Um maybe? >From what I've read so far it doesn't seem the format is compromised but it certainly seems like a concerted attempt to subvert an upstream. However a knee-jerk jump to another format might be premature without carefully considering if other upstreams have been targeted.
I guess zstd is overseen by Facebook but it's still a mostly single contributor repo. Lzip's history directly ties to the original author of xz and we haven't heard from them yet. We should certainly keep an eye on the situation but let's not be too hasty. On Sat, 30 Mar 2024, 05:00 Paolo Bonzini, <pbonz...@redhat.com> wrote: > For more info, see > https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlx...@awork3.anarazel.de/ > but, essentially, xz was backdoored and it seems like upstream was directly > responsible for this. > > Based on this, should we switch our distribution from bz2+xz to bz2+zstd > or bz2+lzip? > > Thanks, > > Paolo >
