Hi, I just installed Fedora on 2 of my PCs a couple of weeks ago. One version of Fedora 39 release and one of Fedora 40 to see where things are going.
I learned about this XZ-hack from Ars Technica & The Economist. I got to the Fedora Magazine article and wasn't really clear on that. So I followed the discussion to this thread in this Development mailing list. I read a lot of it but _still_ can't 100% figure out what the final solution is going to be. I have a question about that. I'm for sure OK that a responsibly developed FOSS project can contribute value and should be welcomed. ISTM that if a package is used on critical-path or security-path by default in a Distro it needs a higher bar. IIUC from this thread and online discussions about XZ & alternatives that 1] Lack of committer 'Real' identity confidence and verification is a problem. 2] Undetected differences source + packaging in repo vs tarballs are unchecked. 3] Under-resourced development creates risk; 'Many eyes' bench depth in development is needed. 4] XZ has a single, unsupported committer. 5] ZSTD is developed & used at Facebook. 6] ZSTD matches or outperforms XZ and most other compression in most metrics. 7] ZSTD is already used for default compression by Distros. I get that there's never going to be 100% perfect solution. But wouldnt' switching Fedora from using XZ to ZSTD by default fix a lot of the uncertainty around at least this current issue? Is that being considered in Fedora? Or is the focus trying to fix XZ to continue to use it? Thanks for any help to understand all this :-) Cheers! Arnie -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
