
Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide



On 2015-08-02 11:45:38 -0700, Russ Allbery wrote:
> There were a few long messages to this thread that I didn't absorb in
> their entirety, so apologies if this is a repeat.  But another angle of
> this is that the discussion is about using lzip *for Debian packages*.  In
> that context, being tolerant of appended data, or *any* other form of
> modification to the file, is basically pointless.

I don't think that it is pointless. I would say that it must *not*
be tolerant to appended data, because...

> Debian packages are
> authenticated and protected via cryptographic signatures, which will not
> match if there are any changes at all to the file, even appending a nul
> byte.  And if the signature doesn't verify, one should treat the package
> with extreme suspicion, and certainly should not be installing it on a
> system except in a very controlled environment for investigative purposes.

The purpose of adding garbage could be to make a modified tarball
match the signature. Of course, this would mean that the system
would no longer be cryptographically safe in general, but it might
still be safe for some class of files with a fixed structure, such
as xz. And not everyone would render a vulnerability public...
So, it is safer not to accept garbage when decoding.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
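
Added example, not part of the message above and not dpkg code: a sketch of a decoder that refuses appended data, using Python's standard lzma module on an xz stream. The names strict_xz_decompress, TrailingDataError and compare are hypothetical, and the sample inputs are constructed.

```python
import lzma


class TrailingDataError(ValueError):
    """Bytes were found after the end of the compressed stream."""


def strict_xz_decompress(blob):
    """Decode exactly one .xz stream; refuse truncated input and any appended bytes."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    try:
        out = dec.decompress(blob)
    except lzma.LZMAError as exc:
        raise ValueError("corrupt stream: %s" % exc) from exc
    if not dec.eof:
        raise ValueError("truncated stream: end-of-stream marker not reached")
    if dec.unused_data:
        # Appended nul padding, junk and a second stream are all refused here.
        raise TrailingDataError("%d byte(s) after end of stream" % len(dec.unused_data))
    return out


def compare(blob):
    """Return (tolerant verdict, strict verdict) for the same input."""
    def verdict(decode):
        try:
            decode(blob)
            return "accepted"
        except (ValueError, lzma.LZMAError):
            return "rejected"
    # lzma.decompress() keeps decoding concatenated streams and silently drops
    # undecodable trailing bytes once at least one stream has decoded.
    tolerant = verdict(lambda b: lzma.decompress(b, format=lzma.FORMAT_XZ))
    return tolerant, verdict(strict_xz_decompress)


if __name__ == "__main__":
    good = lzma.compress(b"payload", format=lzma.FORMAT_XZ)  # constructed sample
    cases = {
        "clean": good,
        "junk appended": good + b"not a valid xz stream, appended",
        "second stream appended": good + good,
    }
    for label, blob in cases.items():
        print(label, compare(blob))
```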
