Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide



Vincent Lefevre <vincent@vinc17.net> writes:
> On 2015-07-29 00:21:54 +0200, Antonio Diaz Diaz wrote:

>> A compressed file is like an envelope with a message inside. The
>> objective of the decompressor is to extract the message and deliver it
>> intact to the user.

> The problem is that data could have been appended to a compressed file
> (thanks Firefox!), and one wants to detect that and not lose such data,
> i.e. after the envelope is not necessarily garbage, it may be important
> data.

There were a few long messages to this thread that I didn't absorb in
their entirety, so apologies if this is a repeat.  But another angle of
this is that the discussion is about using lzip *for Debian packages*.  In
that context, being tolerant of appended data, or *any* other form of
modification to the file, is basically pointless.  Debian packages are
authenticated and protected via cryptographic signatures, which will not
match if there are any changes at all to the file, even appending a nul
byte.  And if the signature doesn't verify, one should treat the package
with extreme suspicion, and certainly should not be installing it on a
system except in a very controlled environment for investigative purposes.

So regardless of the merits or drawbacks of such a feature, it's rather
irrelevant to the discussion that we're having here.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
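The point made above (a decompressor's tolerance of trailing bytes is irrelevant when the package's integrity is checked cryptographically) as an added example that is not part of the thread. It uses an .xz stream and a recorded SHA-256 as a simplified stand-in for the digests a signed Release/Packages file commits to; the payload is constructed.

```python
import hashlib
import lzma

# Constructed stand-in for a package payload (not a real .deb).
PAYLOAD = b"Package: example\nVersion: 1.0\n" * 64


def build_archive() -> bytes:
    """Compress the payload as an .xz stream, like a data.tar.xz member."""
    return lzma.compress(PAYLOAD, format=lzma.FORMAT_XZ)


def record_digest(archive: bytes) -> str:
    """What the signed index effectively commits to: a SHA-256 of the file."""
    return hashlib.sha256(archive).hexdigest()


def verify_digest(archive: bytes, expected: str) -> bool:
    """Integrity check standing in for signature verification (simplified)."""
    return hashlib.sha256(archive).hexdigest() == expected


def decompress_with_trailer(archive: bytes):
    """Extract the message and report any bytes found after the stream."""
    d = lzma.LZMADecompressor()
    message = d.decompress(archive)
    if not d.eof:
        raise ValueError("truncated stream")
    # unused_data holds whatever followed the end-of-stream marker.
    return message, d.unused_data


def demo() -> dict:
    """Append one NUL byte: the message still extracts, the check fails."""
    original = build_archive()
    recorded = record_digest(original)
    tampered = original + b"\x00"
    message, trailer = decompress_with_trailer(tampered)
    return {
        "original_verifies": verify_digest(original, recorded),
        "tampered_verifies": verify_digest(tampered, recorded),
        "tampered_message_intact": message == PAYLOAD,
        "tampered_trailer": trailer,
    }


if __name__ == "__main__":
    print(demo())
```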