[Buildroot] [PATCH v1 1/4] package/xz: bump version to 5.6.0

[Buildroot] [PATCH v1 1/4] package/xz: bump version to 5.6.0

[Peter Seiderer via buildroot]

- bump version to 5.6.0
- change homepage URL to https://xz.tukaani.org/xz-utils/
- add BSD-0-Clause and update license file hash accordingly (see [1], [2],
  and [3])

For details see [4].

[1] https://github.com/tukaani-project/xz/commit/b1ee6cf259bb49ce91abe9f622294524e37edf4c
[2] https://github.com/tukaani-project/xz/commit/689e0228baeb95232430e90d628379db89583d71
[3] https://github.com/tukaani-project/xz/commit/28ce45e38fbed4b5f54f2013e38dab47d22bf699
[4] https://github.com/tukaani-project/xz/blob/master/NEWS

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
 package/xz/Config.in | 2 +-
 package/xz/xz.hash   | 7 ++++---
 package/xz/xz.mk     | 6 +++---
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/package/xz/Config.in b/package/xz/Config.in
index 687bd55482..7130fa5e8e 100644
--- a/package/xz/Config.in
+++ b/package/xz/Config.in
@@ -12,4 +12,4 @@ config BR2_PACKAGE_XZ
 	  invoked via appropriate symlinks will emulate the behavior
 	  of the commands in the lzma package.
 
-	  https://tukaani.org/xz/
+	  https://xz.tukaani.org/xz-utils/
diff --git a/package/xz/xz.hash b/package/xz/xz.hash
index e8025a8065..71c2c65a3e 100644
--- a/package/xz/xz.hash
+++ b/package/xz/xz.hash
@@ -1,9 +1,10 @@
 # Locally calculated after checking pgp signature
-# https://github.com/tukaani-project/xz/releases/download/v5.4.6/xz-5.4.6.tar.bz2.sig
-sha256  913851b274e8e1d31781ec949f1c23e8dbcf0ecf6e73a2436dc21769dd3e6f49  xz-5.4.6.tar.bz2
+# https://github.com/tukaani-project/xz/releases/download/v5.6.0/xz-5.6.0.tar.bz2.sig
+sha256  88c8631cefba91664fdc47b14bb753e1876f4964a07db650821d203992b1e1ea  xz-5.6.0.tar.bz2
 
 # Hash for license files
-sha256  29a1e305b2e34eefe5d4602d00cde1d528b71c5d9f2eec5106972cf6ddb6f73f  COPYING
+sha256  0864e508475f20b43a2393957fdb5a966558099ffa8fed1e3e73fe2b3eebb145  COPYING
+sha256  0b01625d853911cd0e2e088dcfb743261034a091bb379246cb25a14cc4c74bf1  COPYING.0BSD
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING.GPLv2
 sha256  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986  COPYING.GPLv3
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LGPLv2.1
diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index 40fa59ca7c..e35fbc0268 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -4,13 +4,13 @@
 #
 ################################################################################
 
-XZ_VERSION = 5.4.6
+XZ_VERSION = 5.6.0
 XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2
 XZ_SITE = https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION)
 XZ_INSTALL_STAGING = YES
 XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
-XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
-XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
+XZ_LICENSE = Public Domain, BSD-0-Clause, GPL-2.0+, GPL-3.0+, LGPL-2.1+
+XZ_LICENSE_FILES = COPYING COPYING.0BSD COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
 XZ_CPE_ID_VENDOR = tukaani
 
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
-- 
2.44.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v1 2/4] package/xz: determine all autoconf options

[Peter Seiderer via buildroot]

Determine all autoconf options (with default values) with the following
special cases:

- sandbox: use 'auto' (which will compile detect landlock in case
  kernel headers >= 5.13)

- unaligned-access: use 'auto' (which will default to yes for x86, x86-64,
  powerpc, powerpc64 and powcerpc64le and use compile detection for arm,
  aarch64 and riscv, see xz-5.6.0/configure line 21323 ff)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
 package/xz/xz.mk | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index e35fbc0268..a9e33bd3df 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -13,6 +13,46 @@ XZ_LICENSE = Public Domain, BSD-0-Clause, GPL-2.0+, GPL-3.0+, LGPL-2.1+
 XZ_LICENSE_FILES = COPYING COPYING.0BSD COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
 XZ_CPE_ID_VENDOR = tukaani
 
