From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
To: gentoo-dev@lists.gentoo.org
References: <20240329204315.3b29449b@Akita> <1671d927-55d5-6f01-2b54-b33981406945@gmail.com>
From: Dale <rdalek1967@gmail.com>
Message-ID: <2423c126-114e-751a-27f4-9b541b311a66@gmail.com>
Date: Sat, 30 Mar 2024 11:07:17 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 SeaMonkey/2.53.18.1
List-Id: Gentoo Linux mail
Reply-to: gentoo-dev@lists.gentoo.org
In-Reply-To:
Content-Type: text/plain; charset=UTF-8

Eddie Chapman wrote:
> Michał Górny wrote:
>> On Sat, 2024-03-30 at 14:57 +0000, Eddie Chapman wrote:
>>
>>> Note, I'm not advocating ripping xz-utils out of tree, all I'm saying
>>> is wouldn't it be nice if there were at least 2 alternatives to choose
>>> from? That doesn't have to be disruptive in any way, people who wish to
>>> continue using and trusting xz-utils should be able to continue to do so
>>> without any friction whatsoever.
>>
>> So, you're basically saying we should go out of our way, recompress all
>> distfiles using two alternative compression formats, increase mirror load
>> four times and add a lot of complexity to ebuilds, right?
>>
>> --
>> Best regards,
>> Michał Górny
>>
> Yes that's a very good point, that was something I was wondering in
> weighing up both sides, what the costs would be practically, as I don't
> know the realities of running Gentoo infrastructure. And maybe the cost
> is just too high of a price to pay.
>
> I wonder if increased use of git repos rather than distributed tarballs
> could be part of a solution to those issues, although that could put quite
> a storage burden on every user. Unless they were all shallow git pulls and
> the user could optionally choose to tar up the git directory after clone
> with compression. But yes granted then there is even more ebuild
> complexity.
>

There are a lot of unknowns out there. From what I've read, the person responsible for writing the code inserted this hack. There may be no way to prevent this. Basically, the person that should have been trusted with this code violated that trust. Why is unknown, but I'm as curious about that as anything.

It's like when someone goes to a grocery store to buy a tomato. They want organic and there is an organic sticker on the tomato. You either trust that sticker, and the person/company who put it on there, or you don't trust that sticker at all and avoid buying all tomatoes. The trust starts with the person/company that puts that sticker on the tomato. The person who was trusted with that code broke that trust.

There are likely hundreds of packages out there in the exact same position. Any package that has few or only one person writing the code can do the same thing. While this should be analyzed as more info comes in, right now we should let the devs get us back to as safe a place as possible. Since it appears to affect systemd users who don't use Gentoo, which is a huge target, they certainly need to react as quickly as they can to the devs' actions. Let's just not overreact just yet. The devs have rolled back to a safe, safer, version. Let time and more info sort this out.

If it is needed, xz will go away, which shouldn't come as a surprise. I'm sure the person who did this will never get that trust back. Long term, this is going to be interesting to see what all gets revealed. The why is one thing. Another is how to prevent it, if it can be at all.

I'm going back to my hole now.

Dale

:-)  :-)

P. S.  Links that some may want to follow, instead of a -dev thread.

https://bugs.gentoo.org/928134
https://forums.gentoo.org/viewtopic.php?p=8821925