On Fri, 29 Mar 2024 at 14:00, Paolo Bonzini <pbonz...@redhat.com> wrote:
>
> For more info, see
> https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlx...@awork3.anarazel.de/
> but, essentially, xz was backdoored and it seems like upstream was directly
> responsible for this.
>
> Based on this, should we switch our distribution from bz2+xz to bz2+zstd or
> bz2+lzip?
I think it's reasonable to drop xz as a precaution due to the long-term control the attacker may have had over the code base. I haven't researched the alternatives though.

I CCed Michael Tokarev because he looked at compression formats for distributing QEMU recently and may have thoughts on which alternative is suitable.

For the record, I confirmed that the following QEMU servers do not have xz-utils 5.6.0 or 5.6.1 packages installed:
- shell1.qemu.org
- node1.qemu.org
- ci1 at OSUOSL
- qemu2.osuosl.org

Stefan
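The server check Stefan describes above, written out as an added example (this is not code from the thread or from the QEMU project): a POSIX sh script that flags the two xz-utils releases named in the thread, 5.6.0 and 5.6.1, by reading the versions the xz binary reports for itself and for liblzma and, where dpkg or rpm is present, the installed package version. The function names and the sample banner text are constructed for this example; the dpkg/rpm package names are the usual Debian and Fedora ones and are an assumption for other distributions.

```shell
#!/bin/sh
# Added example, not part of the qemu-devel thread: a defender's check for
# the xz-utils releases the thread names (5.6.0 and 5.6.1). Function names
# and sample banners are constructed for this example.

# is_affected_xz_version VERSION: exit 0 only for 5.6.0 or 5.6.1.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# xz_versions_from_output: filter that reads version-bearing text on stdin
# and prints one bare version per line. `xz --version` prints two lines,
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# and a Debian-style package version such as "5.6.1-1" is trimmed to 5.6.1:
# everything before the first digit is dropped, the dotted number is kept.
xz_versions_from_output() {
    sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p'
}

# classify_xz_versions TEXT: prints a verdict and returns 2 when any version
# in TEXT is an affected release, 0 otherwise.
classify_xz_versions() {
    seen=""
    for v in $(printf '%s\n' "$1" | xz_versions_from_output); do
        if is_affected_xz_version "$v"; then
            printf 'AFFECTED: xz/liblzma %s found\n' "$v"
            return 2
        fi
        seen="$seen $v"
    done
    printf 'clean:%s\n' "${seen:- no xz version reported}"
    return 0
}

# installed_xz_package_versions: ask dpkg or rpm for the installed xz
# package versions; prints nothing when neither tool nor package is present.
# Package names are the Debian/Fedora ones (assumption for other distros).
installed_xz_package_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' xz-utils liblzma5 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' xz xz-libs 2>/dev/null | grep '^[0-9]' || true
    fi
}

# check_host: run both checks on this machine; returns 2 if anything matched.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        classify_xz_versions "$(xz --version 2>/dev/null)" || rc=$?
    else
        echo "xz binary: not installed"
    fi
    pkgs=$(installed_xz_package_versions)
    if [ -n "$pkgs" ]; then
        classify_xz_versions "$pkgs" || rc=$?
    fi
    return "$rc"
}

# Constructed sample banners in the form `xz --version` produces.
SAMPLE_AFFECTED_BANNER='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN_BANNER='xz (XZ Utils) 5.4.5
liblzma 5.4.5'

exit_status=0
check_host || exit_status=$?
echo "host check exit status: $exit_status"
```

Run it as `sh check-xz.sh` on each host; an exit status of 2 means an affected release was reported by the binary or the package manager. The self-reported version is only a hint: a distribution may ship a patched build that still carries the 5.6.x version string, and the package manager query, read against the distribution's own advisory, is the more reliable of the two checks.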