+XZ_CONF_OPTS = \
+	--enable-encoders=lzma1,lzma2,delta,x86,powerpc,ia64,arm,armthumb,arm64,sparc,riscv \
+	--enable-decoders=lzma1,lzma2,delta,x86,powerpc,ia64,arm,armthumb,arm64,sparc,riscv \
+	--enable-match-finders=hc3,hc4,bt2,bt3,bt4 \
+	--enable-checks=crc32,crc64,sha256 \
+	--disable-external-sha256 \
+	--enable-microlzma \
+	--enable-lzip-decoder \
+	--enable-assembler \
+	--enable-clmul-crc \
+	--enable-arm64-crc32 \
+	--disable-small \
+	--enable-assume-ram=128 \
+	--enable-xz \
+	--enable-xzdec \
+	--enable-lzmadec \
+	--enable-lzmainfo \
+	--enable-lzma-links \
+	--enable-scripts \
+	--enable-sandbox=auto \
+	--enable-symbol-versions \
+	--enable-rpath \
+	--enable-largfile \
+	--enable-ifunc \
+	--enable-unaligned-access=auto \
+	--disable-unsafe-type-punning \
+	--disable-werror \
+	--disable-year2038
+
+HOST_XZ_CONF_OPTS = \
+	$(XZ_CONF_OPTS) \
+	--enable-nls \
+	--enable-threads
+
+ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
+XZ_CONF_OPTS += --enable-nls
+else
+Z_CONF_OPTS += --disable-nls
+endif
+
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
 XZ_CONF_OPTS += --enable-threads
 else
-- 
2.44.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [RFC v1 3/4] package/xz: enable year2038 option

[Peter Seiderer via buildroot]

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
Notes:

- From autoconf-2.72 release notes ([1]):
  *** Support for ensuring time_t is Y2038-safe
  configure can now ensure that time_t can represent moments in time
  after 18 January 2038, i.e. 2**31 - 1 seconds after the Unix epoch.
  On most 64-bit systems this is true by default; the new feature
  is detection of systems where time_t is a 32-bit signed integer by
  default, *and* there is an alternative mode in which it is larger,
  in which case that mode will be enabled.

  In this release, all configure scripts that use AC_SYS_LARGEFILE
  gain a new command line option --enable-year2038.  When this option
  is used, the configure script will check for and enable support for
  a large time_t.

  This release also adds two new macros, AC_SYS_YEAR2038 and
  AC_SYS_YEAR2038_RECOMMENDED.  Both have all the effects of
  AC_SYS_LARGEFILE.  (This is because it is not possible to enlarge
  time_t without also enlarging off_t, on any system we are aware of.)

  AC_SYS_YEAR2038 additionally flips the default for --enable-year2038;
  a configure script that uses this macro will check for and enable
  support for a large time_t by default, but this can be turned off by
  using --disable-year2038.  AC_SYS_YEAR2038_RECOMMENDED goes even
  further, and makes the configure script fail on systems that do not
  seem to support timestamps after 18 January 2038 at all.  This
  failure can be suppressed by using --disable-year2038.

  Changing the size of time_t can change a library`s ABI.  Therefore,
  application and library builders should take care that all packages
  are configured with consistent use of --enable-year2038 or
  --disable-year2038, to ensure binary compatibility.  This is similar
  to longstanding consistency requirements with --enable-largefile and
  --disable-largefile.

  In this release, these macros only know how to enlarge time_t on two
  classes of systems: 32-bit MinGW, and any system where time_t can be
  enlarged by defining the preprocessor macro _TIME_BITS with the
  value 64.  At the time this NEWS entry was written, only GNU libc
  (version 2.34 and later) supported the latter macro.  Authors of
  other C libraries with a 32-bit time_t are encouraged to adopt
  _TIME_BITS, rather than inventing a different way to enlarge time_t.

