[Devel-en] Compressing man pages with gzip instead of xz?

Mikhail Novosyolov m.novosyolov at rosalinux.ru
Sat Mar 30 17:47:00 MSK 2024


30.03.2024 17:26, Giovanni Mariani writes:
> On 30/03/24 13:01, Mikhail Novosyolov wrote:
>> Hello everyone.
>>
>> Probably most of you have already heard about a backdoor added into xz:
>>
>> https://www.openwall.com/lists/oss-security/2024/03/29/4
>>
>> https://www.opennet.ru/opennews/art.shtml?num=60877
>>
>> https://www.opennet.ru/opennews/art.shtml?num=60880
>>
>> https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
>>
>> ROSA Linux has been compressing /usr/share/man/man*/* with xz for ages. Compression is done automatically by spec-helper after the %install stage. Some other distros use gzip (*.gz).
>>
>> I do not know about any big advantages of xz for man pages over gzip, but know about a rather big problem that exists with xz:
>>
>> https://gitlab.com/man-db/man-db/-/issues/4
>>
>> man-db (/usr/bin/man is from man-db) by default uses seccomp-based isolation when decompressing and parsing manual pages. Isolation makes sense, to my mind, because a vulnerability may exist in the interpreter of man pages.
>>
>> mandb uses gzip as a library for decompressing *.gz man pages, but cannot use liblzma (xz library) and calls /usr/bin/xz for decompression. This makes generating the mandb cache VERY slow and VERY I/O intensive, it made building ISO images on ABF nearly impossible. I had to disable isolation by default for man-db being run from RPM file triggers: https://abf.io/import/man-db/commit/4908043777080c512fb001da80c9e47081fd5834
>>
>> Now we have the following situation:
>>
>> 1) the xz/lzma library has become not trusted (thanks to gvm@ for trying to quickly remove the backdoor in https://abf.io/import/xz/commits/rosa2023.1 , but we cannot be sure that there are no other backdoors)
>>
>> 2) xz saves some disk space, but do we really care about a few megabytes in the installed system?
>>
>> 3) man-db works much faster with gzip than with xz, with and without isolation
>>
>> So, my question is: does anybody see any real advantage of xz in mans?
>
> From my POV, none...
>
> Perhaps is it possible to simply switch to zstd as we already do for the kernel modules?
The same performance problem will exist with zstd as with xz...
>
> BTW, do we have other stuff depending upon xz/lzma?
> It should be safer to avoid them entirely...
cpio payload in RPM and SRPM packages is compressed with it...

