From: Doug Goldstein
Date: Thu, 08 May 2008 09:41:49 -0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: RFC: lzma tarball usage
Message-ID: <4823031D.7050303@gentoo.org>
In-Reply-To: <482300F2.9030403@gentoo.org>
References: <1210166592.19574.10.camel@localhost> <20080507185239.541383c9@halo.dirtyepic.sk.ca> <4822FD54.4000904@gentoo.org> <20080508142844.0c5af157@snowcone> <482300F2.9030403@gentoo.org>

Doug Goldstein wrote:
> Ciaran McCreesh wrote:
>> On Thu, 08 May 2008 09:17:08 -0400
>> Doug Goldstein wrote:
>>
>>> It's troubling to me that projects are using lzma when its on-disk
>>> format isn't even final and the project has security issues.
>>>
>>
>> You mean projects like 'GNU tar'?
>>
>>
> As far as I know, Ciaran, all GNU projects have switched or are in the
> process of switching to lzma over bzip2. I believe the issue in
> question which prompted this original e-mail was due to coreutils. But
> I could be wrong.

Additionally, to follow myself up, I believe one of the security issues
was execution of arbitrary data either when untarred or just
decompressed (assuming a specially crafted lzma file).

One of the other fun bits is that lzma requires autotools, but autotools
is going to be compressed with lzma. So if we ever need to autoreconf,
we have a chicken/egg issue.

-- 
gentoo-dev@lists.gentoo.org mailing list
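Added example, not code from this thread or from any of the projects named in it: a small bootstrap-order check that models the chicken/egg case raised above. The tarball-format-to-unpacker mapping, the seed tool set, the package names and their dependency specs are constructed assumptions for illustration. It walks the packages to a fixed point, installing anything whose tarball can be unpacked with a tool already present and whose build dependencies are met, and reports what each leftover package is still waiting on, which is how the cycle (autotools ships only as .lzma, lzma-utils needs autotools to autoreconf) shows up.

```python
"""Bootstrap-order check for source tarballs and their unpackers.

Added example, not code from the gentoo-dev thread. The package names,
tarball formats, dependencies and the seed tool set are constructed
assumptions chosen to reproduce the chicken/egg case discussed there.
"""
from __future__ import annotations

# Which installed tool unpacks which tarball compression (assumed mapping).
UNPACKER = {"gz": "gzip", "bz2": "bzip2", "lzma": "lzma-utils"}


def bootstrap_order(packages, seed):
    """Return (install_order, blocked).

    packages: name -> {"formats": set of compression suffixes the package's
              tarball is published in, "build": set of packages that must be
              installed before it can be built (e.g. autotools when
              autoreconf has to run)}.
    seed:     tools already present on the host before bootstrapping.

    A package becomes installable once at least one of its tarball formats
    can be unpacked with an installed tool and all of its build deps are
    installed. Whatever is left when no further progress is possible is
    blocked; `blocked` maps each leftover package to the names it still
    waits on, so a cycle appears as two entries pointing at each other.
    """
    installed = set(seed)
    order = []
    remaining = dict(packages)
    progress = True
    while remaining and progress:
        progress = False
        for name in sorted(remaining):  # sorted() copies, so deleting is safe
            spec = remaining[name]
            can_unpack = any(UNPACKER[f] in installed for f in spec["formats"])
            if can_unpack and spec["build"] <= installed:
                installed.add(name)
                order.append(name)
                del remaining[name]
                progress = True
    blocked = {}
    for name, spec in remaining.items():
        missing = set(spec["build"]) - installed
        if not any(UNPACKER[f] in installed for f in spec["formats"]):
            missing |= {UNPACKER[f] for f in spec["formats"]} - installed
        blocked[name] = sorted(missing)
    return order, blocked


# Constructed seed: what a minimal stage tarball is assumed to already have.
SEED = {"gzip", "bzip2"}

# Constructed scenario from the thread: autotools is published only as
# .lzma, and lzma-utils needs autotools because it must be autoreconf'ed.
LZMA_ONLY = {
    "lzma-utils": {"formats": {"gz"}, "build": {"autotools"}},
    "autotools": {"formats": {"lzma"}, "build": set()},
}

# Same scenario, but autotools also keeps a .gz tarball, which the seed
# toolchain can unpack, so the cycle is broken.
WITH_GZ_FALLBACK = {
    "lzma-utils": {"formats": {"gz"}, "build": {"autotools"}},
    "autotools": {"formats": {"lzma", "gz"}, "build": set()},
}

if __name__ == "__main__":
    for label, pkgs in (("lzma-only", LZMA_ONLY), ("gz-fallback", WITH_GZ_FALLBACK)):
        order, blocked = bootstrap_order(pkgs, SEED)
        print(f"{label}: order={order} blocked={blocked}")
```

For the lzma-only scenario the order comes back empty with autotools waiting on lzma-utils and lzma-utils waiting on autotools; with the .gz fallback the order is autotools, then lzma-utils. The practical check this encodes: before a tree switches a bootstrap-critical package to a new-only compression format, confirm that at least one of the tools needed to unpack it does not itself depend on that package.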