Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo

[Dale <rdalek1967@gmail.com>]

Eddie Chapman wrote:
> Michał Górny wrote:
>> On Sat, 2024-03-30 at 14:57 +0000, Eddie Chapman wrote:
>>
>>> Note, I'm not advocating ripping xz-utils out of tree, all I'm saying
>>> is wouldn't it be nice if there were at least 2 alternatives to choose
>>> from? That doesn't have to be disruptive in any way, people who wish to
>>> continue using and trusting xz-utils should be able to continue to do so
>>> without any friction whatsoever.
>> So, you're basically saying we should go out of our way, recompress all
>> distfiles using two alternative compression formats, increase mirror load
>> four times and add a lot of complexity to ebuilds, right?
>>
>> --
>> Best regards,
>> Michał Górny
>>
> Yes that's a very good point, that was something I was wondering in
> weighing up both sides, what the costs would be practically, as I don't
> know the realities of running Gentoo infrastructure. And maybe the costs
> is just too high of a price to pay.
>
> I wonder if increased use of git repos rather than distributed tarballs
> could be part of a solution to those issues, although that could put quite
> a storage burden on every user. Unless they were all shallow git pulls and
> the user could optionally choose to tar up the git directory after clone
> with compression.  But yes granted then there is even more ebuild
> complexity.
>
>
> .
>

There is a lot of unknowns out there.  From what I've read, the person
responsible for writing the code inserted this hack.  There may be no
way to prevent this.  Basically, the person that should have been
trusted with this code violated that trust.  Why is unknown but I'm as
curious about that as anything.  It's like when someone goes to a
grocery store to buy a tomato.  They want organic and there is a organic
sticker on the tomato.  You either trust that sticker, and the
person/company who put it on there, or you don't trust that sticker at
all and avoid buying all tomatoes.  The trust starts with the
person/company that puts that sticker on the tomato.  The person who was
trusted with that code, broke that trust.  There is likely hundreds of
packages out there in the exact same position.  Any package that has few
or only one person writing the code can do the same thing. 

While this should be analyzed as more info comes in, right now, we
should let the devs get us back to as safe a place as possible.  Since
it appears to affect systemd users who don't use Gentoo, which is a huge
target, they certainly need to react as quickly as they can to the devs
actions.  Let's just not overreact just yet.  The devs has rolled back
to a safe, safer, version.  Let time and more info sort this out. If it
is needed, xz will go away, which shouldn't come as a surprise.  I'm
sure the person who did this will never get that trust back. 

Long term, this is going to be interesting to see what all gets
revealed.  The why is one thing.  Another is how to prevent if it can be
at all. 

I'm going back to my hole now. 

Dale

:-)  :-) 

P. S.  Links that some may want to follow, instead of a -dev thread. 

https://bugs.gentoo.org/928134

https://forums.gentoo.org/viewtopic.php?p=8821925