Re: Backdoor in xz, should we switch compression format for tarballs?

[Michael Tokarev]

30.03.2024 13:03, Stefan Hajnoczi :
> On Fri, 29 Mar 2024 at 14:00, Paolo Bonzini <pbonzini@redhat.com> wrote:
> > For more info, see 
> > https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/
> >  but, essentially, xz was backdoored and it seems like upstream was directly 
> > responsible for this.
> >
> > Based on this, should we switch our distribution from bz2+xz to bz2+zstd or 
> > bz2+lzip?
>
> I think it's reasonable to drop xz as a precaution due to the
> long-term control the attacker may have had over the code base. I
> haven't researched the alternatives though.

I agree with Daniel here, - lets' not rush into conclusions so far.

Even with this long-term control, so far it does not look like .xz
format itself is somehow bad (but it can be improved for sure), or
it poses a treat.

> I CCed Michael Tokarev because he looked at compression formats for
> distributing QEMU recently and may have thoughts on which alternative
> is suitable.

The only my intention at the time was to avoid keeping things in *two*
forms, - as it looked like there's no reason for that.   My reasons was
that .xz is used for quite some time as default download link on qemu.org
website so it should be safe to assume everyone has .xz support by now
and there's no need to keep .bz2.  Now with this incident in mind, maybe
that wasn't a good idea and some other format should be kept still.

But once again, - I think it's a bit preliminary to make decisions while
the dust still not settled.

/mjt