Ryan Hill wrote:
> On Wed, 07 May 2008 16:23:12 +0300
> Mart Raudsepp <leio@g.o> wrote:
>
>> Hello,
>>
>> Over the course of this year, a lzma-utils buildtime dependency has
>> been added to a few system packages, to handle .tar.lzma tarballs.
>> This has huge implications on the requirement of the system toolchain,
>> which is highly disturbing from a minimal (let's say embedded) systems
>> concern - lzma-utils depends on the C++ compiler and the libstdc++
>> beast, while a minimal system would like to avoid this at all cost.
>>
>
> The new lzma-utils codebase uses liblzma, written in C. It's at the
> alpha stage but supposedly supports encoding/decoding the current lzma
> format "well enough" (;P). It probably has some fun bugs to find
> and squish.
>
> http://sf.net/mailarchive/forum.php?thread_name=200804251652.58484.lasse.collin%40tukaani.org&forum_name=lzmautils-announce
>
According to the mailing list this change was done to fix security holes
in the format and also resulted in a slightly different format that's
incompatible with the previous version. So lzma 5.x and higher will be a
different on-disk format. It's troubling to me that projects are using
lzma when its on-disk format isn't even final and the project has
security issues.
--
gentoo-dev@l.g.o mailing list