I don't really want to argue about whether this is a security hole or try to dream up scenarios where compromised backups are used to exploit a system during a restore. If you don't think it's a security hole, that's fine.
However, the fact that the package is statically linked to a version of gzip remains, and this version of gzip has a bug which causes certain input streams to crash it. Having your restore crash in the middle because some bits got flipped in the backup is probably not much fun. Recompiling the package to eliminate this possibility seems like a trivial thing and a good idea. Also, there will be security holes^W^Wbugs in gzip in the future, so statically linking it is a bad thing in general. -- see shy jo