qemu-devel

Re: Backdoor in xz, should we switch compression format for tarballs?


From: Alex Bennée
Subject: Re: Backdoor in xz, should we switch compression format for tarballs?
Date: Sat, 30 Mar 2024 05:33:48 +1100

Um maybe?

From what I've read so far, it doesn't seem the format is compromised, but it certainly seems like a concerted attempt to subvert an upstream. However, a knee-jerk jump to another format might be premature without carefully considering if other upstreams have been targeted.

I guess zstd is overseen by Facebook but it's still a mostly single contributor repo. Lzip's history directly ties to the original author of xz and we haven't heard from them yet.

We should certainly keep an eye on the situation but let's not be too hasty.

On Sat, 30 Mar 2024, 05:00 Paolo Bonzini, <pbonzini@redhat.com> wrote:
For more info, see https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/ but, essentially, xz was backdoored and it seems like upstream was directly responsible for this.

Based on this, should we switch our distribution from bz2+xz to bz2+zstd or bz2+lzip?

Thanks,

Paolo
