[Devel-en] Compressing man pages with gzip instead of xz?
Mikhail Novosyolov
m.novosyolov at rosalinux.ru
Sat Mar 30 15:01:49 MSK 2024
Hello everyone.
Probably most of you have already heard about a backdoor added into xz:
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://www.opennet.ru/opennews/art.shtml?num=60877
https://www.opennet.ru/opennews/art.shtml?num=60880
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
ROSA Linux has been compressing /usr/share/man/man*/* with xz for ages. Compression is done automatically by spec-helper after the %install stage. Some other distros use gzip (*.gz).
I do not know about any big advantages of xz for man pages over gzip, but know about a rather big problem that exists with xz:
https://gitlab.com/man-db/man-db/-/issues/4
man-db (/usr/bin/man is from man-db) by default uses seccomp-based isolation when decompressing and parsing manual pages. Isolation makes sense, to my mind, because a vulnerability may exist in the interpreter of man pages.
mandb uses gzip as a library for decompressing *.gz man pages, but cannon use liblzma (xz library) and calls /usr/bin/xz for decompression. This makes generating the mandb cache VERY slow and VERY I/O intensive, it made building ISO images on ABF nearly impossible. I had to disable isolation by default for man-db being ran from RPM file triggers: https://abf.io/import/man-db/commit/4908043777080c512fb001da80c9e47081fd5834
Now we have the following situation:
1) the xz/lzma library has become not trusted (thanks to gvm@ for trying to quickly remove the backdoor in https://abf.io/import/xz/commits/rosa2023.1 , but we cannot be sure that there are no other backdoors)
2) xz saves some disk space, but do we really care about a few megabytes in the installed system?
3) man-db works much faster with gzip then with xz with and without isolation
So, my question is: does any body see any real advantage of xz in mans?
More information about the Devel-en
mailing list