On Fri, 08 Oct 2021 20:42:25 -0300 Matias Fonzo <s...@dragora.org> wrote:

> Note, distributing under the xz format sucks![1]. Its competitor in
> quality offers not only a better license (adequate for free software
> projects), but is also better prepared for reproducibility[2].
>
> [1] http://lzip.nongnu.org/xz_inadequate.html
> [2] http://lzip.nongnu.org/safety_of_the_lzip_format.html

Thanks a lot!
I've started reading these and they look really interesting. While modifying linux-libre for Replicant, I've noticed that with Linux releases, the released tarballs are compressed with xz, but that they didn't sign them. Instead they signed the uncompressed tarballs. At first I thought that it was to enable people to change the compression level, but now I also wonder if xz's shortcomings also influenced that decision.

Denis.
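As an added illustration (not part of this email thread, and not kernel.org's tooling), the following Python script shows what signing the uncompressed tarball buys you: the same detached signature verifies whether the archive was later compressed with xz at preset 0, xz at preset 9, or gzip, and still fails on tampered content. It uses an HMAC as a stand-in for the OpenPGP signature so it runs offline; the sample tarball bytes and the key are constructed for the demo. The verification step mirrors the usual `xz -cd linux-x.y.tar.xz | gpg --verify linux-x.y.tar.sign -` pipeline: decompress first, then check the signature over the uncompressed stream.

```python
import gzip
import hashlib
import hmac
import lzma

# Constructed sample "tarball" content; in practice this would be linux-x.y.tar.
SAMPLE_TARBALL = b"linux-x.y/Makefile\nVERSION = 5\n" * 64

# Stand-in for the signer's OpenPGP key. kernel.org uses gpg; an HMAC is used
# here only so that the script runs without gpg or network access.
SIGNING_KEY = b"constructed-demo-key"


def sign_uncompressed(tarball: bytes) -> bytes:
    """Produce a detached 'signature' over the uncompressed tarball bytes."""
    return hmac.new(SIGNING_KEY, tarball, hashlib.sha256).digest()


def verify_compressed(archive: bytes, signature: bytes, fmt: str) -> bool:
    """Decompress the archive, then verify the signature over the
    *uncompressed* bytes, as in `xz -cd file.tar.xz | gpg --verify file.tar.sign -`."""
    if fmt == "xz":
        data = lzma.decompress(archive)
    elif fmt == "gz":
        data = gzip.decompress(archive)
    else:
        raise ValueError(f"unsupported format: {fmt}")
    return hmac.compare_digest(sign_uncompressed(data), signature)


def demo() -> dict:
    """Sign once, then verify against several recompressions and a tampered copy."""
    sig = sign_uncompressed(SAMPLE_TARBALL)
    results = {}
    # One signature covers every compressor and preset, because the
    # signature never depends on the container format.
    results["xz-preset0"] = verify_compressed(
        lzma.compress(SAMPLE_TARBALL, preset=0), sig, "xz")
    results["xz-preset9"] = verify_compressed(
        lzma.compress(SAMPLE_TARBALL, preset=9), sig, "xz")
    results["gz"] = verify_compressed(gzip.compress(SAMPLE_TARBALL), sig, "gz")
    # A modified tarball, however it is compressed, must fail verification.
    tampered = SAMPLE_TARBALL.replace(b"VERSION = 5", b"VERSION = 6", 1)
    results["tampered"] = verify_compressed(lzma.compress(tampered), sig, "xz")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'FAILED'}")
```

The design point is that verification happens on the decompressed stream, so the decompressor's output is what the signature protects; the compressed container itself is unauthenticated and should be treated as untrusted input to the decompressor.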