- In buildroot there is already the BR2_TIME_BITS_64 config option
  ('Build Y2038-ready code'), which enables a system wide
  '-D_TIME_BITS=64' compile flag (and maybe should additional set
  '--enable-year2039' configure option for the autotools-packages?).
---
 package/xz/xz.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index a9e33bd3df..64dbec8b2e 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -40,7 +40,7 @@ XZ_CONF_OPTS = \
 	--enable-unaligned-access=auto \
 	--disable-unsafe-type-punning \
 	--disable-werror \
-	--disable-year2038
+	--enable-year2038
 
 HOST_XZ_CONF_OPTS = \
 	$(XZ_CONF_OPTS) \
-- 
2.44.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [RFC v1 4/4] package/xz: convert to cmake build

[Peter Seiderer via buildroot]

Convert to cmake build with the following autoconf options without
direct equivalent cmake option:

- '--disable-external-sha256'

- '--enable-assembler'

- '--enable-assume-ram=128': hard coded in the CMakeLists.txt file
  1685     target_compile_definitions(xz PRIVATE ASSUME_RAM=128)

- '--enable-scripts' (see [1]: 'CMake: xzdiff, xzgrep, xzless, xzmore, and
  their symlinks are now installed')

- '--enable-symbol-versions': hard coded in the CMakeLists.txt file
  1247     target_compile_definitions(liblzma PRIVATE HAVE_SYMBOL_VERSIONS_LINUX=1)

- '--enable-rpath'

- '--enable-largefile': see CMakeLists.txt
  233 # Check for large file support. It's required on some 32-bit platforms and
  234 # even on 64-bit MinGW-w64 to get 64-bit off_t. This can be forced off on
  235 # the CMake command line if needed: -DLARGE_FILE_SUPPORT=OFF
  236 tuklib_large_file_support(ALL)

- '--enable-unaligned-access=auto': see CMakeLists.txt and cmake/tuklib_integer.cmake
   238 # This is needed by liblzma and xz.
   239 tuklib_integer(ALL)

- '--disable-unsafe-type-punning' see CMakeLists.txt and cmake/tuklib_integer.cmake
   238 # This is needed by liblzma and xz.
   239 tuklib_integer(ALL)

- '--disable-werror'

- '--enable-year2038'

[1] https://github.com/tukaani-project/xz/releases/tag/v5.6.0

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
 package/xz/xz.mk | 59 +++++++++++++++++++-----------------------------
 1 file changed, 23 insertions(+), 36 deletions(-)

diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index 64dbec8b2e..1064d6a586 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -8,55 +8,42 @@ XZ_VERSION = 5.6.0
 XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2
 XZ_SITE = https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION)
 XZ_INSTALL_STAGING = YES
-XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 XZ_LICENSE = Public Domain, BSD-0-Clause, GPL-2.0+, GPL-3.0+, LGPL-2.1+
 XZ_LICENSE_FILES = COPYING COPYING.0BSD COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
 XZ_CPE_ID_VENDOR = tukaani
 
 XZ_CONF_OPTS = \
-	--enable-encoders=lzma1,lzma2,delta,x86,powerpc,ia64,arm,armthumb,arm64,sparc,riscv \
-	--enable-decoders=lzma1,lzma2,delta,x86,powerpc,ia64,arm,armthumb,arm64,sparc,riscv \
-	--enable-match-finders=hc3,hc4,bt2,bt3,bt4 \
-	--enable-checks=crc32,crc64,sha256 \
-	--disable-external-sha256 \
-	--enable-microlzma \
-	--enable-lzip-decoder \
-	--enable-assembler \
-	--enable-clmul-crc \
-	--enable-arm64-crc32 \
-	--disable-small \
-	--enable-assume-ram=128 \
-	--enable-xz \
-	--enable-xzdec \
-	--enable-lzmadec \
-	--enable-lzmainfo \
-	--enable-lzma-links \
-	--enable-scripts \
-	--enable-sandbox=auto \
-	--enable-symbol-versions \
-	--enable-rpath \
-	--enable-largfile \
-	--enable-ifunc \
-	--enable-unaligned-access=auto \
-	--disable-unsafe-type-punning \
-	--disable-werror \
-	--enable-year2038
+	-DENCODERS="lzma1;lzma2;delta;x86;powerpc;ia64;arm;armthumb;arm64;sparc;riscv" \
+	-DDECODERS="lzma1;lzma2;delta;x86;powerpc;ia64;arm;armthumb;arm64;sparc;riscv" \
+	-DMATCH_FINDERS="hc3;hc4;bt2;bt3;bt4" \
+	-DADDITIONAL_CHECK_TYPES="crc64;sha256" \
+	-DMICROLZMA_ENCODER=ON \
+	-DMICROLZMA_DECODER=ON \
+	-DLZIP_DECODER=ON \
+	-DALLOW_CLMUL_CRC=ON \
+	-DALLOW_ARM64_CRC32=ON \
+	-DENABLE_SMALL=OFF \
+	-DENABLE_SANDBOX=ON \
+	-DUSE_ATTR_IFUNC=ON \
+	-DCREATE_XZ_SYMLINKS=ON \
+	-DCREATE_LZMA_SYMLINKS=ON \
+	-DBUILD_SHARED_LIBS=OFF
 
