Doug Goldstein wrote:
Ciaran McCreesh wrote:
On Thu, 08 May 2008 09:17:08 -0400
Doug Goldstein <[EMAIL PROTECTED]> wrote:
It's troubling to me that projects are using lzma when its on-disk
format isn't even final and the project has security issues.
You mean projects like 'GNU tar'?
As far as I know, Ciaran, all GNU projects have switched or are in the
process of switching to lzma over bzip2. I believe the issue in
question which prompted this original e-mail was due to coreutils. But
I could be wrong.
Additionally, to follow myself up, I believe one of the security issues
was execution of arbitrary data either when untarred or just
decompressed (assuming a specially crafted lzma file).
Some of the other fun bits are lzma requires autotools but autotools are
going to be compressed with lzma. So if we ever need to autoreconf, we
have a chicken/egg issue.
--
gentoo-dev@lists.gentoo.org mailing list