On Thu, 8 Jun 2017 11:42:48 +0200 Jakub Jelinek <ja...@redhat.com> wrote:
> On Thu, Jun 08, 2017 at 11:27:30AM +0200, Antonio Diaz Diaz wrote:
> > Gzip was once ubiquitous in distro packages and it was replaced.
> > But this time distros won't lead the change because they can work
> > around the main defects of xz. As you can read in section 2.2 of
> > http://www.nongnu.org/lzip/xz_inadequate.html#fragmented
>
> You keep referencing the marketing pages of one of the formats
> comparing it to other formats, which can hardly be considered unbiased.
> Most of the compression formats have similar kinds of pages, usually
> biased as well.
>
> > "Distributing software in xz format can only be guaranteed to be
> > safe if the distributor controls the decompressor run by the user
> > (or can force the use of external means of integrity checking)".
> >
> > Distros control the package manager, which can even verify package
> > signatures by default. For them xz, or even lzma-alone, is good
> > enough. The only way for distros to change is that a significant
> > number of upstream projects change first. This is why upstream
> > projects willing and able to compare lzip and xz based on their
> > technical merits are required to lead the way.
>
> For integrity checking, gcc provides the md5.sum, sha512.sum files on
> gcc.gnu.org and gpg signatures on ftp.gnu.org. The choice of xz is
> that it is used very widely these days, which is not the case of lzip.

This works well as a complement, but this seems to be a mere excuse to palliate the defects of the compressor, in this case of xz. It would be different if the signatures were accompanied by a well-designed compressor (like lzip).
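The "external means of integrity checking" that both sides of the thread refer to is a detached digest list such as the sha512.sum file on gcc.gnu.org, checked before the archive is ever handed to the decompressor. The following is an added illustration of that verify-first flow, written for this page; it is not code from the thread, from GCC or from lzip/xz. It uses Python's standard lzma module in place of the xz tool, a constructed payload standing in for a release tarball, and an assumed filename gcc-x.y.z.tar.xz; the GPG signature step on ftp.gnu.org is not reproduced because it needs a keyring. The point it demonstrates is that with the digest verified up front, the decompressor only ever sees bytes that already matched the published hash, so its own integrity check is reduced to a secondary line of defence:

```python
import hashlib
import hmac
import lzma

# Constructed sample payload standing in for a release tarball (not a real GCC release).
SAMPLE_PAYLOAD = b"gcc-x.y.z/README\n" * 200 + b"gcc-x.y.z/configure\n" * 50


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def publish(payload: bytes, name: str = "gcc-x.y.z.tar.xz"):
    """Distributor side: compress to .xz and emit one line in the sha512sum
    output format used by files such as sha512.sum ("<hex digest>  <filename>")."""
    blob = lzma.compress(payload, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC64)
    return blob, f"{sha512_hex(blob)}  {name}\n"


def parse_sum_file(text: str) -> dict:
    """Parse sha512sum-style lines into {filename: hex_digest}.
    Accepts both the text ("  ") and binary (" *") separators."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        filename = rest.lstrip(" *")
        if len(digest) != 128 or not filename:
            raise ValueError(f"malformed checksum line: {line!r}")
        digests[filename] = digest.lower()
    return digests


def verify_then_decompress(blob: bytes, name: str, sum_text: str) -> bytes:
    """Consumer side: the decompressor only runs on bytes whose external
    digest matched. A mismatch is refused before any xz parsing happens."""
    expected = parse_sum_file(sum_text).get(name)
    if expected is None:
        raise ValueError(f"no digest listed for {name}")
    if not hmac.compare_digest(sha512_hex(blob), expected):
        raise ValueError("SHA-512 mismatch: refusing to decompress")
    return lzma.decompress(blob, format=lzma.FORMAT_XZ)


def flip_bit(blob: bytes, offset: int) -> bytes:
    """Simulate a corrupted or tampered download by flipping one bit."""
    out = bytearray(blob)
    out[offset] ^= 0x01
    return bytes(out)


def outcome(blob: bytes, name: str, sum_text: str) -> str:
    """Summarise what the verify-first path does with a given download."""
    try:
        verify_then_decompress(blob, name, sum_text)
        return "verified"
    except ValueError:
        return "rejected by checksum"


def decompressor_alone(blob: bytes) -> str:
    """What the xz decompressor says when handed the same bytes with no
    external check. Shown for contrast only; the verdict is not asserted on,
    since it depends on where in the stream the damage lands."""
    try:
        lzma.decompress(blob, format=lzma.FORMAT_XZ)
        return "accepted"
    except lzma.LZMAError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    name = "gcc-x.y.z.tar.xz"
    blob, sum_text = publish(SAMPLE_PAYLOAD, name)
    print("good download:", outcome(blob, name, sum_text))
    bad = flip_bit(blob, len(blob) // 2)
    print("corrupted download:", outcome(bad, name, sum_text))
    print("xz alone on the corrupted download:", decompressor_alone(bad))
```

Note that the lookup is by filename and the comparison uses hmac.compare_digest, so a digest published for a different file, or a sha512.sum that was itself swapped, does not let an archive through; in practice the sha512.sum file (or the tarball) must additionally be covered by the GPG signature, otherwise an attacker who can replace the archive can replace the digest list too.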