Um maybe?

>From what I've read so far it doesn't seem the format is compromised but it
certainly seems like a concerted attempt to subvert an upstream. However a
knee-jerk jump to another format might be premature without carefully
considering if other upstreams have been targeted.

I guess zstd is overseen by Facebook but it's still a mostly single
contributor repo. Lzip's history directly ties to the original author of xz
and we haven't heard from them yet.

We should certainly keep an eye on the situation but let's not be too hasty.

On Sat, 30 Mar 2024, 05:00 Paolo Bonzini, <> wrote:

> For more info, see
> but, essentially, xz was backdoored and it seems like upstream was directly
> responsible for this.
> Based on this, should we switch our distribution from bz2+xz to bz2+zstd
> or bz2+lzip?
> Thanks,
> Paolo

Reply via email to