30.03.2024 13:03, Stefan Hajnoczi :
> On Fri, 29 Mar 2024 at 14:00, Paolo Bonzini <pbonz...@redhat.com> wrote:
>>
>> For more info, see
>> https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlx...@awork3.anarazel.de/
>> but, essentially, xz was backdoored and it seems like upstream was directly
>> responsible for this.
>>
>> Based on this, should we switch our distribution from bz2+xz to bz2+zstd or
>> bz2+lzip?
>
> I think it's reasonable to drop xz as a precaution due to the
> long-term control the attacker may have had over the code base. I
> haven't researched the alternatives though.

I agree with Daniel here, - let's not rush into conclusions so far.

Even with this long-term control, so far it does not look like the .xz
format itself is somehow bad (but it can be improved for sure), or that
it poses a threat.

> I CCed Michael Tokarev because he looked at compression formats for
> distributing QEMU recently and may have thoughts on which alternative
> is suitable.

My only intention at the time was to avoid keeping things in *two*
forms, - as it looked like there's no reason for that.   My reason was
that .xz has been used for quite some time as the default download link on
the qemu.org website, so it should be safe to assume everyone has .xz
support by now and there's no need to keep .bz2.  Now with this incident
in mind, maybe that wasn't a good idea and some other format should still
be kept.

But once again, - I think it's a bit preliminary to make decisions while
the dust has still not settled.

/mjt