 HOST_XZ_CONF_OPTS = \
 	$(XZ_CONF_OPTS) \
-	--enable-nls \
-	--enable-threads
+	-DENABLE_NLS=ON \
+	-DENABLE_THREADS=ON
 
 ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
-XZ_CONF_OPTS += --enable-nls
+XZ_CONF_OPTS += -DENABLE_NLS=ON
 else
-Z_CONF_OPTS += --disable-nls
+XZ_CONF_OPTS += -DENABLE_NLS=OFF
 endif
 
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
-XZ_CONF_OPTS += --enable-threads
+XZ_CONF_OPTS += -DENABLE_THREADS=ON
 else
-XZ_CONF_OPTS += --disable-threads
+XZ_CONF_OPTS += -DENABLE_THREADS=OFF
 endif
 
 # we are built before ccache
@@ -64,5 +51,5 @@ HOST_XZ_CONF_ENV = \
 	CC="$(HOSTCC_NOCCACHE)" \
 	CXX="$(HOSTCXX_NOCCACHE)"
 
-$(eval $(autotools-package))
-$(eval $(host-autotools-package))
+$(eval $(cmake-package))
+$(eval $(host-cmake-package))
-- 
2.44.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v1 1/4] package/xz: bump version to 5.6.0

[James Hilliard]

[-- Attachment #1.1: Type: text/plain, Size: 3857 bytes --]

On Thu, Mar 7, 2024 at 9:52 AM Peter Seiderer via buildroot <
buildroot@buildroot.org> wrote:

