On Fri, Feb 27, 2026 at 9:23 AM William Richards #SaveOurInternet
<[email protected]> wrote:

> So do Linux distros Debian and Ubuntu have to compress a package with XZ 
> Utils only once?

Have to compress only once, no.
But as practical matter, for many reasons, when compressed for a package,
generally done once and that's it, and especially so for any released version.
Basically that's it, it needs to remain unchanged, because, e.g. (secure) hashes
in Packages file(s), etc.  Any changes needed ... new version, new hash(es).

> Can you get in touch with more powerful Debian & Ubuntu developers
Not my job/responsibility.  You asked from a Debian list, you ought best ask
there.  I am not a Debian list, forum, developer, nor maintainer.  And as for
Ubuntu, go ask somewhere suitable for Ubuntu.
See also:
http://www.catb.org/~esr/faqs/smart-questions.html#noprivate

> if they're considering if they were going to compress OpenSSH around the time 
> the backdoor was discovered? Asking this because projects improve with every 
> update and I feel the same would apply to XZ Utils.
Moot for Debian.  Was never in stable.
Was in unstable/testing, but those don't get security (team) support,
for the most part there, any security bugs there are mostly handled like
any other bug (though there's some additional tracking and such).
So, it was a (security) bug, it was fixed, new package(s) released,
pretty much end of story.  If someone wants to dig into archives and run
older buggy stuff with bugs and security bugs from unstable/testing,
well, that's on them.  But no, those don't get recompressed.  They don't change.
Heck, folks may want/need to research what happened, or what was in the earlier,
etc, for any number of lots of possible reasons.  It's basically history.
History doesn't get rewritten.
So, really no reason to be recompressing the older,
and helluva lot of reasons not to and why that would generally be problematic.

> On Thu, Feb 26, 2026 at 1:30 AM Michael Paoli <[email protected]> 
> wrote:
>>
>> Presuming you're talking about the .deb files,
>> as far as I'm aware, they, or more accurately
>> some of their contents, is compressed when the
>> package is created.
>>
>> When the compression program is updated,
>> no, pretty dang sure Debian isn't going to go back and
>> recompress all the .deb files that were ever compressed with that
>> program.  That would really be pretty dang wasteful in terms of resources,
>> and other complications.  E.g. if the content weren't identical for the same
>> version of package, that would mean different hashes, thus they wouldn't
>> check/compare same to the older, so, to distinguish, they'd all need a new
>> version, and all the software would count those as new versions, and want
>> to download and upgrade all those for ... the exact same content - other than
>> teensy difference in the compressed content, not the uncompressed at all,
>> as that would still be identical (well other than if we also bump version 
>> number
>> data).  So, no ... just no.
>>
>> Just think about it logically.  Also look over practice on the
>> packages and archives,
>> timestamps, hashes, etc.  So, no, the packages aren't recompressed on 
>> account of
>> compression programs changing.  Now, if there were any actual compromise of
>> security of the packages on account of some exploit in the compression
>> program (or anything
>> else along the packaging chain), then that would be a security issue
>> for the package,
>> and, at least if under support, would then mean a new version with new 
>> hashes,
>> but as far as I'm aware, nothing of the sort has ever occurred, though the xz
>> exploit was probably the closest that's ever come.  But the exploit
>> code in there
>> not only never made it beyond testing, it was also very specific in
>> what it exploited
>> and how, so, it never introduced any issues into what it compressed (other 
>> than
>> the compression and/or decompression taking wee bit longer, as that code was
>> also doing some things it never should've been doing, but unless it was under
>> very specific circumstances, that just burned some CPU cycles and maybe wee
>> bit more RAM, but didn't really do a net anything beyond that).
>>
>> On Tue, Feb 24, 2026 at 12:15 AM William Richards #SaveOurInternet
>> <[email protected]> wrote:
>> >
>> > Does a package only get compressed when it is updated or when the 
>> > compressor used to compress it (e.g. Zstandard, XZ, etc.) is updated? I'm 
>> > hoping this is only the case if the program itself gets updated because 
>> > this would decrease the chance of exploits and backdoors.
>> > I'm asking this for a friend and they're extremely scared about this kind 
>> > of thing.
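
The point made above, that the archive's hashes are taken over the compressed bytes, so recompressing identical content with a different compressor version or setting would fail the recorded hash and effectively require a new package version, can be shown directly. The following is an added example, not code from this thread or from Debian's tooling; the payload, the package name and the Packages stanza are constructed, and the "recompressed" variant simply uses a different xz preset and integrity check to stand in for a newer compressor producing a different byte stream:

```python
"""Why a published .deb (or its compressed data member) is never recompressed."""
import hashlib
import lzma

# Constructed stand-in for a package's data member. A real data.tar.xz would
# be a tar archive, but any repeatable byte string makes the point.
PAYLOAD = b"".join(
    b"file-%03d: the same package content, unchanged\n" % i for i in range(200)
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compress_xz(payload: bytes, preset: int, check: int) -> bytes:
    """Compress into the .xz container with the given preset and check type.
    A different liblzma version or different settings may legitimately emit a
    different byte stream for the very same input."""
    return lzma.compress(payload, format=lzma.FORMAT_XZ, preset=preset, check=check)


def packages_stanza(filename: str, blob: bytes) -> str:
    """Build the fields apt checks, in Packages-file form (a minimal
    constructed stanza, not a real Debian archive entry)."""
    return (
        "Package: example-pkg\n"
        f"Filename: {filename}\n"
        f"Size: {len(blob)}\n"
        f"SHA256: {sha256_hex(blob)}\n"
    )


def parse_stanza(stanza: str) -> dict:
    """Split 'Key: value' lines into a dict."""
    fields = {}
    for line in stanza.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def verify_against_packages(stanza: str, blob: bytes) -> bool:
    """The check a package client performs: the downloaded bytes must match the
    recorded size and hash exactly. The uncompressed content is never consulted."""
    fields = parse_stanza(stanza)
    return int(fields["Size"]) == len(blob) and fields["SHA256"] == sha256_hex(blob)


def demo() -> dict:
    """Compare the originally published blob with a recompressed one."""
    original = compress_xz(PAYLOAD, preset=0, check=lzma.CHECK_CRC32)
    recompressed = compress_xz(PAYLOAD, preset=1, check=lzma.CHECK_SHA256)
    # Hypothetical pool path; the stanza records the hash of the ORIGINAL blob.
    stanza = packages_stanza("pool/main/e/example-pkg_1.0_all.deb", original)
    return {
        # Uncompressed content is identical either way ...
        "same_uncompressed": lzma.decompress(original) == lzma.decompress(recompressed) == PAYLOAD,
        # ... but the compressed bytes are not ...
        "same_compressed": original == recompressed,
        # ... so only the blob that was hashed when the archive was built verifies.
        "original_verifies": verify_against_packages(stanza, original),
        "recompressed_verifies": verify_against_packages(stanza, recompressed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The recompressed blob decompresses to byte-identical content, yet it fails the Packages-file check, which is exactly why a changed compressed artifact has to be treated as a new version with new hashes rather than silently swapped in place.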
