This is the mail archive of the
mailing list for the GCC project.
Re: Steering committee, please, consider using lzip instead of xz
- From: Jakub Jelinek <jakub at redhat dot com>
- To: Antonio Diaz Diaz <antonio at gnu dot org>
- Cc: gcc at gcc dot gnu dot org, "Matias A. Fonzo" <selk at dragora dot org>
- Date: Thu, 8 Jun 2017 11:42:48 +0200
- Subject: Re: Steering committee, please, consider using lzip instead of xz
- Reply-to: Jakub Jelinek <jakub at redhat dot com>
On Thu, Jun 08, 2017 at 11:27:30AM +0200, Antonio Diaz Diaz wrote:
> Gzip was once ubiquitous in distro packages and it was replaced. But this
> time distros won't lead the change because they can work around the main
> defects of xz. As you can read in section 2.2 of

You keep referencing the marketing pages of one of the formats comparing it to
other formats; that can hardly be considered unbiased. Most of the
compression formats have similar kinds of pages, usually biased as well.

> "Distributing software in xz format can only be guaranteed to be safe if the
> distributor controls the decompressor run by the user (or can force the use
> of external means of integrity checking)".
> Distros control the package manager, which can even verify package
> signatures by default. For them xz, or even lzma-alone, is good enough. The
> only way for distros to change is that a significant number of upstream
> projects change first. This is why upstream projects willing and able to
> compare lzip and xz based on their technical merits are required to lead the

For integrity checking, gcc provides the md5.sum, sha512.sum files on
gcc.gnu.org and gpg signatures on ftp.gnu.org. The choice of xz is that it
is used very widely these days, which is not the case of lzip.