.1.109]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx1.riseup.net (Postfix) with ESMTPS id 4V636M1RBwzDqK3; Sat, 30 Mar 2024 03:43:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1711770235; bh=Gx4awabvuaMaMgrTZQBZBC94kLa8+bLus0aj/qOka/g=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=V57CgZXGWfjsmQh6XisfVJu3ItEmOMhfK86gU4uaUCJNzXrDSWa2EjpPfQF5mkNX0 SMUM3UFPFFC3GM+R/QmrlXYx9hogui7oh8mSfyT/B0WFdx+8MJ10xKh2L6RR9aOmYk LTWZy8febMwmuuC+h0djUA6omXijuEUHZCYh+SfI= X-Riseup-User-ID: 0AFE7A9466A6A83376B5D231EC39A291C5EFE259601B17F2155BEA78DAE37A5C Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews01-sea.riseup.net (Postfix) with ESMTPSA id 4V636L59w2zJrBl; Sat, 30 Mar 2024 03:43:54 +0000 (UTC) Date: Fri, 29 Mar 2024 20:43:35 -0700 From: orbea To: gentoo-dev@lists.gentoo.org Cc: "Eddie Chapman" Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo Message-ID: <20240329204315.3b29449b@Akita> In-Reply-To: References: Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Archives-Salt: 1c4cbdc8-7db9-41d3-a50c-fda4f2d2f2bf X-Archives-Hash: 9cfe69d68ef7d75a06550abb570b4c95 On Sat, 30 Mar 2024 03:07:13 -0000 "Eddie Chapman" wrote: > Given what we've learnt in the last 24hrs about xz utilities, you > could forgive a paranoid person for seriously considering getting rid > entirely of them from their systems, especially since there are > suitable alternatives available. Some might say that's a bit > extreme, xz-utils will get a thorough audit and it will all be fine. > But when a malicious actor has been a key maintainer of something as > complex as a decompression utility for years, I'm not sure I could > ever trust that codebase again. Maybe a complete rewrite will emerge, > but I'm personally unwilling to continue using xz utils in the > meantime for uncompressing anything on my systems, even if it is done > by an unprivileged process. > > I see that many system package ebuilds unconditionally expect > app-arch/xz-utils to be installed simply to be able to decompress the > source archive in SRC_URI. So simply specifying -lzma on your system > isn't going to get rid of it. > > No one could have been expected to foresee what's happened with > xz-utils, but now that it's here, perhaps Gentoo (and other projects > that do) should consider not relying on a single decompression > algorithm for source archives, even just as an insurance against some > other yet unknown disaster with one algorithm or another in future? > > And yes I'm sure there will be individual packages that currently > absolutely need xz-utils installed during the build process, and one > or two that absolutely have to have it available at runtime, but those > bridges can be crossed as and when. > > Eddie > > I think this is an overreaction and we should wait for the dust to settle before making drastic disruptive changes.