This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Steering committee, please, consider using lzip instead of xz


On Thu, 8 Jun 2017 11:42:48 +0200
Jakub Jelinek <jakub@redhat.com> wrote:

> On Thu, Jun 08, 2017 at 11:27:30AM +0200, Antonio Diaz Diaz wrote:
> > Gzip was once ubiquitous in distro packages and it was replaced.
> > But this time distros won't lead the change because they can work
> > around the main defects of xz. As you can read in section 2.2 of
> > http://www.nongnu.org/lzip/xz_inadequate.html#fragmented  
> 
> You keep referencing the marketing pages of one of the formats
> comparing to other formats, that can be hardly considered unbiased.
> Most of the compression formats have similar kind of pages, usually
> biased as well.
> 
> > "Distributing software in xz format can only be guaranteed to be
> > safe if the distributor controls the decompressor run by the user
> > (or can force the use of external means of integrity checking)".
> > 
> > Distros control the package manager, which can even verify package
> > signatures by default. For them xz, or even lzma-alone, is good
> > enough. The only way for distros to change is that a significant
> > number of upstream projects change first. This is why upstream
> > projects willing and able to compare lzip and xz based on their
> > technical merits are required to lead the way.  
> 
> For integrity checking, gcc provides the md5.sum, sha512.sum files on
> gcc.gnu.org and gpg signatures on ftp.gnu.org.  The choice of xz is
> that it is used very widely these days, which is not the case of lzip.
> 

This works well as a complement, but this seems to be a mere excuse to
palliate the defects of the compressor, in this case of xz.  It would
be different if the signatures were accompanied with a well-designed
compressor (like lzip).

Attachment: pgpcW3jWDadiB.pgp
Description: OpenPGP digital signature