> - bump version to 5.6.0
> - change homepage URL to https://xz.tukaani.org/xz-utils/
> - add BSD-0-Clause and update license file hash accordingly (see [1], [2],
>   and [3])
>
> For details see [4].
>
> [1]
> https://github.com/tukaani-project/xz/commit/b1ee6cf259bb49ce91abe9f622294524e37edf4c
> [2]
> https://github.com/tukaani-project/xz/commit/689e0228baeb95232430e90d628379db89583d71
> [3]
> https://github.com/tukaani-project/xz/commit/28ce45e38fbed4b5f54f2013e38dab47d22bf699
> [4] https://github.com/tukaani-project/xz/blob/master/NEWS
>
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> ---
>  package/xz/Config.in | 2 +-
>  package/xz/xz.hash   | 7 ++++---
>  package/xz/xz.mk     | 6 +++---
>  3 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/package/xz/Config.in b/package/xz/Config.in
> index 687bd55482..7130fa5e8e 100644
> --- a/package/xz/Config.in
> +++ b/package/xz/Config.in
> @@ -12,4 +12,4 @@ config BR2_PACKAGE_XZ
>           invoked via appropriate symlinks will emulate the behavior
>           of the commands in the lzma package.
>
> -         https://tukaani.org/xz/
> +         https://xz.tukaani.org/xz-utils/
> diff --git a/package/xz/xz.hash b/package/xz/xz.hash
> index e8025a8065..71c2c65a3e 100644
> --- a/package/xz/xz.hash
> +++ b/package/xz/xz.hash
> @@ -1,9 +1,10 @@
>  # Locally calculated after checking pgp signature
> -#
> https://github.com/tukaani-project/xz/releases/download/v5.4.6/xz-5.4.6.tar.bz2.sig
> -sha256
> <https://github.com/tukaani-project/xz/releases/download/v5.4.6/xz-5.4.6.tar.bz2.sig-sha256>
> 913851b274e8e1d31781ec949f1c23e8dbcf0ecf6e73a2436dc21769dd3e6f49
> xz-5.4.6.tar.bz2
> +#
> https://github.com/tukaani-project/xz/releases/download/v5.6.0/xz-5.6.0.tar.bz2.sig
> +sha256
> <https://github.com/tukaani-project/xz/releases/download/v5.6.0/xz-5.6.0.tar.bz2.sig+sha256>
> 88c8631cefba91664fdc47b14bb753e1876f4964a07db650821d203992b1e1ea
> xz-5.6.0.tar.bz2
>
>  # Hash for license files
> -sha256  29a1e305b2e34eefe5d4602d00cde1d528b71c5d9f2eec5106972cf6ddb6f73f
> COPYING
> +sha256  0864e508475f20b43a2393957fdb5a966558099ffa8fed1e3e73fe2b3eebb145
> COPYING
> +sha256  0b01625d853911cd0e2e088dcfb743261034a091bb379246cb25a14cc4c74bf1
> COPYING.0BSD
>  sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643
> COPYING.GPLv2
>  sha256  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986
> COPYING.GPLv3
>  sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551
> COPYING.LGPLv2.1
> diff --git a/package/xz/xz.mk b/package/xz/xz.mk
> index 40fa59ca7c..e35fbc0268 100644
> --- a/package/xz/xz.mk
> +++ b/package/xz/xz.mk
> @@ -4,13 +4,13 @@
>  #
>
>  ################################################################################
>
> -XZ_VERSION = 5.4.6
> +XZ_VERSION = 5.6.0
>

Is this version backdoored?
https://www.openwall.com/lists/oss-security/2024/03/29/4


>  XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2
>  XZ_SITE =
> https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION)
>  XZ_INSTALL_STAGING = YES
>  XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
> -XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
> -XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
> +XZ_LICENSE = Public Domain, BSD-0-Clause, GPL-2.0+, GPL-3.0+, LGPL-2.1+
> +XZ_LICENSE_FILES = COPYING COPYING.0BSD COPYING.GPLv2 COPYING.GPLv3
> COPYING.LGPLv2.1
>  XZ_CPE_ID_VENDOR = tukaani
>
>  ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
> --
> 2.44.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
>

[-- Attachment #1.2: Type: text/html, Size: 6043 bytes --]

[-- Attachment #2: Type: text/plain, Size: 150 bytes --]

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v1 1/4] package/xz: bump version to 5.6.0

[Yann E. MORIN]

James, all,

On 2024-03-29 11:21 -0600, James Hilliard spake thusly:
[--SNIP--]
>     -XZ_VERSION = 5.4.6
>     +XZ_VERSION = 5.6.0
> Is this version backdoored?
> [17]https://www.openwall.com/lists/oss-security/2024/03/29/4

Wahoo. Just, wahoo... thanks for pointing this out, I've marked the
series rejected.

I've been reading on this story, and it is just, well, I don't have
words. I'm stomached.

Thanks a lot for pointing this out.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v1 1/4] package/xz: bump version to 5.6.0

[Thomas Petazzoni via buildroot]

Hello,

On Fri, 29 Mar 2024 20:54:07 +0100
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> On 2024-03-29 11:21 -0600, James Hilliard spake thusly:
> [--SNIP--]
> >     -XZ_VERSION = 5.4.6
> >     +XZ_VERSION = 5.6.0
> > Is this version backdoored?
> > [17]https://www.openwall.com/lists/oss-security/2024/03/29/4  
> 
> Wahoo. Just, wahoo... thanks for pointing this out, I've marked the
> series rejected.
> 
> I've been reading on this story, and it is just, well, I don't have
> words. I'm stomached.

The story is indeed crazy. For once, the fact that we are somewhat slow
at merging patches ensured this didn't get applied before the backdoor
was discovered :-)

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot