From: "Eddie Chapman"
To: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
Date: Sat, 30 Mar 2024 03:07:13 -0000
Subject: [gentoo-dev] Current unavoidable use of xz utils in Gentoo

Given what we've learnt in the last 24hrs about xz utilities, you could forgive a paranoid person for seriously considering getting rid of them entirely from their systems, especially since there are suitable alternatives available.

Some might say that's a bit extreme: xz-utils will get a thorough audit and it will all be fine. But when a malicious actor has been a key maintainer of something as complex as a decompression utility for years, I'm not sure I could ever trust that codebase again. Maybe a complete rewrite will emerge, but I'm personally unwilling to continue using xz utils in the meantime for uncompressing anything on my systems, even if it is done by an unprivileged process.

I see that many system package ebuilds unconditionally expect app-arch/xz-utils to be installed simply to be able to decompress the source archive in SRC_URI. So simply specifying -lzma on your system isn't going to get rid of it.

No one could have been expected to foresee what's happened with xz-utils, but now that it's here, perhaps Gentoo (and other projects that do) should consider not relying on a single decompression algorithm for source archives, even just as insurance against some other yet unknown disaster with one algorithm or another in future?

And yes, I'm sure there will be individual packages that currently absolutely need xz-utils installed during the build process, and one or two that absolutely have to have it available at runtime, but those bridges can be crossed as and when.

Eddie
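The point above about SRC_URI is a measurable one: the decompressor an ebuild needs to unpack its distfiles is implied by the archive suffixes in SRC_URI, not declared as a dependency. The script below is an added example, not part of the original post and not Gentoo's or Portage's own code. It parses SRC_URI strings the way they are written in ebuilds (space-separated URIs, `url -> filename` renames, and USE-conditional groups of the form `flag? ( ... )`) and reports which decompressor package each distfile requires. The suffix-to-package table, the package atoms and the SRC_URI values are constructed for illustration and are assumptions, not data read from the tree.

```python
"""Report which packages need a given decompressor just to unpack SRC_URI.

Added example (not Gentoo's own tooling). Parses SRC_URI strings in the
ebuild syntax: whitespace-separated URIs, `url -> distfile` renames and
USE-conditional groups `flag? ( ... )`. Every conditional branch is
included, because we want the superset of tools that could be required.
"""
import re

# Archive suffix -> package providing the decompressor. These pairings are
# the usual Gentoo ones but are assumed here rather than read from any ebuild.
SUFFIX_TOOL = {
    ".tar.xz": "app-arch/xz-utils", ".txz": "app-arch/xz-utils",
    ".xz": "app-arch/xz-utils", ".lzma": "app-arch/xz-utils",
    ".tar.gz": "app-arch/gzip", ".tgz": "app-arch/gzip", ".gz": "app-arch/gzip",
    ".tar.bz2": "app-arch/bzip2", ".tbz2": "app-arch/bzip2", ".bz2": "app-arch/bzip2",
    ".tar.zst": "app-arch/zstd", ".zst": "app-arch/zstd",
    ".zip": "app-arch/unzip",
}

TOKEN_RE = re.compile(r"\S+")


def distfiles(src_uri):
    """Return the distfile names an SRC_URI string fetches.

    Raises ValueError on unbalanced parentheses or a dangling `->`.
    """
    tokens = TOKEN_RE.findall(src_uri)
    files = []
    depth = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.endswith("?"):            # USE flag introducing a group
            i += 1
            continue
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in SRC_URI")
        elif tok == "->":
            raise ValueError("'->' without a preceding URI or target name")
        else:
            # A URI; honour an explicit `url -> name` rename if present.
            if i + 2 < len(tokens) and tokens[i + 1] == "->":
                files.append(tokens[i + 2])
                i += 3
                continue
            files.append(tok.rsplit("/", 1)[-1])
        i += 1
    if depth != 0:
        raise ValueError("unbalanced '(' in SRC_URI")
    return files


def tool_for(filename):
    """Decompressor package a distfile needs, or None if it is not an archive."""
    name = filename.lower()
    # Longest suffix first so ".tar.xz" is not shadowed by ".xz" style entries.
    for suffix in sorted(SUFFIX_TOOL, key=len, reverse=True):
        if name.endswith(suffix):
            return SUFFIX_TOOL[suffix]
    return None


def unpack_deps(packages):
    """Map each package atom to the sorted list of decompressors its SRC_URI needs."""
    out = {}
    for atom, src_uri in packages.items():
        tools = {tool_for(f) for f in distfiles(src_uri)}
        tools.discard(None)
        out[atom] = sorted(tools)
    return out


def needing(packages, tool="app-arch/xz-utils"):
    """Atoms whose sources cannot be unpacked without `tool`."""
    return sorted(atom for atom, tools in unpack_deps(packages).items() if tool in tools)


# Constructed sample SRC_URI values, shaped like real ebuilds but invented here.
SAMPLE = {
    "sys-apps/foo-1.2": "https://example.org/foo/foo-1.2.tar.xz",
    "dev-libs/bar-3.0": "https://example.org/bar-3.0.tar.gz "
                        "doc? ( https://example.org/bar-3.0-docs.tar.xz )",
    "app-misc/baz-0.9": "https://example.org/dl/v0.9.tar.gz -> baz-0.9.tar.gz",
    "net-misc/qux-2": "https://example.org/qux-2.zip",
}

if __name__ == "__main__":
    for atom, tools in unpack_deps(SAMPLE).items():
        print(atom, "->", ", ".join(tools) or "(none)")
    print("need xz-utils to unpack:", needing(SAMPLE))
```

On a real system the `SAMPLE` dict would be filled from the installed ebuilds (for example by reading SRC_URI out of each package's metadata); the parser and the reporting logic stay the same. Note that this only covers unpacking: a package that calls xz at build or run time is a separate dependency question, as the post says.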