Re: Future autoconf package compression

From: Jim Meyering
Subject: Re: Future autoconf package compression
Date: Sun, 16 Dec 2012 02:54:50 +0100

Jim Meyering wrote:
> Bob Friesenhahn wrote:
>> On Sat, 24 Nov 2012, Marko Lindqvist wrote:
>>> On 2 March 2012 06:45, Eric Blake <address@hidden> wrote:
>>>> The Autoconf team is considering releasing only .xz files for 2.69; if
>>>> this would be a hardship for you, and you need the .gz or .bz2 release,
>>>> please speak up now.
>>> I just encountered a new argument for providing .gz of autoconf also in
>>> the future.
>> There is no tangible benefit offered to the world by removing the
>> gzip-compressed autoconf package.  Xz is excessively complex,
>> excessively large, and has limited portability and stability compared
>> with gzip.
> Hi Bob,
> I don't know of significant portability problems.
> In my experience, if they are reported and affect significant
> (sometimes even insignificant) portability targets, they will be
> addressed promptly.  Can you point to reported problems that
> have not been resolved?
> There is no shortage of reasons to avoid gzip these days.  One that
> strikes home for me (as a package maintainer) is that there have
> been exploitable CVEs against gzip in the recent past, and the code
> is surprisingly ugly (hence hard to audit).  I do not want to require
> tarball consumers to use a tool that I do not feel good about, and gzip
> is one of those.  Just because it is still used by so many people (due
> mostly to inertia) does not mean that we should ignore its faults.

FYI, a couple of weeks ago, Aki Helin exposed still more problems in
gzip's unpacking code.  Paul Eggert fixed them just a few days ago:
