Message-ID: <20240403225903.0773746d@kaneli>
Date: Wed, 3 Apr 2024 22:59:03 +0300
From: Lasse Collin <lasse.collin@...aani.org>
To: <angel.lkml@...its.net>
Cc: Andrew Morton <akpm@...ux-foundation.org>, Jubin Zhong
<zhongjubin@...wei.com>, linux-kernel@...r.kernel.org,
vegard.nossum@...cle.com
Subject: Re: [PATCH 11/11] xz: Adjust arch-specific options for better
kernel compression

On 2024-03-31 angel.lkml@...its.net wrote:
> Under the light of the recent xz backdoor, I should note that this
> patch (patch 11) does:
>
> > +# Set XZ_VERSION (and LIBLZMA_VERSION). This is needed to disable
> > features +# that aren't available in old XZ Utils versions.
> > +eval "$($XZ --robot --version)" || exit
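
Review bot: the added eval "$($XZ --robot --version)" line runs every line that $XZ prints as shell code, not only the XZ_VERSION and LIBLZMA_VERSION assignments that the comment above it expects. Read the value without eval, for example by extracting only the line that starts with XZ_VERSION= and checking that the remainder is numeric before using it.
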

The eval method has been on the xz man page for a very long time but I
agree that due to the recent events the above method is not ideal.

It can break also if XZ_OPT or XZ_DEFAULTS contains something that they
usually shouldn't. For example, XZ_OPT=--help would make the above eval
method run the output of $XZ --help.

> So, in the spirit of keeping a fair amount of paranoia, and since it
> doesn't do any harm, any such code should be failproofed to ensure it
> can only import the expected shell variables with the right format[3]:
>
> eval "$($XZ --robot --version | grep '^\(XZ\|LIBLZMA\)_VERSION=[0-9]*$')" || exit

I would rather get rid of eval. I committed the following to the
upstream repository:

    XZ_VERSION=$($XZ --robot --version | sed -n 's/^XZ_VERSION=//p') || exit

Thanks!

--
Lasse Collin
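
The two approaches discussed in this message, side by side, as an added example that is not part of the original e-mail or of the kernel or XZ Utils sources. The fake_xz_* functions, their output values and the digits-only check in sed_method are assumptions constructed for illustration; no real xz binary is run.

```shell
#!/bin/sh
# Constructed stand-ins for "$XZ --robot --version" (sample values only).
fake_xz_ok() {
    printf 'XZ_VERSION=50040052\nLIBLZMA_VERSION=50040052\n'
}
# Constructed output carrying one extra line beyond the expected variables.
fake_xz_extra() {
    printf 'XZ_VERSION=50040052\nUNEXPECTED=1\n'
}
# Constructed output with no version line at all, such as help text.
fake_xz_help() {
    printf 'Usage: xz [OPTION]... [FILE]...\n'
}

# The eval method from the quoted patch, confined to a subshell.
# Prints "<XZ_VERSION>/<UNEXPECTED>" to show which variables got set.
eval_method() {
    (
        unset XZ_VERSION UNEXPECTED
        eval "$("$1")" 2>/dev/null
        printf '%s/%s\n' "${XZ_VERSION:-none}" "${UNEXPECTED:-none}"
    )
}

# Extraction without eval, following the sed command in the reply, plus a
# digits-only check added by this example. The pipeline's exit status is
# sed's, so a failing or silent tool produces an empty string rather than
# an error; the case statement rejects that and any non-numeric value.
sed_method() {
    v=$("$1" | sed -n 's/^XZ_VERSION=//p')
    case $v in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$v"
}

echo "eval, extra line: $(eval_method fake_xz_extra)"
echo "sed,  extra line: $(sed_method fake_xz_extra)"
sed_method fake_xz_help || echo "sed,  help text:  rejected"
```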