Ryan Hill wrote:
On Wed, 07 May 2008 16:23:12 +0300
Mart Raudsepp <[EMAIL PROTECTED]> wrote:

Hello,

Over the course of this year, a lzma-utils buildtime dependency has
been added to a few system packages, to handle .tar.lzma tarballs.
This has huge implications on the requirement of the system toolchain,
which is highly disturbing from a minimal (let's say embedded) systems
concern - lzma-utils depends on the C++ compiler and the libstdc++
beast, while a minimal system would like to avoid this at all cost.

The new lzma-utils codebase uses liblzma, written in C.  It's at the
alpha stage but supposedly supports encoding/decoding the current lzma
format "well enough" (;P).  It probably has some fun bugs to find
and squish.

http://sf.net/mailarchive/forum.php?thread_name=200804251652.58484.lasse.collin%40tukaani.org&forum_name=lzmautils-announce

According to the mailing list this change was done to fix security holes in the format and also resulted in a slightly different format that's incompatible with the previous version. So lzma 5.x and higher will be a different on-disk format. It's troubling to me that projects are using lzma when its on-disk format isn't even final and the project has security issues.
--
gentoo-dev@lists.gentoo.org mailing list
