coreutils

Re: Please, use --check=crc32 or switch to a safe format


From: Pádraig Brady
Subject: Re: Please, use --check=crc32 or switch to a safe format
Date: Sat, 25 Mar 2017 15:07:17 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 25/03/17 06:26, Ariel Santana Naranjo wrote:
> Dear maintainers,
> 
> I have made an unsettling discovery:
> http://www.nongnu.org/lzip/lzip_benchmark.html#busybox
> "error detection in the xz format is silently broken."
> 
> If this is true (and it might be, because it provides a reproducer), why
> is such a central project as GNU Coreutils being distributed in xz
> format only? Shouldn't Coreutils switch to a safe-by-default compressed
> format, as the above link suggests?

This request is a little light on info.
Looking for a few mins I see these checks are currently in place:

 - The compressed data is checked with gpg
 - xz headers are always checksummed with crc32
 - xz uncompressed data is checksummed with crc64 by default

Your proposal is to specify --check=crc32 when compressing
to support checks with busybox unxz.

This seems fair enough, but would also probably hit
the pristine-tar issue mentioned in this thread:
https://lists.gnu.org/archive/html/coreutils/2017-01/msg00014.html

cheers,
Pádraig
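
The checks listed in the message above can be inspected directly on an .xz file. The following is an added example, not part of the original message or of coreutils: it reads the integrity-check type from the CRC32-protected Stream Header and confirms that a damaged stream is rejected under both the default check and CRC32. The function names and the sample payload are constructed for illustration, and Python's standard `lzma` module stands in for the `xz` command line.

```python
import lzma
import struct
import zlib

XZ_MAGIC = b"\xfd7zXZ\x00"  # 6-byte magic that opens every .xz stream
# Check IDs defined for the Stream Flags field of the .xz format
CHECK_NAMES = {0x00: "none", 0x01: "crc32", 0x04: "crc64", 0x0A: "sha256"}


def xz_stream_check(blob: bytes) -> str:
    """Name the integrity check declared in an .xz Stream Header.

    Header layout: magic (6) | stream flags (2) | CRC32 of the flags (4, LE).
    """
    if len(blob) < 12 or blob[:6] != XZ_MAGIC:
        raise ValueError("not an xz stream")
    flags = blob[6:8]
    (stored_crc,) = struct.unpack("<I", blob[8:12])
    if zlib.crc32(flags) != stored_crc:
        raise ValueError("stream header CRC32 mismatch")
    if flags[0] != 0 or flags[1] & 0xF0:
        raise ValueError("reserved stream flag bits set")
    return CHECK_NAMES.get(flags[1], f"reserved-0x{flags[1]:02x}")


def rejects_corruption(blob: bytes, offset: int) -> bool:
    """Flip one byte at `offset` and report whether decompression fails."""
    damaged = bytearray(blob)
    damaged[offset] ^= 0xFF
    try:
        lzma.decompress(bytes(damaged), format=lzma.FORMAT_XZ)
    except lzma.LZMAError:
        return True
    return False


# Constructed sample input, compressed twice: library default vs. CRC32.
PAYLOAD = b"constructed sample payload, not a real release tarball\n" * 64
DEFAULT_XZ = lzma.compress(PAYLOAD, format=lzma.FORMAT_XZ)
CRC32_XZ = lzma.compress(PAYLOAD, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC32)

if __name__ == "__main__":
    for label, blob in (("default", DEFAULT_XZ), ("crc32", CRC32_XZ)):
        mid = len(blob) // 2
        print(label, xz_stream_check(blob), rejects_corruption(blob, mid))
```

These checks only catch accidental damage; authenticity of the release still rests on the gpg signature mentioned in the message.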


