On Thu, Jun 08, 2017 at 11:27:30AM +0200, Antonio Diaz Diaz wrote:
> Gzip was once ubiquitous in distro packages and it was replaced. But this
> time distros won't lead the change because they can work around the main
> defects of xz. As you can read in section 2.2 of
> http://www.nongnu.org/lzip/xz_inadequate.html#fragmented

You keep referencing the marketing pages of one of the formats comparing to
other formats, which can hardly be considered unbiased.  Most of the
compression formats have similar kinds of pages, usually biased as well.

> "Distributing software in xz format can only be guaranteed to be safe if the
> distributor controls the decompressor run by the user (or can force the use
> of external means of integrity checking)".
> 
> Distros control the package manager, which can even verify package
> signatures by default. For them xz, or even lzma-alone, is good enough. The
> only way for distros to change is that a significant number of upstream
> projects change first. This is why upstream projects willing and able to
> compare lzip and xz based on their technical merits are required to lead the
> way.

For integrity checking, gcc provides the md5.sum, sha512.sum files on
gcc.gnu.org and gpg signatures on ftp.gnu.org.  The choice of xz is that it
is used very widely these days, which is not the case of lzip.

        Jakub
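The external integrity checks Jakub mentions (a `sha512.sum` file plus a detached GPG signature) are what protect a release archive regardless of which compressor's built-in check is used. The script below is an added example, not part of this thread and not code from gcc or from either compression project; the file names `release.tar.xz`, `sha512.sum` and `release.tar.xz.sig` are assumed placeholders, and the digest-file layout is the usual `<hex>  <name>` form written by `sha512sum`.

```shell
#!/bin/sh
# Added example: verify a downloaded archive with external checks
# (a sha512.sum file and a detached GPG signature) before the
# archive is ever handed to xz or tar. File names are assumptions.

# verify_sha512 FILE SUMFILE
# Looks up FILE's entry in SUMFILE (format: "<hex>  <name>" per line,
# optionally "<hex> *<name>" for binary mode) and compares it with the
# digest computed locally. Returns 0 on match, 1 on mismatch or no entry.
verify_sha512() {
    file=$1
    sumfile=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sumfile" \
               | tr 'A-Z' 'a-z')
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum < "$file" | awk '{ print $1 }')
    else
        # Fallback for systems without GNU coreutils (e.g. macOS).
        actual=$(shasum -a 512 < "$file" | awk '{ print $1 }')
    fi
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_signature FILE SIGFILE
# Checks a detached signature with gpg. The signer's public key must
# already be in the local keyring; gpg decides whether it is trusted.
# Returns gpg's status, or 2 when gpg is not installed at all.
verify_signature() {
    file=$1
    sig=$2
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $sig" >&2
        return 2
    fi
    gpg --batch --verify "$sig" "$file"
}

# verify_release ARCHIVE SUMFILE SIGFILE
# Both checks must pass before the caller decompresses the archive.
verify_release() {
    verify_sha512 "$1" "$2" || { echo "digest mismatch for $1" >&2; return 1; }
    verify_signature "$1" "$3" || { echo "signature check failed for $1" >&2; return 1; }
    echo "$1: digest and signature OK"
}

# Usage (assumed names): sh verify.sh release.tar.xz sha512.sum release.tar.xz.sig
if [ "$#" -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```

Only after `verify_release` succeeds should the archive be passed to `xz -d` or `tar -xJf`; a mismatch in either check is the signal to discard the download rather than "try anyway".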
