Jim Meyering wrote:
> Bob Friesenhahn wrote:
>> On Sat, 24 Nov 2012, Marko Lindqvist wrote:
>>> On 2 March 2012 06:45, Eric Blake <ebl...@redhat.com> wrote:
>>>>
>>>> The Autoconf team is considering releasing only .xz files for 2.69; if
>>>> this would be a hardship for you, and you need the .gz or .bz2 release,
>>>> please speak up now.
>>>
>>> I just encountered a new argument for providing .gz of autoconf also in
>>> the future.
>>
>> There is no tangible benefit offered to the world by removing the
>> gzip-compressed autoconf package.  Xz is excessively complex,
>> excessively large, and has limited portability and stability compared
>> with gzip.
>
> Hi Bob,
>
> I don't know of significant portability problems.
> In my experience, if they are reported and affect significant
> (sometimes even insignificant) portability targets, they will be
> addressed promptly.  Can you point to reported problems that
> have not been resolved?
>
> There is no shortage of reasons to avoid gzip these days.  One that
> strikes home for me (as a package maintainer) is that there have
> been exploitable CVEs against gzip in the recent past, and the code
> is surprisingly ugly (hence hard to audit).  I do not want to require
> tarball consumers to use a tool that I do not feel good about, and gzip
> is one of those.  Just because it is still used by so many people (due
> mostly to inertia) does not mean that we should ignore its faults.

FYI, a couple of weeks ago, Aki Helin exposed still more problems in
gzip's unpacking code.  Paul Eggert fixed them just a few days ago:

  http://git.sv.gnu.org/cgit/gzip.git/commit/?id=f2be148c3d956c2dd19bd6fdbe6d
  http://git.sv.gnu.org/cgit/gzip.git/commit/?id=16977ae732bf60f79c9a4fd6d183

_______________________________________________
Autoconf mailing list
Autoconf@gnu.org
https://lists.gnu.org/mailman/listinfo/autoconf
