
Re: Removing bzip2 support from apt due to rustification



On Thu, Jun 06, 2019 at 05:44:27PM -0400, Boyuan Yang wrote:
> On Thu, 2019-06-06 at 23:35 +0200, Julian Andres Klode wrote:
> > seeing that Federico Mena Quintero has taken over bzip2 development
> > and is in the process of porting it to Rust[1], we should consider
> > removing bzip2 support from apt, dpkg, etc. following the release
> > of buster.

How long are versions written in a sane language going to be security
supported?  It's not like bzip2 is a fast moving target.  Vulnerability to
malicious data is the only real concern -- a small code base can otherwise
be kept afloat for decades by just fixing FTBFSes on new compilers/archs.

> > My understanding is that having APT depend on a library written in
> > Rust severely hurts its portability, and makes it hard to support
> > for stable releases, as Rust is a fairly fast moving target.
> > 
> > I do not believe that bzip2 is a useful algorithm in today's world,
> > and we should look at migrating any remaining bzip2-only things
> > (translation files I think) to xz or zstd.

Aye, per the recent thread.

> I do remember there's still some source packages / binary packages in Debian
> using the bzip2 format. If we are going to do that (which looks reasonable,
> BTW), a serious archive-wide scan should be made in advance to see how great
> the impact is and we need to deal with each occurrence.

I did such a scan just weeks before.  There's not a single _binary_ package
that uses bz2 for either the control or data tarball in stretch or buster
(in amd64 but I doubt other archs would be different).  I did not test
jessie -- but dropping support in bullseye would mean the user needs to mix
packages 3 releases apart.  Disallowing that sounds fine to me.

On the other hand, there's a massive number of _source_ packages with bz2
components.  There are 3621 referenced bz2 files in sid.  We're not getting
rid of them anytime soon.

> Another issue is that the new toolchain (apt/dpkg/...) will not be able to
> handle old packages using bzip2. Why not make the bzip2 support optional (like
> a plugin or something similar)?

pipe|exec("bzip2") or dlopen('libbzip2') may work.

Please add support for zstd and improve either 0.939 debs or a new format
while doing so. :)


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Sometimes you benefit from delegating stuff.  For example,
⢿⡄⠘⠷⠚⠋⠀ this way I get to be a vegetarian.
⠈⠳⣄⠀⠀⠀⠀

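An added example of the kind of per-package scan described in the message above (written for this page, not the poster's own script): it parses the ar container of a .deb and reports the compression of each control/data member from its magic bytes alone, so nothing is decompressed while inventorying an archive. The two sample archives are constructed in-memory with placeholder payloads, not real tarballs.

```python
AR_MAGIC = b"!<arch>\n"
# Magic bytes of the compressors dpkg has used for control/data tarballs.
COMPRESSION_MAGIC = {b"BZh": "bzip2", b"\x1f\x8b": "gzip",
                     b"\xfd7zXZ\x00": "xz", b"\x28\xb5\x2f\xfd": "zstd"}

def build_ar(members):
    """Build a minimal ar archive (the .deb container) from (name, bytes) pairs.
    Only used to construct sample input; payloads are not real tarballs."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += (name.encode().ljust(16) + b"0".ljust(12) + b"0".ljust(6)
                + b"0".ljust(6) + b"100644".ljust(8)
                + str(len(data)).encode().ljust(10) + b"`\n")
        out += data + (b"\n" if len(data) % 2 else b"")  # pad to even length
    return bytes(out)

def ar_members(blob):
    """Yield (name, data) per member; fail closed on a malformed archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("truncated or corrupt member header")
        name = header[:16].decode("ascii").rstrip(" /")  # GNU ar appends '/'
        size = int(header[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("member data truncated")
        yield name, data
        pos += 60 + size + (size % 2)

def scan_deb(blob):
    """Map each control/data member to its compression, judged from magic bytes
    only: nothing is decompressed, so a hostile payload is never parsed."""
    report = {}
    for name, data in ar_members(blob):
        if name.startswith(("control.tar", "data.tar")):
            report[name] = next((fmt for magic, fmt in COMPRESSION_MAGIC.items()
                                 if data.startswith(magic)), "unknown")
    return report

def uses_bzip2(blob):
    return "bzip2" in scan_deb(blob).values()

# Constructed samples: an old bzip2-era package and a current xz one.
OLD_DEB = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", b"\x1f\x8b\x08\x00\x00"),
                    ("data.tar.bz2", b"BZh91AY&SY")])
NEW_DEB = build_ar([("debian-binary", b"2.0\n"), ("control.tar.xz", b"\xfd7zXZ\x00\x00"),
                    ("data.tar.xz", b"\xfd7zXZ\x00\x00")])
```

Run over a pool directory, `uses_bzip2(open(path, "rb").read())` gives the per-architecture count the thread asks for without handing untrusted bzip2 streams to a decompressor.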