1/2 If you don’t want to read about the #xz backdoor-related stuff I advise muting the hashtag because a *lot* of people across the geek spectrum find this whole thing fascinating and very educational.
My latest educational read has been the discussion over in the Debian world at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 which makes me happy about my long-term policy of running things on Debian Stable except where proved impossible.
Also…
2/2 … raises the possibility that the attacker may have left some tiny little buffer-overflow or suchlike exploit hidden behind the big obvious backdoor hack. *shudder*
@cratermoon @timbray sounds worthwhile to me, there are so many compression libs out there
@jamiemccarthy @eighthave @timbray Even if the essay *is* FUD, and xz is a fine compression algorithm, I see hints that the effort to truly vet and clean up the xz code is larger and less certain than switching.
@eighthave @cratermoon @timbray The essay at https://www.nongnu.org/lzip/xz_inadequate.html is dismissed as FUD in that thread, but it does seem to make some good points.