Re: Future autoconf package compression

[Jim Meyering]

Bob Friesenhahn wrote:
> On Sat, 24 Nov 2012, Marko Lindqvist wrote:
>> On 2 March 2012 06:45, Eric Blake <address@hidden> wrote:
>>>
>>> The Autoconf team is considering releasing only .xz files for 2.69; if
>>> this would be a hardship for you, and you need the .gz or .bz2 release,
>>> please speak up now.
>>
>> I just encountered new argument for providing .gz of autoconf also in
>> the future.
>
> There is no tangible benefit offered to the world by removing the
> gzip-compressed autoconf package.  Xz is excessively complex,
> excessively large, and has limited portability and stability compared
> with gzip.

Hi Bob,

I don't know of significant portability problems.
In my experience, if they are reported and affect significant
(sometimes even insignificant) portability targets, they will be
addressed promptly.  Can you point to reported problems that
have not been resolved?

There is no shortage of reasons to avoid gzip these days.  One that
strikes home for me (as a package maintainer) is that there have
been exploitable CVEs against gzip in the recent past, and the code
is surprisingly ugly (hence hard to audit).  I do not want to require
tarball consumers to use a tool that I do not feel good about, and gzip
is one of those.  Just because it is still used by so many people (due
mostly to inertia) does not mean that we should ignore its faults.

> The XZ Utils project obviously has issues.  As an example, I clicked
> on the NEWS link offered by its web site (http://www.tukaani.org/xz/)
> to see what has changed and saw this
> "http://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;hb=HEAD";.  Further
> investigation reveals that its git repository has vaporized.

While reading your message (catching up, now), I clicked on
that link, and it works fine now.  Even if the site were off-line
for a few days, that is no reason to reject the technology.
If we did that across the board, very few projects would still be with us.