On Thu, Jun 06, 2019 at 05:44:27PM -0400, Boyuan Yang wrote:
> On Thu, 2019-06-06 at 23:35 +0200, Julian Andres Klode wrote:
> > seeing that Federico Mena Quintero has taken over bzip2 development
> > and is in the process of porting it to Rust[1], we should consider
> > removing bzip2 support from apt, dpkg, etc. following the release
> > of buster.

How long are versions written in a sane language going to be security
supported?  It's not like bzip2 is a fast moving target.  Vulnerability
to malicious data is the only real concern -- a small code base can
otherwise be kept afloat for decades by just fixing FTBFSes on new
compilers/archs.

> > My understanding is that having APT depend on a library written in
> > Rust severely hurts its portability, and makes it hard to support
> > for stable releases, as Rust is a fairly fast moving target.
> >
> > I do not believe that bzip2 is a useful algorithm in today's world,
> > and we should look at migrating any remaining bzip2-only things
> > (translation files I think) to xz or zstd.

Aye, per the recent thread.

> I do remember there's still some source packages / binary packages in Debian
> using the bzip2 format. If we are going to do that (which looks reasonable,
> BTW), a serious archive-wide scan should be made in advance to see how great
> the impact is and we need to deal with each occurrence.

I did such a scan just weeks ago.  There's not a single _binary_ package
that uses bz2 for either the control or data tarball in stretch or buster
(on amd64, but I doubt other archs would be different).  I did not test
jessie -- but dropping support in bullseye would mean the user needs to
mix packages 3 releases apart.  Disallowing that sounds fine to me.

On the other hand, there's a massive number of _source_ packages with bz2
components.  There are 3621 referenced bz2 files in sid.  We're not getting
rid of them anytime soon.

> Another issue is that the new toolchain (apt/dpkg/...) will not be able to
> handle old packages using bzip2. Why not make the bzip2 support optional (like
> a plugin or something similar)?

pipe|exec("bzip2") or dlopen('libbzip2') may work.

Please add support for zstd and improve either 0.939 debs or a new format
while doing so. :)

Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Sometimes you benefit from delegating stuff.
⢿⡄⠘⠷⠚⠋⠀ For example, this way I get to be a vegetarian.
⠈⠳⣄⠀⠀⠀⠀
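The archive-wide scan the reply describes (which compression each binary package uses for its control and data tarballs) only needs the ar-archive member names of each .deb, not the tarball contents. The following is an added example, not the scan the poster ran or any dpkg/apt code: a small Python scanner that walks a .deb's ar header chain, reports the compression suffix of the control and data members, and flags bz2. It parses only the 60-byte ar headers and never decompresses anything, which keeps it safe to point at untrusted archives; truncated or malformed headers raise ValueError instead of being followed. The two sample archives at the bottom are constructed inline so the script runs offline; the helper names (`ar_members`, `deb_compressions`, `uses_bzip2`, `scan_files`) are this example's own.

```python
"""Report which compression each tarball inside a .deb (an ar archive) uses."""
import os
import sys
import io

AR_MAGIC = b"!<arch>\n"
AR_HEADER_LEN = 60
AR_FMAG = b"`\n"


def ar_members(data):
    """Yield (name, payload) for each member of an in-memory ar archive.

    Only headers are trusted after validation: the size field is bounds-checked
    against the buffer so a hostile archive cannot make us read past its end.
    """
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + AR_HEADER_LEN <= len(data):
        hdr = data[pos:pos + AR_HEADER_LEN]
        if hdr[58:60] != AR_FMAG:
            raise ValueError("bad ar member header at offset %d" % pos)
        # dpkg pads names with spaces; GNU ar terminates them with '/'.
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + AR_HEADER_LEN
        if size < 0 or start + size > len(data):
            raise ValueError("truncated ar member %r" % name)
        yield name, data[start:start + size]
        pos = start + size + (size & 1)  # members are padded to an even offset


def deb_compressions(data):
    """Map 'control'/'data' to the compression suffix found in the .deb.

    'none' means an uncompressed control.tar / data.tar member.
    """
    found = {}
    for name, _payload in ar_members(data):
        for member in ("control.tar", "data.tar"):
            if name == member or name.startswith(member + "."):
                suffix = name[len(member):].lstrip(".")
                found[member.split(".")[0]] = suffix or "none"
    return found


def uses_bzip2(data):
    """True if either tarball inside the .deb is bzip2-compressed."""
    return "bz2" in deb_compressions(data).values()


def scan_files(paths):
    """Return the subset of paths whose .deb still carries a bz2 tarball."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            if uses_bzip2(fh.read()):
                hits.append(path)
    return hits


def build_ar(members):
    """Construct a minimal ar archive (constructed test input, not a real .deb)."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, payload in members:
        hdr = ("%-16s%-12d%-6d%-6d%-8o%-10d" % (name, 0, 0, 0, 0o100644, len(payload))).encode("ascii")
        out.write(hdr + AR_FMAG)
        out.write(payload)
        if len(payload) & 1:
            out.write(b"\n")  # pad odd-sized members, as ar requires
    return out.getvalue()


# Constructed samples: only the member names matter, the payloads are stand-in magic bytes.
SAMPLE_BZ2 = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"\x1f\x8b"),
    ("data.tar.bz2", b"BZh9x"),  # odd length, exercises the padding rule
])
SAMPLE_XZ = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.xz", b"\xfd7zXZ\x00"),
    ("data.tar.xz", b"\xfd7zXZ\x00"),
])

if __name__ == "__main__":
    # Usage: python scan_debs.py /path/to/*.deb
    for deb in scan_files(sys.argv[1:]):
        print("bz2:", deb, deb_compressions(open(deb, "rb").read()))
```

Feeding the script every .deb of a mirror is enough to reproduce the "no binary package uses bz2" finding for a suite; the source-package side of the question (the thousands of .orig.tar.bz2 and similar components) is a separate check against the Sources index, which this example does not cover.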