On 25/03/17 06:26, Ariel Santana Naranjo wrote:
> Dear maintainers,
>
> I have made an unsettling discovery:
> http://www.nongnu.org/lzip/lzip_benchmark.html#busybox
> "error detection in the xz format is silently broken."
>
> If this is true (and it might be, because it provides a reproducer), why
> is such a central project as GNU Coreutils being distributed in xz
> format only? Shouldn't Coreutils switch to a safe-by-default compressed
> format, as the above link suggests?

This request is a little light on info.
Looking for a few mins I see these checks are currently in place:

  - The compressed data is checked with gpg
  - xz headers are always checksummed with crc32
  - xz uncompressed data is checksummed with crc64 by default

Your proposal is to specify --check=crc32 when compressing
to support checks with busybox unxz. This seems fair enough,
but would also probably hit the pristine-tar issue mentioned in this thread:
https://lists.gnu.org/archive/html/coreutils/2017-01/msg00014.html

cheers,
Pádraig
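
Added example, not part of the original message or of any project's code: a way to read which integrity check an .xz file declares, by validating the CRC32-protected stream header mentioned in the list above. The function names and the sample payload are constructed for illustration, and the crc32-only decoder is an assumption taken from the --check=crc32 proposal.

```python
import lzma
import struct
import zlib

XZ_MAGIC = b"\xfd7zXZ\x00"
# Check IDs defined by the .xz file format (low 4 bits of the second flag byte).
CHECK_NAMES = {0x00: "none", 0x01: "crc32", 0x04: "crc64", 0x0A: "sha256"}


def xz_check_type(data: bytes) -> str:
    """Return the integrity check declared in an .xz stream header.

    Header layout (12 bytes): magic(6) | stream flags(2) | CRC32 of flags (LE).
    """
    if len(data) < 12 or data[:6] != XZ_MAGIC:
        raise ValueError("not an .xz stream")
    flags = data[6:8]
    (stored_crc,) = struct.unpack("<I", data[8:12])
    if zlib.crc32(flags) != stored_crc:
        raise ValueError("stream header CRC32 mismatch")
    if flags[0] != 0 or flags[1] & 0xF0:
        raise ValueError("reserved stream flag bits are set")
    return CHECK_NAMES.get(flags[1], "unknown(0x%02x)" % flags[1])


def verified_by(data: bytes, supported=("crc32",)) -> bool:
    """True if a decoder implementing only `supported` checks (assumption:
    a crc32-only unxz) would verify the uncompressed data of this stream."""
    return xz_check_type(data) in supported


# Constructed sample payload, compressed both ways discussed in the thread.
SAMPLE = b"constructed sample payload\n" * 4
DEFAULT_XZ = lzma.compress(SAMPLE)                        # crc64 by default
CRC32_XZ = lzma.compress(SAMPLE, check=lzma.CHECK_CRC32)  # like --check=crc32

if __name__ == "__main__":
    for name, blob in (("default", DEFAULT_XZ), ("crc32", CRC32_XZ)):
        print(name, xz_check_type(blob), "verified:", verified_by(blob))
```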