Alexander Sosedkin wrote:
> We have just released gnutls-3.8.12.

Congratulations on the new release. :-)

> Here are the XZ compressed sources:

Have you considered using any other compressed format? I find it somewhat odd that a secure communications library is distributed using about the only format that does not guarantee the integrity of the decompressed data against decompression errors. See, for example, http://www.nongnu.org/lzip/xz_inadequate.html#checking . Note that a cryptographic signature of the compressed file does not protect against decompression errors caused by faulty RAM or bugs in the decompressor.

Gzip, bzip2, and lzip always check the integrity of the decompressed data, and therefore would be fine. Zstd may also be adequate in practice because, even if its integrity checking is optional, I don't know of any zstd decompressor that does not implement it.

Thanks,
Antonio.

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
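
An added example, not part of the message above or of the GnuTLS project, illustrating the point about decompressed-data integrity: a gzip file's trailer records the CRC32 and length of the uncompressed data, so output damaged during decompression is caught even though the compressed file (and any signature over it) is unchanged, while an xz stream declares its own check type, which may be none. The sample payload and all helper names are constructed for illustration.

```python
import gzip
import lzma
import struct
import zlib

# Constructed sample payload standing in for a release tarball.
SAMPLE = b"constructed sample payload\n" * 64


def gzip_trailer(blob):
    """Return (crc32, isize) from the last 8 bytes of a single-member gzip file."""
    return struct.unpack("<II", blob[-8:])


def output_matches_gzip_trailer(blob, output):
    """True if `output` matches the CRC32 and length recorded in the trailer."""
    crc, isize = gzip_trailer(blob)
    return zlib.crc32(output) == crc and (len(output) & 0xFFFFFFFF) == isize


def flip_bit(data, index=10):
    """Simulate a decompression error (e.g. faulty RAM) by flipping one output bit."""
    damaged = bytearray(data)
    damaged[index] ^= 0x01
    return bytes(damaged)


XZ_CHECKS = {
    lzma.CHECK_NONE: "none",
    lzma.CHECK_CRC32: "crc32",
    lzma.CHECK_CRC64: "crc64",
    lzma.CHECK_SHA256: "sha256",
}


def xz_check_type(blob):
    """Report which integrity check an .xz stream declares for its data."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    dec.decompress(blob)
    return XZ_CHECKS.get(dec.check, "unknown")


if __name__ == "__main__":
    gz = gzip.compress(SAMPLE)
    print("gzip, intact output :", output_matches_gzip_trailer(gz, SAMPLE))
    print("gzip, damaged output:", output_matches_gzip_trailer(gz, flip_bit(SAMPLE)))
    print("xz default check    :", xz_check_type(lzma.compress(SAMPLE)))
    print("xz without a check  :",
          xz_check_type(lzma.compress(SAMPLE, check=lzma.CHECK_NONE)))
```
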